NorthwaveSecurity / passwordstate-decryptor

PowerShell script that decrypts password entries from a Passwordstate server.
24 stars 5 forks source link

Help working with exported CSV #3

Open 7MinSec opened 8 months ago

7MinSec commented 8 months ago

Hello,

I compromised a SQL backup of a PasswordState database as part of a pentest, and am trying to get the juicy info decrypted! I have the whole database restored into a SQLEXPRESS database in my lab. I also have the original web.config from the compromised server.

I'm kind of stuck here as I'm not sure which is my path of least resistance. If I go the route of CSV export, I can feed the tool the SECRET3 key by querying it right in SQL, but I'm not really sure how to manually get the SECRET1 value?

I also tried using the tool and pointing it to my SQLEXPRESS instance with a connection string, but that's causing me errors.

Could you point me in the right direction?

7MinSec commented 8 months ago

Ahhh I think I see what I'm up against. Admins of the system have the option of encrypting connection info and other strings here (https://forums.clickstudios.com.au/topic/2699-encrypting-and-decrypting-the-webconfig-file/#comment-7535) so I'll have to work with that first I think.

7MinSec commented 8 months ago

OK I think I'm chasing my tail here. Client has latest/greatest and this changelog implies the known password decryption vulns have beeen fixed: https://www.clickstudios.com.au/passwordstate-changelog.aspx.