We have been provided with a KeePass password database in the version 1.x KDB format. The file command is enough to identify the format.
KeePass is a free, open-source password manager that securely stores your credentials in an encrypted database using AES or Twofish encryption. It requires a master password, key file, or both to access the data, ensuring robust protection against unauthorized access.
Tool
kpcli (KeePass Command-Line Interface) is a command-line tool designed to access and manage KeePass password databases. It supports KeePass version 1.x KDB files and allows users to perform tasks such as viewing, adding, and editing entries directly from the terminal. This tool is particularly useful for users who prefer scripting or require automated access to their password databases without a GUI.
Installation
$ sudo apt-get install kpcli
┌──(zwique㉿kali)-[~/Downloads]
└─$ kpcli -h
Usage: kpcli [--kdb=<file.kdb>] [--key=<file.key>]
--kdb=s Optional KeePass database file to open (must exist).
--key=s Optional KeePass key file (must exist).
--pwfile=s Read master password from file instead of console.
--histfile=s Specify your history file (or perhaps /dev/null).
--readonly Run in read-only mode; no changes will be allowed.
--timeout=i Lock interface after i seconds of inactivity.
--command=s Run a command and exit (no interactive session).
Multiple --command parameters can be used.
--no-recycle Don't store entry changes in /Backup or "/Recycle Bin".
--pwwords=s File of words for building word-based passwords.
--pwsplchars=s The special characters used in password generation.
--pwlen=i Length of generated passwords (default is 20).
--pwscmin=i Min number of special chars in generated passwords.
--pwscmax=i Max number of special chars in generated passwords.
--nopwstars Don't show star characters (*) for password input.
--nopwprint Don't print the pw red on red in the show command.
--xpxsecs=i Seconds to wait until clearing the clipboard for xpx.
--xclipsel=s X11 clipboard to use; "--xclipsel help" for choices.
--kpxcexe=s Path to a KeePassXC binary, used to import KDBX4 files.
--help This message.
Run kpcli with no options and type 'help' at its command prompt to learn
about kpcli's commands.
kpcli needs the master password to open the database. We'll use the tools keepass2john and John the Ripper to brute-force the KeePass master password.
keepass2john extracts the password hash from the KeePass database (NewDatabase), and its output is written to a file named kp. The extracted hash is in a format that cracking tools like John the Ripper can use.
┌──(zwique㉿kali)-[~/Downloads]
└─$ john --wordlist=~/Desktop/rockyou.txt -format:keepass kp
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 1 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
p77777 (NewDatabase)
1g 0:00:01:44 DONE (2025-01-25 06:01) 0.009576g/s 7974p/s 7974c/s 7974C/s pablo#1..p0000000
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
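The cost values John prints (iteration count 6000, AES) come from the fixed 124-byte header of the KDB 1.x file, so a defender can audit a database for a weak key-transformation setting without touching the password. The following is an added example, not part of the original writeup or of any KeePass tool; the function names, the MIN_ROUNDS threshold and the sample header are assumptions constructed for illustration.

```python
import struct

# KeePass 1.x (KDB) header: fixed 124 bytes, little-endian.
KDB_SIG1, KDB_SIG2 = 0x9AA2D903, 0xB54BFB65
HEADER = struct.Struct("<IIII16s16sII32s32sI")
CIPHER_FLAGS = {2: "AES", 8: "Twofish"}  # header flag bits
MIN_ROUNDS = 1_000_000  # assumed local policy threshold, not a KeePass constant


def audit_kdb_header(data: bytes) -> dict:
    """Parse a KDB 1.x header and flag a low key-transformation round count."""
    if len(data) < HEADER.size:
        raise ValueError("too short for a KDB 1.x header")
    (sig1, sig2, flags, version, _seed, _iv,
     groups, entries, _hash, _tseed, rounds) = HEADER.unpack_from(data)
    if (sig1, sig2) != (KDB_SIG1, KDB_SIG2):
        raise ValueError("not a KeePass 1.x KDB file")
    ciphers = [name for bit, name in CIPHER_FLAGS.items() if flags & bit]
    return {
        "format_version": f"0x{version:08x}",
        "cipher": ciphers[0] if len(ciphers) == 1 else "unknown",
        "groups": groups,
        "entries": entries,
        "rounds": rounds,
        "weak_kdf": rounds < MIN_ROUNDS,
    }


def sample_header(rounds: int = 6000) -> bytes:
    """Constructed header (zeroed seeds, IV and hash) using the cost values John printed."""
    return HEADER.pack(KDB_SIG1, KDB_SIG2, 1 | 2, 0x00030002,
                       bytes(16), bytes(16), 6, 1, bytes(32), bytes(32), rounds)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Audit a real file: only the header is read.
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read(HEADER.size)
    else:
        blob = sample_header()
    for key, value in audit_kdb_header(blob).items():
        print(f"{key:>14}: {value}")
```

A round count as low as the 6000 seen here adds little cost per guess, so the master password itself has to carry the protection; raising the rounds in the database settings and choosing a password that is not in common wordlists addresses both sides.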
Login
┌──(zwique㉿kali)-[~/Downloads]
└─$ kpcli --kdb=NewDatabase
Provide the master password: *************************
Logging into the database with the master password `p77777`.
Steps to capture the flag
kpcli:/> ls
=== Groups ===
General/
kpcli:/> cd General/
kpcli:/General> ls
=== Groups ===
eMail/
Homebanking/
Internet/
Network/
Windows/
=== Entries ===
0. Flag
kpcli:/General> show 0
Title: Flag
Uname:
Pass: Flag is BAD_PASSWORD
URL:
Notes:
kpcli:/General> get 0 Notes
kpcli:/General>
The flag in the correct format looks like this: HZU18{BAD_PASSWORD}