
# Guess a password

## Problem

We are given a `KeePass` password database in the version 1.x KDB format. Running the `file` command on it reveals this.

KeePass is a free, open-source password manager that securely stores your credentials in an encrypted database using AES or Twofish encryption. It requires a master password, key file, or both to access the data, ensuring robust protection against unauthorized access.

### Tool

> `kpcli` (KeePass Command-Line Interface) is a command-line tool designed to access and manage KeePass password databases. It supports KeePass version 1.x KDB files and allows users to perform tasks such as viewing, adding, and editing entries directly from the terminal. This tool is particularly useful for users who prefer scripting or require automated access to their password databases without a GUI.

#### Installation

`$ sudo apt-get install kpcli`

```bash
┌──(zwique㉿kali)-[~/Downloads]
└─$ kpcli -h               
Usage: kpcli [--kdb=<file.kdb>] [--key=<file.key>]

  --kdb=s        Optional KeePass database file to open (must exist).
  --key=s        Optional KeePass key file (must exist).
  --pwfile=s     Read master password from file instead of console.
  --histfile=s   Specify your history file (or perhaps /dev/null).
  --readonly     Run in read-only mode; no changes will be allowed.
  --timeout=i    Lock interface after i seconds of inactivity.
  --command=s    Run a command and exit (no interactive session).
                 Multiple --command parameters can be used.
  --no-recycle   Don't store entry changes in /Backup or "/Recycle Bin".
  --pwwords=s    File of words for building word-based passwords.
  --pwsplchars=s The special characters used in password generation.
  --pwlen=i      Length of generated passwords (default is 20).
  --pwscmin=i    Min number of special chars in generated passwords.
  --pwscmax=i    Max number of special chars in generated passwords.
  --nopwstars    Don't show star characters (*) for password input.
  --nopwprint    Don't print the pw red on red in the show command.
  --xpxsecs=i    Seconds to wait until clearing the clipboard for xpx.
  --xclipsel=s   X11 clipboard to use; "--xclipsel help" for choices.
  --kpxcexe=s    Path to a KeePassXC binary, used to import KDBX4 files.
  --help         This message.

Run kpcli with no options and type 'help' at its command prompt to learn
about kpcli's commands.
```

As the help output indicates, kpcli needs the master password of the database. We'll use `keepass2john` and John the Ripper (`john`) to brute-force the KeePass master password.

```bash
┌──(zwique㉿kali)-[~/Downloads]
└─$ keepass2john NewDatabase > kp
```

This command extracts the password hash from the KeePass database (`NewDatabase`) and writes it to a file named `kp`. The extracted hash is in a format that cracking tools such as John the Ripper can use.

```bash
┌──(zwique㉿kali)-[~/Downloads]
└─$ john  --wordlist=~/Desktop/rockyou.txt -format:keepass kp
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 1 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
p77777           (NewDatabase)     
1g 0:00:01:44 DONE (2025-01-25 06:01) 0.009576g/s 7974p/s 7974c/s 7974C/s pablo#1..p0000000
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
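The cost values john prints (6000 iterations, AES) are read from the unencrypted KDB 1.x file header. As an added example, not part of the original writeup, this Python script parses that 124-byte header so you can audit the key-transformation round count of your own databases; the sample header is constructed and the `MIN_ROUNDS` threshold is an assumption of this example.

```python
import struct
import sys

# KeePass 1.x (KDB) fixed header: 124 bytes, little-endian.
KDB1_SIG = (0x9AA2D903, 0xB54BFB65)
HEADER = struct.Struct("<4I16s16s2I32s32sI")
FLAG_NAMES = {1: "SHA2", 2: "AES", 4: "ArcFour", 8: "Twofish"}
MIN_ROUNDS = 1_000_000  # assumption: audit threshold chosen for this example


def parse_kdb1_header(data: bytes) -> dict:
    """Return the KDF/cipher parameters stored in clear in a KDB 1.x header."""
    if len(data) < HEADER.size:
        raise ValueError("too short for a KDB 1.x header")
    (sig1, sig2, flags, version, _seed, _iv,
     groups, entries, _hash, _tseed, rounds) = HEADER.unpack_from(data)
    if (sig1, sig2) != KDB1_SIG:
        raise ValueError("not a KeePass 1.x database")
    return {
        "version": f"0x{version:08x}",
        "algorithms": [n for bit, n in FLAG_NAMES.items() if flags & bit],
        "groups": groups,
        "entries": entries,
        "rounds": rounds,
    }


def audit(header: dict, min_rounds: int = MIN_ROUNDS) -> list:
    """List findings that make offline guessing of the master password cheaper."""
    findings = []
    if header["rounds"] < min_rounds:
        findings.append(
            f"key transformation rounds {header['rounds']} < {min_rounds}")
    return findings


# Constructed sample header (zeroed seeds, IV and hash) mirroring the values
# john reported above: AES with 6000 rounds.
SAMPLE = HEADER.pack(*KDB1_SIG, 1 | 2, 0x00030002, bytes(16), bytes(16),
                     6, 1, bytes(32), bytes(32), 6000)

if __name__ == "__main__":
    # Pass a .kdb path to audit a real file; with no argument, use the sample.
    raw = open(sys.argv[1], "rb").read(HEADER.size) if len(sys.argv) > 1 else SAMPLE
    info = parse_kdb1_header(raw)
    print(info)
    for finding in audit(info):
        print("WEAK:", finding)
```

A higher round count only raises the cost per guess; a master password that appears in a common wordlist, as here, still falls.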

#### Login

```bash
┌──(zwique㉿kali)-[~/Downloads]
└─$ kpcli --kdb=NewDatabase
Provide the master password: *************************
```

We log in to the database with the master password `p77777`.

Steps to capture the flag:

```bash
kpcli:/> ls
=== Groups ===
General/
kpcli:/> cd General/
kpcli:/General> ls
=== Groups ===
eMail/
Homebanking/
Internet/
Network/
Windows/
=== Entries ===
0. Flag                                                                   
kpcli:/General> show 0

Title: Flag
Uname: 
 Pass: Flag is BAD_PASSWORD
  URL: 
Notes: 

kpcli:/General> get 0 Notes

kpcli:/General> 

# The flag in the correct format is HZU18{BAD_PASSWORD}
```

