Пример #1
        /// <summary>
        /// Prints a "Checking Windows Vault" section: a heading, a reference link, and the
        /// entries returned by <c>VaultCli.DumpVault()</c>.
        /// </summary>
        /// <remarks>
        /// The printed data comes straight from the vault dump, so the resulting console
        /// output or log should be handled as sensitive material.
        /// Any exception is reported through <c>Beaprint.PrintException</c> (message only)
        /// and is not rethrown.
        /// </remarks>
        private static void PrintVaultCreds()
        {
            try
            {
                Beaprint.MainPrint("Checking Windows Vault");
                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-manager-windows-vault");

                var dumpedEntries = VaultCli.DumpVault();

                // Pattern -> colour map handed to DictPrint; presumably the key is matched as a
                // regular expression against each printed line (confirm in Beaprint.DictPrint).
                var highlightRules = new Dictionary<string, string>
                {
                    ["Identity.*|Credential.*|Resource.*"] = Beaprint.ansi_color_bad,
                };

                Beaprint.DictPrint(dumpedEntries, highlightRules, true, true);
            }
            catch (Exception failure)
            {
                Beaprint.PrintException(failure.Message);
            }
        }
Пример #2
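        /// <summary>
        /// Walks the vaults returned by <c>VaultCli.VaultEnumerateVaults</c> and yields one
        /// <c>WindowsVaultDTO</c> for every vault that could be opened and whose items could
        /// be enumerated.
        /// </summary>
        /// <remarks>
        /// Each <c>VaultEntry</c> stores the value read from the item's authenticator element in
        /// <c>Credential</c>. Treat the yielded objects, and anything they are printed or
        /// serialized to, as secret material.
        /// Failures of the native calls are reported through <c>WriteError</c> with the status
        /// code in hexadecimal; the affected vault or item is then skipped.
        /// NOTE(review): this method never releases the buffers handed back by the enumerate and
        /// get-item calls, nor the opened vault handle. vaultcli.dll exports VaultFree and
        /// VaultCloseVault for that purpose; confirm whether the VaultCli wrapper exposes them
        /// and release in a finally block.
        /// </remarks>
        /// <param name="args">Command arguments; not read by this method.</param>
        /// <returns>A lazily evaluated sequence of <c>WindowsVaultDTO</c> objects.</returns>
        public override IEnumerable <CommandDTOBase?> Execute(string[] args)
        {
            // pulled directly from @djhohnstein's SharpWeb project: https://github.com/djhohnstein/SharpWeb/blob/master/Edge/SharpEdge.cs
            var OSVersion = Environment.OSVersion.Version;

            // The item struct layout and the VaultGetItem variant both depend on the reported OS
            // version. Version("6.2") has no build component, so any 6.2.x build also compares greater.
            var usesWin8Layout = OSVersion > new Version("6.2");
            Type VAULT_ITEM = usesWin8Layout
                ? typeof(VaultCli.VAULT_ITEM_WIN8)
                : typeof(VaultCli.VAULT_ITEM_WIN7);

            var vaultCount   = 0;
            var vaultGuidPtr = IntPtr.Zero;
            var result       = VaultCli.VaultEnumerateVaults(0, ref vaultCount, ref vaultGuidPtr);

            if (result != 0)
            {
                // The message carries a 0x prefix, so the code is formatted as hex.
                WriteError($"Unable to enumerate vaults. Error (0x{result:X8})");
                yield break;
            }

            // Create dictionary to translate Guids to human readable elements
            var guidAddress = vaultGuidPtr;
            var vaultSchema = new Dictionary <Guid, string>
            {
                { new Guid("2F1A6504-0641-44CF-8BB5-3612D865F2E5"), "Windows Secure Note" },
                { new Guid("3CCD5499-87A8-4B10-A215-608888DD3B55"), "Windows Web Password Credential" },
                { new Guid("154E23D0-C644-4E6F-8CE6-5069272F999F"), "Windows Credential Picker Protector" },
                { new Guid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28"), "Web Credentials" },
                { new Guid("77BC582B-F0A6-4E15-4E80-61736B6F3B29"), "Windows Credentials" },
                { new Guid("E69D7838-91B5-4FC9-89D5-230D4D4CC2BC"), "Windows Domain Certificate Credential" },
                { new Guid("3E0E35BE-1B77-43E7-B873-AED901B6275B"), "Windows Domain Password Credential" },
                { new Guid("3C886FF3-2669-4AA2-A8FB-3F6759A77548"), "Windows Extended Credential" },
                { new Guid("00000000-0000-0000-0000-000000000000"), null }
            };

            for (var i = 0; i < vaultCount; i++)
            {
                // Read the i-th GUID out of the native array and step the cursor to the next one.
                var vaultGuid = (Guid)Marshal.PtrToStructure(guidAddress, typeof(Guid));
                guidAddress = (IntPtr)(guidAddress.ToInt64() + Marshal.SizeOf(typeof(Guid)));
                var vaultHandle = IntPtr.Zero;

                // Known GUIDs get a friendly name (null for the all-zero GUID); unknown ones
                // fall back to the GUID text. Single lookup instead of ContainsKey + indexer.
                string vaultType = vaultSchema.TryGetValue(vaultGuid, out var knownName)
                    ? knownName
                    : vaultGuid.ToString();

                result = VaultCli.VaultOpenVault(ref vaultGuid, 0u, ref vaultHandle);
                if (result != 0)
                {
                    WriteError($"Unable to open the following vault: {vaultType}. Error: 0x{result:X8}");
                    continue;
                }
                // Vault opened successfully! Continue.

                var entries = new List <VaultEntry>();

                // Fetch all items within Vault
                var vaultItemCount = 0;
                var vaultItemPtr   = IntPtr.Zero;
                result = VaultCli.VaultEnumerateItems(vaultHandle, 512, ref vaultItemCount, ref vaultItemPtr);
                if (result != 0)
                {
                    WriteError($"Unable to enumerate vault items from the following vault: {vaultType}. Error 0x{result:X8}");
                    continue;
                }

                var structAddress = vaultItemPtr;

                // The loop body is skipped entirely when the vault holds no items.
                for (var j = 1; j <= vaultItemCount; j++)
                {
                    // Marshal the current item and advance the cursor before anything can 'continue'.
                    var currentItem = Marshal.PtrToStructure(structAddress, VAULT_ITEM);
                    structAddress = (IntPtr)(structAddress.ToInt64() + Marshal.SizeOf(VAULT_ITEM));

                    var passwordVaultItem = IntPtr.Zero;

                    // The concrete struct type is only known at run time, so fields are read by name.
                    var itemType         = currentItem.GetType();
                    var schemaId         = new Guid(itemType.GetField("SchemaId").GetValue(currentItem).ToString());
                    var pResourceElement = (IntPtr)itemType.GetField("pResourceElement").GetValue(currentItem);
                    var pIdentityElement = (IntPtr)itemType.GetField("pIdentityElement").GetValue(currentItem);
                    var lastModified     = (ulong)itemType.GetField("LastModified").GetValue(currentItem);

                    var pPackageSid = IntPtr.Zero;
                    if (usesWin8Layout)
                    {
                        // Newer versions have package sid
                        pPackageSid = (IntPtr)itemType.GetField("pPackageSid").GetValue(currentItem);
                        result      = VaultCli.VaultGetItem_WIN8(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, pPackageSid, IntPtr.Zero, 0, ref passwordVaultItem);
                    }
                    else
                    {
                        result = VaultCli.VaultGetItem_WIN7(vaultHandle, ref schemaId, pResourceElement, pIdentityElement, IntPtr.Zero, 0, ref passwordVaultItem);
                    }

                    if (result != 0)
                    {
                        WriteError($"Could not retrieve vault vault item. Error: 0x{result:X8}");
                        continue;
                    }

                    var passwordItem          = Marshal.PtrToStructure(passwordVaultItem, VAULT_ITEM);
                    var pAuthenticatorElement = (IntPtr)passwordItem.GetType().GetField("pAuthenticatorElement").GetValue(passwordItem);

                    try
                    {
                        // Fetch the credential from the authenticator element
                        var    cred       = GetVaultElementValue(pAuthenticatorElement);
                        object packageSid = null;

                        // IntPtr is a value type, so only the Zero check is meaningful here.
                        if (pPackageSid != IntPtr.Zero)
                        {
                            packageSid = GetVaultElementValue(pPackageSid);
                        }

                        if (cred == null)
                        {
                            // No credential value could be read for this item.
                            continue;
                        }

                        // With result filtering on, entries whose credential is blank are dropped.
                        if (Runtime.FilterResults && String.IsNullOrEmpty(cred.ToString().TrimEnd()))
                        {
                            continue;
                        }

                        var entry = new VaultEntry();

                        var resource = GetVaultElementValue(pResourceElement);
                        if (resource != null)
                        {
                            entry.Resource = $"{resource}";
                        }

                        var identity = GetVaultElementValue(pIdentityElement);
                        if (identity != null)
                        {
                            entry.Identity = $"{identity}";
                        }

                        if (packageSid != null)
                        {
                            entry.PackageSid = $"{packageSid}";
                        }

                        // Sensitive: this is the secret value taken from the authenticator element.
                        entry.Credential   = $"{cred}";
                        entry.LastModified = DateTime.FromFileTimeUtc((long)lastModified);

                        entries.Add(entry);
                    }
                    catch (Exception e)
                    {
                        // Best effort: a single unreadable item must not abort the whole vault.
                        WriteError("Exception: " + e.Message);
                        continue;
                    }
                }

                yield return(new WindowsVaultDTO()
                {
                    VaultGUID = vaultGuid,
                    VaultType = vaultType,
                    VaultEntries = entries
                });
            }
        }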