During one of our recent red teaming engagements we managed to get a foothold in a customer’s domain. While gathering information we stumbled upon a hidden backup share on one of the servers. The hidden share contained a database and webroot backup for the PasswordState (website) password vault! PasswordState is an enterprise password management solution. This means we hit the jackpot, for obvious reasons.
Searching the Internet for a way to decrypt all passwords did not yield any results, so we decided to look into the product and write our own!
This post starts with an overview of how the encryption works and ends with a ready-to-go PowerShell script to use during your red teaming engagements.
PasswordState installs itself to C:\inetpub\PasswordState by default. This directory holds the source code of the web application and of the Windows service. The C:\inetpub\Passwordstate\bin directory contains the executable file Passwordstate.exe, which is also the service binary. This is a perfect binary for starting our reverse engineering efforts, since it most likely contains either the code that decrypts passwords or a reference to that code.
Reversing password encryption
The binary is a .NET Framework 4.5 binary. Using dnSpy it’s possible to decompile this binary into (mostly) readable source code. The binary contains several namespaces, the most interesting being PasswordstateService. This namespace contains the service class.
Looking through the methods of this class, the AddPassword function stands out. This function adds a password to the password database, encrypting the plaintext in the process. The decompiled code snippet below shows where the application encrypts the password before storing it in the database.