Hey,
I am trying to do a simple PoC of extracting certificates from the certificate store. I created a dummy cert and imported it into the user certificate store. I can see it being created on disk but several tools failed to retrieve it.
I get the following error when trying to insert a blob file:
dploot blob -t <ip> -u "admin" -p "password" -blob <blob>
dploot (https://github.com/zblurx/dploot) v3.1.2 by @_zblurx
[*] Connected to <ip> as \admin (admin)
[*] Triage ALL USERS masterkeys
<redacted> found 1 key
[*] Trying to decrypt DPAPI blob
[-] Got error: ('unpack requires a buffer of 4 bytes', "When unpacking field 'CryptAlgo | <L=0 | b''[:4]'")
[-] Use -debug to print a stacktrace
And when doing a full scan:
dploot certificates -t <ip> -u "admin" -p "password" -debug
dploot (https://github.com/zblurx/dploot) v3.1.2 by @_zblurx
[+] options=Namespace(action='certificates', mkfile=None, pvk=None, passwords=None, nthashes=None, dump_all=False, target='<ip>', domain=None, username='admin', password='password', debug=True, quiet=False, export_dir=None, hashes=None, no_pass=False, k=False, aesKey=None, use_kcache=False, kdcHost=None, dc_ip=None, localroot='.')
[+] Connecting to <ip>
[+] Authenticating with admin through NTLM
[*] Connected to <ip> as \admin (admin)
[*] Triage ALL USERS masterkeys
[+] Found MasterKey: \\<ip>\C$\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1868900673-3697123319-3785479862-1001\4d65fe5b-9382-440d-a91a-5acffe879d93
{4d65fe5b-9382-440d-a91a-5acffe879d93}:e6bfa00f5a3a0664ac9776389cbac12e224ee726
[+] Found MasterKey: \\<ip>\C$\Users\User\AppData\Roaming\Microsoft\Protect\S-1-5-21-1868900673-3697123319-3785479862-1000\ba7c7dfc-51b2-40af-bf82-25cff2cad2ca
[*] Triage Certificates for ALL USERS
[+] Found PrivateKey Blob: \\<ip>\C$\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1868900673-3697123319-3785479862-1001\0f5007522459c86e95ffcc62f32308f1_b5bf29b1-1c8f-4106-be1c-f9c635bf3bf4
[+] Found Certificates Blob: \\<ip>\C$\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\26F56DBCDEFE8EA5B24A75DB40DAA878F8EB7CD7
Does anyone know what the issue is? Maybe Microsoft changed the format of the blob files; it seems odd to me.
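The field named in the first error, CryptAlgo, is where a field-by-field parse of the DPAPI_BLOB structure ran out of bytes: that is what an unchecked parser reports when the input is not a DPAPI blob at all, or when an earlier length field (here the description length) consumed the rest of the buffer. The example below is added for this page and is not dploot's or Impacket's code. It parses the DPAPI_BLOB layout with explicit checks (version must be 1, the provider GUID must be the fixed DPAPI provider GUID, every length is tested against the bytes remaining) so a failure names the field and offset, and it also scans a larger file for embedded blobs, since the CAPI key-container files under Microsoft\Crypto\RSA wrap the private key in a DPAPI blob rather than being one. The sample blob is constructed inline with dummy salt, HMAC and ciphertext bytes; the masterkey GUID is reused from the log above purely as a label, and nothing is decrypted.

```python
import struct
import uuid

# Every DPAPI blob starts with a 4-byte version (always 1) followed by this
# fixed provider GUID; its little-endian byte form is the well-known
# "d08c9ddf0115d1118c7a00c04fc297eb" signature.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# Masterkey GUID taken from the log above, used only as sample data.
SAMPLE_MASTERKEY_GUID = uuid.UUID("4d65fe5b-9382-440d-a91a-5acffe879d93")


class NotADpapiBlob(ValueError):
    """Raised with the offending field and offset instead of a bare struct.error."""


class _Reader:
    """Bounds-checked cursor over a byte buffer."""

    def __init__(self, data, pos):
        self.data, self.pos = data, pos

    def u32(self, name):
        if self.pos + 4 > len(self.data):
            raise NotADpapiBlob(f"truncated before field {name!r} at offset {self.pos}")
        (value,) = struct.unpack_from("<L", self.data, self.pos)
        self.pos += 4
        return value

    def take(self, n, name):
        remaining = len(self.data) - self.pos
        if n > remaining:
            raise NotADpapiBlob(f"field {name!r} claims {n} bytes at offset {self.pos} "
                                f"but only {remaining} remain")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def guid(self, name):
        return uuid.UUID(bytes_le=self.take(16, name))

    def sized(self, name):
        # Length-prefixed field: 4-byte LE length, then that many bytes.
        return self.take(self.u32(name + "Len"), name)


def parse_dpapi_blob(data, offset=0):
    """Parse one DPAPI_BLOB structure starting at `offset`, validating as it goes."""
    r = _Reader(data, offset)
    version = r.u32("Version")
    if version != 1:
        raise NotADpapiBlob(f"version field is {version:#x}, expected 1 (not a DPAPI blob?)")
    provider = r.guid("GuidProvider")
    if provider != DPAPI_PROVIDER_GUID:
        raise NotADpapiBlob(f"provider GUID {provider} is not the DPAPI provider")
    blob = {"offset": offset}
    blob["masterkey_version"] = r.u32("MasterKeyVersion")
    blob["masterkey_guid"] = r.guid("GuidMasterKey")   # which Protect\<SID>\<guid> file is needed
    blob["flags"] = r.u32("Flags")
    desc = r.sized("Description")
    blob["description"] = desc.decode("utf-16-le", "replace").rstrip("\x00")
    blob["crypt_algo"] = r.u32("CryptAlgo")            # CALG_* id, e.g. 0x6610 = CALG_AES_256
    blob["crypt_algo_len"] = r.u32("CryptAlgoLen")     # key size in bits
    blob["salt"] = r.sized("Salt")
    blob["hmac_key"] = r.sized("HMacKey")
    blob["hash_algo"] = r.u32("HashAlgo")              # e.g. 0x800e = CALG_SHA_512
    blob["hash_algo_len"] = r.u32("HashAlgoLen")
    blob["hmac2_key"] = r.sized("HMac2Key")
    blob["data"] = r.sized("Data")                     # the ciphertext
    blob["sign"] = r.sized("Sign")                     # HMAC over the blob
    blob["end"] = r.pos
    return blob


def find_dpapi_blobs(data):
    """Locate every well-formed DPAPI blob embedded anywhere in `data`."""
    sig = DPAPI_PROVIDER_GUID.bytes_le
    found, start = [], 0
    while (hit := data.find(sig, start)) != -1:
        if hit >= 4:  # the version field precedes the GUID
            try:
                blob = parse_dpapi_blob(data, hit - 4)
                found.append(blob)
                start = blob["end"]
                continue
            except NotADpapiBlob:
                pass
        start = hit + 1
    return found


def build_sample_blob(masterkey_guid, description, ciphertext):
    """Construct a structurally valid DPAPI blob with dummy crypto fields (test data only)."""
    def sized(b):
        return struct.pack("<L", len(b)) + b
    desc = (description + "\x00").encode("utf-16-le")
    return (struct.pack("<L", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<L", 1) + masterkey_guid.bytes_le
            + struct.pack("<L", 0) + sized(desc)
            + struct.pack("<LL", 0x6610, 256) + sized(b"S" * 32) + sized(b"")
            + struct.pack("<LL", 0x800E, 512) + sized(b"")
            + sized(ciphertext) + sized(b"H" * 64))


if __name__ == "__main__":
    sample = build_sample_blob(SAMPLE_MASTERKEY_GUID, "demo", b"\xaa" * 48)
    print("needs masterkey", parse_dpapi_blob(sample)["masterkey_guid"])
    # A truncated blob and a constructed DER-looking file are both rejected with a reason.
    for bad in (sample[:40], b"\x30\x82\x02\x10" + b"\x00" * 64):
        try:
            parse_dpapi_blob(bad)
        except NotADpapiBlob as err:
            print("rejected:", err)
    container = b"hdr" + sample + b"\x00" + sample   # stands in for a file wrapping blobs
    print("embedded blobs at", [b["offset"] for b in find_dpapi_blobs(container)])
```

To apply it to a file pulled from the share, run find_dpapi_blobs over the raw bytes: an empty result means the file is not a DPAPI blob and does not contain one, which is a different problem from a missing masterkey; a non-empty result gives the masterkey GUID to match against the files under AppData\Roaming\Microsoft\Protect\<SID>\ before attempting decryption with -mkfile.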