This project just follows this excellent write-up from MDSec: Analysing LastPass, Part 1.
https://www.lastpass.com/
Click the "Get LastPass Free" button.
Fill in the form, as shown below.
Use a disposable email address, such as YOURNAME@mailinator.com.
Click the "Sign Up-It's Free" button.
Click the "Install LastPass" button, as shown below.
Click the "Add to Chrome" button. Click "Add extension".
Add a fake password with these values, as shown below:
There are several Chrome processes, as shown below.
Hover the mouse over a Chrome process to see its command line.
Find the process with this switch, outlined in red in the image below:
Right-click that process and click Properties.
In the Properties sheet, click the Job tab.
Find the PID (Process ID). When I did it, the PID was 2684, as shown below.
From the menu bar, click Tools, "Open main memory...".
Find the Process ID of the process containing the LastPass extension, as shown below, and double-click it.
In HxD, click Search, Find.
In the "Search for" field, enter testpassword1234, as shown below.
Click the "Search all" button.
F 211.1: Password Label (15 pts)
The flag is the word before your unencrypted password, covered by a green rectangle in the image below.
https://www.keepersecurity.com
At the top right, click "Try it Free".
Click "Personal and Family".
Enter a disposable email address ending in mailinator.com and click "Try it Free Now".
Create an account, log in, and add a password to your Vault containing the string CCSF#.
Install the Browser Extension.
Leave Firefox open.
F 211.2: Finding the Process Containing Private Data (10 pts)
It's difficult to find the correct Firefox process. You don't always see the same indicator. Look for one of these clues:
- A DLL with a name containing "keepersecurity" or "formautofill"
- A handle to File \Device\KsecDD
In HxD, search that Firefox process for the string "CCSF#" in Unicode, as shown below.
The flag is covered by a green rectangle in the image below.
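The two HxD searches above (testpassword1234 as plain text in Chrome, CCSF# as Unicode in Firefox) are the same check in two encodings, since HxD's "Unicode" option means UTF-16LE. The script below is an added example, not part of the original lab: it runs that check over a constructed byte buffer instead of a live process and reports the word in front of each hit. The buffer contents and the names example_label and vault_field are made up for illustration.

```python
import re

# Constructed sample standing in for a dumped process region (not real data).
# "example_label" and "vault_field" are made-up neighbours of the test secrets.
SAMPLE = (
    b"\x00\x13\xf0" + b'example_label":"' + b"testpassword1234" + b"\x00" * 5
    + "vault_field\x00CCSF#demo".encode("utf-16-le") + b"\xff\xfe"
)

WORD = re.compile(r"[A-Za-z0-9_]{3,}")

def word_before(buf: bytes, start: int, codec: str, window: int = 32) -> str:
    """Return the last word found in the `window` bytes preceding `start`."""
    n = min(window, start)
    if codec == "utf-16-le":
        n -= n % 2          # keep 2-byte alignment relative to the hit
        text = buf[start - n:start].decode(codec, errors="replace")
    else:
        text = buf[start - n:start].decode("latin-1")  # never fails on raw bytes
    words = WORD.findall(text)
    return words[-1] if words else ""

def find_secret(buf: bytes, secret: str):
    """Search for `secret` as ASCII and as UTF-16LE (HxD's "Unicode" option).

    Returns sorted (offset, encoding, word_before_hit) tuples.
    """
    hits = []
    for codec in ("ascii", "utf-16-le"):
        needle = secret.encode(codec)
        pos = buf.find(needle)
        while pos != -1:
            hits.append((pos, codec, word_before(buf, pos, codec)))
            pos = buf.find(needle, pos + 1)
    return sorted(hits)

if __name__ == "__main__":
    for secret in ("testpassword1234", "CCSF#"):
        for offset, codec, label in find_secret(SAMPLE, secret):
            print(f"{secret!r} at 0x{offset:x} as {codec}, preceded by {label!r}")
```

A miss in one encoding says nothing about the other, which is why the Firefox step needs the Unicode search even though the Chrome step did not.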
Keeper added 11-3-22
Lastpass link fixed 11-29-22
Flag 2 changed 12-3-22
Flag 1 changed and video added 4-24-23
Flag 2 changed 5-4-23