by wildmusings 2081 days ago
Note that this is not a vulnerability. You are supposed to be able to extract plaintext secrets with the Data Protection API if you are logged in as the user who the secret belongs to. That is the whole point.

I’m not sure the author knows this. He points out that this is useful for post-exploitation data gathering. That is, you’ve already compromised a machine/account and are looking to gather as much potentially useful information as possible. But he puts “securely” in scare quotes, which is not honest because this is secure storage: if you’re not authenticated, the key can’t be read. The encryption key is derived from the user password, so it can’t be defeated by offline reading either.
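To make the behaviour described above concrete, here is an added PowerShell example (not from the thread or any linked project) that round-trips a constructed secret through DPAPI via .NET's ProtectedData wrapper: the same logged-in user decrypts it without trouble, while the optional-entropy parameter is the caveat a defender should know about, since it is an extra value the application must supply (and must not store next to the blob). The function names Protect-Secret and Unprotect-Secret are assumed, and the script must run on Windows.

```powershell
# Added example, not part of the thread: DPAPI round-trip via
# System.Security.Cryptography.ProtectedData (wraps CryptProtectData/CryptUnprotectData).
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [byte[]]$Entropy = $null,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    # CurrentUser scope: only this user account (on this machine) can unprotect.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $Scope)
    return [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [byte[]]$Entropy = $null,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $blob = [Convert]::FromBase64String($Base64Blob)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $Scope)
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed sample secret, no entropy: decrypts for the same user, as designed.
$blob = Protect-Secret -PlainText 'sample-secret-value'
Unprotect-Secret -Base64Blob $blob

# Optional entropy: a second input the application must hold. Without it, even
# the same user context cannot unprotect the blob, so the value is only as safe
# as wherever the application keeps the entropy.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('constructed-app-entropy')
$blob2 = Protect-Secret -PlainText 'sample-secret-value' -Entropy $entropy
try {
    Unprotect-Secret -Base64Blob $blob2            # missing entropy -> exception
} catch [System.Security.Cryptography.CryptographicException] {
    "Unprotect without entropy failed as expected: $($_.Exception.Message)"
}
Unprotect-Secret -Base64Blob $blob2 -Entropy $entropy   # succeeds with entropy
```

Running the same unprotect call from a different user account fails in the same way, which is the point the comment makes: DPAPI ties the secret to the user's logon, not to the process that wrote it.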


Yep. He just manually accessed stuff (de-obfuscated some layers) he had already access to. Try to do it with another user on the same system and then call it a day/vulnerability. If you, as a user, store some secrets, you have to eventually read them (i.e. saved credentials).

This quote actually summarizes it:

> I wasn’t very familiar with DPAPI

Well, neither was I, but at least know the basics! https://en.wikipedia.org/wiki/Data_Protection_API

> You are supposed to be able to extract plaintext secrets with the Data Protection API if you are logged in as the user who the secret belongs to.

Yup. It's like saying you're able to read the private key out of ~/.ssh/id_rsa because you're logged in as the user, though with more steps because you need to deserialize the key from the internal representation. If you want this to not be possible even when logged in as the user, then use a hardware token like a smart card or smart-card-capable security key.

Could still be useful for post-exploitation as the OP mentions.

Especially when you consider that the common practice on Windows is to use less secure alternatives like PuTTY that are high risk for trojans.

Unless they are on smartcards, there's always a way to compromise keys like this.

There isn't even a "compromised" situation here: this is literally how it's meant to work.

Admin accounts have access to everything, whether that's the registry, or a subdir in your user profile dir. That's the whole point of admin rights. Whether your private key is in a file in a .ssh dir or stored in the registry, admins can always get to them.