The Password Manager

This challenge was quite cool as I had never played with a 1Password vault before. Still, this was again a brute force :(.

So, we got a 1Password vault (OPVault format), and a test one with the given password "test".

Looks like one tool for playing with opvault vaults is available on GitHub.

Let’s take our favorite wordlist and test it.

Note: the following code is not optimized at all (not even parallelized) but did the job:

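#!/usr/bin/env python3
from opvault.onepass import OnePass
from opvault import exceptions
from opvault import designation_types
from pwn import *

log.info('Load Password file')
with open('10k_most_common.txt', 'r', encoding='utf-8') as f:
    logger = log.progress('Testing ')
    for p in f.readlines():
        master_password = p.strip()
        logger.status(master_password)
        try:
            # Open the vault and try to unlock it with the candidate
            vault = OnePass('testvault.opvault')
            vault.unlock(master_password=master_password)
        except exceptions.OpvaultException:
            # Wrong master password: move on to the next candidate
            continue
        else:
            logger.success(master_password)
            # Items are only decrypted once explicitly loaded
            vault.load_items()
            log.info(str(vault.getItems()))
            for item in vault.getItems().keys():
                overview, details = vault.get_item(item)
                password = [field['value'] for field in details['fields']
                            if field['designation'] == designation_types.DesignationTypes.PASSWORD][0]
                log.info("%s : %s" % (item, password))
            break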

So we first tested with the given test vault, and got:

$ ./
[*] Load Password file
[+] Testing : test
[*] {'google': '44E01EB2B88D40989B11B2BD7D19EB19'}
[*] google : yougotmypass

in a matter of seconds. Let’s try the other vault with the same small wordlist before using rockyou:

$ ./
[*] Load Password file
[+] Testing : starwars
[*] {'flag': '93B5051CDEAE418F9D2C2F224B33EF1F'}
[*] flag : flag{Wow_You_CRACKED-the-VAULT}