From f8b44d21b33aac1ebbee146ae14a0aabdfe91be1 Mon Sep 17 00:00:00 2001
From: mverschu
Date: Wed, 18 Feb 2026 19:59:57 +0100
Subject: [PATCH] Fix DPAPI credential lookup: add lowercase username for dploot compatibility

dploot looks up credentials with user.lower() (e.g. 'administrator'), but we only stored them under context.username (e.g. 'Administrator'). Python dict lookups are case-sensitive, so the credential wasn't found and master keys were never decrypted.

Co-authored-by: Cursor
---
 nxc/protocols/smb/dpapi.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nxc/protocols/smb/dpapi.py b/nxc/protocols/smb/dpapi.py
index 9cbde5262a..8fe5760c8e 100644
--- a/nxc/protocols/smb/dpapi.py
+++ b/nxc/protocols/smb/dpapi.py
@@ -60,8 +60,10 @@ def collect_masterkeys_from_target(context, target, dploot_connection, user=True
 nthashes = {username: nt.split(":")[1] if ":" in nt else nt for _, _, username, nt, _, _ in context.db.get_credentials(cred_type="hash")}
 if context.password != "":
 plaintexts[context.username] = context.password
+ plaintexts[context.username.lower()] = context.password # dploot matches user.lower()
 if context.nthash != "":
 nthashes[context.username] = context.nthash
+ nthashes[context.username.lower()] = context.nthash

 # Collect User and Machine masterkeys
 try:
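Review bot: The lowercase key is added only for the session credential; the entries built from `context.db.get_credentials(cred_type="hash")` in the `nthashes` comprehension at the top of the hunk (and presumably the matching `plaintexts` dict built just above it, outside the hunk) are still keyed by whatever case the database stored, so the case-sensitive miss described in the commit message would still apply to them if dploot really looks up `user.lower()`. Normalising once where the dicts are built, e.g. a `{username.lower(): ...}` key in the comprehension, would cover both sources and remove the need for the two extra assignments, though whether the original-case key must also be kept depends on dploot code that is not shown here. The second added line also lacks the explanation the first one carries; a single `# dploot looks up user.lower(), so also store a lowercase key` above both `if` blocks would document it once. The body of `collect_masterkeys_from_target` starts and ends outside the hunk.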