Insider
We are given a folder called Mozilla with a lot of Firefox files:
$ find Mozilla -type f
Mozilla/Firefox/installs.ini
Mozilla/Firefox/profiles.ini
Mozilla/Firefox/Profiles/yodxf5e0.default/times.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/sessionstore-backups/recovery.baklz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/sessionstore-backups/recovery.jsonlz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/weave/failed/tabs.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/weave/toFetch/tabs.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/favicons.sqlite-shm
Mozilla/Firefox/Profiles/2542z9mo.default-release/compatibility.ini
Mozilla/Firefox/Profiles/2542z9mo.default-release/favicons.sqlite-wal
Mozilla/Firefox/Profiles/2542z9mo.default-release/addons.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/logins.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/search.json.mozlz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/sessionCheckpoints.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/pkcs11.txt
Mozilla/Firefox/Profiles/2542z9mo.default-release/times.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/extension-preferences.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/addonStartup.json.lz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/crashes/store.json.mozlz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/key4.db
Mozilla/Firefox/Profiles/2542z9mo.default-release/webappsstore.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/protections.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/places.sqlite-wal
Mozilla/Firefox/Profiles/2542z9mo.default-release/security_state/data.safe.bin
Mozilla/Firefox/Profiles/2542z9mo.default-release/datareporting/state.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/datareporting/aborted-session-ping
Mozilla/Firefox/Profiles/2542z9mo.default-release/datareporting/session-state.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/datareporting/archived/2020-11/1604498649754.5212ab6a-268f-4c2b-aa0b-cf46c3d1dc71.event.jsonlz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/datareporting/archived/2020-11/1604509449817.7d32a9b1-03f4-4155-8f99-ebd1cceb30d5.event.jsonlz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/datareporting/archived/2020-11/1604496849746.014e92ae-cb57-4c0e-a97c-66ffa45bfe20.new-profile.jsonlz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/datareporting/archived/2020-11/1604507415845.36b506e6-3dea-4646-8ae3-62e9fd1b4692.main.jsonlz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/broadcast-listeners.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/cookies.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/places.sqlite-shm
Mozilla/Firefox/Profiles/2542z9mo.default-release/containers.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/formhistory.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/default/moz-extension+++7b958ab1-a8d2-4943-8833-5185e9a8d9d0^userContextId=4294967295/idb/3647222921wleabcEoxlt-eengsairo.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/default/moz-extension+++7b958ab1-a8d2-4943-8833-5185e9a8d9d0^userContextId=4294967295/.metadata-v2
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/idb/3561288849sdhlie.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/idb/1451318868ntouromlalnodry--epcr.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/idb/2823318777ntouromlalnodry--naod.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/idb/1657114595AmcateirvtiSty.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/idb/2918063365piupsah.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/idb/3870112724rsegmnoittet-es.sqlite-shm
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/idb/3870112724rsegmnoittet-es.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/idb/3870112724rsegmnoittet-es.sqlite-wal
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage/permanent/chrome/.metadata-v2
Mozilla/Firefox/Profiles/2542z9mo.default-release/extensions.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/handlers.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/bookmarkbackups/bookmarks-2020-11-04_11_Xwf6HUY0M1+1NgBa9qQfXA==.jsonlz4
Mozilla/Firefox/Profiles/2542z9mo.default-release/content-prefs.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/gmp-gmpopenh264/1.8.1.1/gmpopenh264.info
Mozilla/Firefox/Profiles/2542z9mo.default-release/gmp-gmpopenh264/1.8.1.1/gmpopenh264.dll
Mozilla/Firefox/Profiles/2542z9mo.default-release/permissions.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/gmp-widevinecdm/4.10.1582.2/widevinecdm.dll
Mozilla/Firefox/Profiles/2542z9mo.default-release/gmp-widevinecdm/4.10.1582.2/widevinecdm.dll.lib
Mozilla/Firefox/Profiles/2542z9mo.default-release/gmp-widevinecdm/4.10.1582.2/manifest.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/gmp-widevinecdm/4.10.1582.2/widevinecdm.dll.sig
Mozilla/Firefox/Profiles/2542z9mo.default-release/gmp-widevinecdm/4.10.1582.2/LICENSE.txt
Mozilla/Firefox/Profiles/2542z9mo.default-release/favicons.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/webappsstore.sqlite-wal
Mozilla/Firefox/Profiles/2542z9mo.default-release/cert9.db
Mozilla/Firefox/Profiles/2542z9mo.default-release/parent.lock
Mozilla/Firefox/Profiles/2542z9mo.default-release/xulstore.json
Mozilla/Firefox/Profiles/2542z9mo.default-release/webappsstore.sqlite-shm
Mozilla/Firefox/Profiles/2542z9mo.default-release/prefs.js
Mozilla/Firefox/Profiles/2542z9mo.default-release/SiteSecurityServiceState.txt
Mozilla/Firefox/Profiles/2542z9mo.default-release/storage.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/places.sqlite
Mozilla/Firefox/Profiles/2542z9mo.default-release/cookies.sqlite-shm
Mozilla/Firefox/Profiles/2542z9mo.default-release/cookies.sqlite-wal
Mozilla/Firefox/Profiles/2542z9mo.default-release/shield-preference-experiments.json
Mozilla/Firefox/Crash Reports/InstallTime20201027185343
The description of the challenge says:
A potential insider threat has been reported, and we need to find out what they accessed. Can you help?
File inspection
We can start by reading the files that look interesting, including the SQLite3 database files:
$ cat Mozilla/Firefox/Crash\ Reports/InstallTime20201027185343
1604494987
$ cat Mozilla/Firefox/Profiles/2542z9mo.default-release/search.json.mozlz4
mozLz40��){"version":6,"buildID":"20201027185343","locale":"en-US",�!tInEngineList":[{"id":"google@search.mozilla.orgH�default"},6�amazondotcom<�wikipedia9Obing4/dd3A],"e!s@_namDG!�","_isAppProvided":true,"_metaData":{} 8A#O.com<W#_ (en)@0Bin��@Duck/Gor7],"�"useSavedOrder":false}}
$ cat Mozilla/Firefox/Profiles/2542z9mo.default-release/sessionCheckpoints.json | jq
{
"profile-after-change": true,
"final-ui-startup": true,
"sessionstore-windows-restored": true
}
$ cat Mozilla/Firefox/Profiles/2542z9mo.default-release/addons.json | jq
{
"schema": 6,
"addons": []
}
$ sqlite3 Mozilla/Firefox/Profiles/2542z9mo.default-release/key4.db
SQLite version 3.39.5 2022-10-14 20:58:05
Enter ".help" for usage hints.
sqlite> .tables
metaData nssPrivate
sqlite> select * from metaData;
0`0Aword*�H���.�m����|0��0m *�H��
04 $��54pO�X&/���h��*��u�
�Z 0
*�H�� 0 `�He*��Mt�=uF�!�DfP�=�Zd��(U�[c[
0O0Akey_*�H��5fb_00000011|0��0\ *�H��
04 ��ڧ�ôhX]!?y
�U{ĂL�*��\�v 0
*�H�� 0
*�H�� /<�k��`�XG�_��o��TURjG}�ͤ�|
sqlite> select * from nssPrivate;
0`0A8415*�H���||0��0m *�H��
04 ����;��Ee�٨_���Xz^�(3�1�: 0
*�H�� 0 `�He*H����7[X���gSl ڕ�?u2U�֊,�]F���[g���9�Q<Z�|||||||||||||||||�|||||||||||�|�||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
sqlite> .exit
Nothing in there seems useful. There is yet another interesting file:
$ cat Mozilla/Firefox/Profiles/2542z9mo.default-release/logins.json | jq
{
"nextId": 2,
"logins": [
{
"id": 1,
"hostname": "http://acc01:8080",
"httpRealm": "Tomcat Manager Application",
"formSubmitURL": null,
"usernameField": "",
"passwordField": "",
"encryptedUsername": "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECF+d3kuwB9ZWBAj5QRmuUB+gqg==",
"encryptedPassword": "MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECBqsTKru3+k8BBgCXKb5CRSS4SF6O3Dh4jUKFRBtxfiabQk=",
"guid": "{69f06e46-1ffa-42a0-9166-0ca4b8fac057}",
"encType": 1,
"timeCreated": 1604509320314,
"timeLastUsed": 1604509320314,
"timePasswordChanged": 1604509320314,
"timesUsed": 1
}
],
"potentiallyVulnerablePasswords": [],
"dismissedBreachAlertsByLoginGUID": {},
"version": 3
}
Decrypting Firefox credentials
Here we have Firefox's credential store, but the stored credentials are encrypted. This is not a problem, because the open-source tool firepwd can decrypt Firefox credentials when we have access to all the profile files. Running it against the profile decrypts the stored credentials:
$ git clone https://github.com/lclevy/firepwd
...
$ python3 firepwd/firepwd.py -d Mozilla/Firefox/Profiles/2542z9mo.default-release/
globalSalt: b'060837e7815de208d7d6ac8fbb2ee86da78ae9ce'
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
SEQUENCE {
OCTETSTRING b'2484933534704f8a13581f262f068216f99984e89768f7e02a8f9f759a0c8f5a'
INTEGER b'01'
INTEGER b'20'
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
}
}
}
SEQUENCE {
OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
OCTETSTRING b'd6da114d74de3d7507468321fb44'
}
}
}
OCTETSTRING b'6650ff3d8a5a64b0e4281255e45b635b'
}
clearText b'70617373776f72642d636865636b0202'
password check? True
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
SEQUENCE {
OCTETSTRING b'f4fbf3e43b96b84565beeea6a8d9a85f9003d7da18587a125ee42833b731f93a'
INTEGER b'01'
INTEGER b'20'
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
}
}
}
SEQUENCE {
OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
OCTETSTRING b'48baf2ffd7375b58b8d7cc67536c'
}
}
}
OCTETSTRING b'05da951f823f753255f7d68a2ce5865d46bebcb25b67e81fedd6399e513c5af2'
}
clearText b'c8e53851c7fed9a1260720791abf1526aeceae89ef079bb60808080808080808'
decrypting login/password pairs
http://acc01:8080:b'admin',b'HTB{ur_8RoW53R_H157Ory}'
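Each encryptedUsername and encryptedPassword value in logins.json is a small base64-encoded DER structure, and the ASN.1 dump above is firepwd walking the matching structure in key4.db. The following Python is an added example (not code from the original post or from firepwd) that parses the two blobs shown in the logins.json above and reports which key id, cipher and IV protect them; the function and constant names are mine.

```python
import base64

# Both values are copied from the logins.json shown above.
ENCRYPTED_USERNAME = "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECF+d3kuwB9ZWBAj5QRmuUB+gqg=="
ENCRYPTED_PASSWORD = ("MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECBqsTKru3+k8"
                      "BBgCXKb5CRSS4SF6O3Dh4jUKFRBtxfiabQk=")

# DER encoding of the OID NSS uses for login blobs (1.2.840.113549.3.7).
CIPHER_OIDS = {bytes.fromhex("2a864886f70d0307"): "des-ede3-cbc"}


def der_read(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_login_blob(b64):
    """Parse one encryptedUsername/encryptedPassword value from logins.json.

    Layout: SEQUENCE { OCTET STRING keyId,
                       SEQUENCE { OID cipher, OCTET STRING iv },
                       OCTET STRING ciphertext }
    keyId names the key in key4.db (nssPrivate) that firepwd recovers above.
    """
    data = base64.b64decode(b64)
    tag, body, end = der_read(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected a single top-level SEQUENCE")
    t1, key_id, pos = der_read(body, 0)
    t2, alg, pos = der_read(body, pos)
    t3, ciphertext, pos = der_read(body, pos)
    if (t1, t2, t3) != (0x04, 0x30, 0x04) or pos != len(body):
        raise ValueError("unexpected blob layout")
    t4, oid, p = der_read(alg, 0)
    t5, iv, p = der_read(alg, p)
    if (t4, t5) != (0x06, 0x04) or p != len(alg):
        raise ValueError("unexpected algorithm identifier")
    return {
        "key_id": key_id.hex(),
        "cipher": CIPHER_OIDS.get(oid, "unknown OID " + oid.hex()),
        "iv": iv.hex(),
        "ciphertext_len": len(ciphertext),  # padded secret length, a multiple of 8
    }


if __name__ == "__main__":
    for name, blob in ("username", ENCRYPTED_USERNAME), ("password", ENCRYPTED_PASSWORD):
        print(name, parse_login_blob(blob))
```

Both blobs point at the same key id and use 3DES-CBC, so whoever holds the profile files holds everything needed to reach the key, which key4.db only protects with an empty primary password unless the user sets one. Even without decrypting, the ciphertext lengths (8 and 24 bytes) already bound the length of the username and password.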
Flag
And the flag is the password: HTB{ur_8RoW53R_H157Ory}