PEAS
No AV
UAC
PEAS also discovered that Firefox is installed on the target system
It also found the credential file!
*evil-winrm* ps c:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Profiles\77nc64t5.default> ls
directory: C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Profiles\77nc64t5.default
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/11/2023 1:23 PM bookmarkbackups
d----- 1/11/2023 1:16 PM crashes
d----- 1/11/2023 3:20 PM datareporting
d----- 4/22/2019 8:01 AM extensions
d----- 4/22/2019 8:15 AM features
d----- 4/22/2019 8:31 AM gmp
d----- 4/22/2019 8:07 AM gmp-gmpopenh264
d----- 4/22/2019 8:07 AM gmp-widevinecdm
d----- 4/22/2019 8:01 AM minidumps
d----- 1/11/2023 2:21 PM saved-telemetry-pings
d----- 8/27/2019 3:04 PM sessionstore-backups
d----- 2/18/2021 4:17 PM storage
d----- 4/22/2019 8:28 AM weave
-a---- 1/11/2023 1:26 PM 45 addons.json
-a---- 1/11/2023 1:15 PM 1911 addonStartup.json.lz4
-a---- 12/22/2021 7:27 PM 0 AlternateServices.txt
-a---- 1/11/2023 1:16 PM 216 broadcast-listeners.json
-a---- 2/18/2021 4:02 PM 229376 cert9.db
-a---- 2/18/2021 4:17 PM 199 compatibility.ini
-a---- 4/22/2019 8:01 AM 939 containers.json
-a---- 4/22/2019 8:01 AM 229376 content-prefs.sqlite
-a---- 2/18/2021 4:17 PM 524288 cookies.sqlite
-a---- 1/11/2023 1:15 PM 32768 cookies.sqlite-shm
-a---- 1/11/2023 1:15 PM 0 cookies.sqlite-wal
-a---- 2/18/2021 4:17 PM 1020 extension-preferences.json
-a---- 1/11/2023 1:30 PM 68331 extensions.json
-a---- 4/22/2019 8:29 AM 5242880 favicons.sqlite
-a---- 1/11/2023 1:15 PM 32768 favicons.sqlite-shm
-a---- 1/11/2023 1:15 PM 0 favicons.sqlite-wal
-a---- 4/22/2019 8:29 AM 196608 formhistory.sqlite
-a---- 2/18/2021 4:17 PM 588 handlers.json
-a---- 4/22/2019 8:29 AM 294912 key4.db
-a---- 1/11/2023 1:15 PM 0 parent.lock
-a---- 2/18/2021 4:17 PM 98304 permissions.sqlite
-a---- 4/22/2019 8:01 AM 505 pkcs11.txt
-a---- 12/22/2021 6:51 PM 5242880 places.sqlite
-a---- 1/11/2023 1:15 PM 32768 places.sqlite-shm
-a---- 1/11/2023 1:16 PM 1278920 places.sqlite-wal
-a---- 1/11/2023 3:16 PM 10638 prefs.js
-a---- 12/22/2021 5:48 PM 65536 protections.sqlite
-a---- 7/30/2019 2:40 PM 53492 revocations.txt
-a---- 1/11/2023 1:15 PM 2404 search.json.mozlz4
-a---- 12/22/2021 7:27 PM 0 SecurityPreloadState.txt
-a---- 1/11/2023 1:15 PM 90 sessionCheckpoints.json
-a---- 2/18/2021 4:17 PM 399 shield-preference-experiments.json
-a---- 12/22/2021 7:27 PM 1117 SiteSecurityServiceState.txt
-a---- 1/11/2023 1:16 PM 4096 storage.sqlite
-a---- 4/22/2019 8:01 AM 50 times.json
-a---- 12/22/2021 7:27 PM 0 TRRBlacklist.txt
-a---- 4/22/2019 8:29 AM 98304 webappsstore.sqlite
-a---- 1/11/2023 1:15 PM 32768 webappsstore.sqlite-shm
-a---- 1/11/2023 1:15 PM 0 webappsstore.sqlite-wal
-a---- 12/22/2021 7:27 PM 604 xulstore.json
I can see the key4.db file, but the logins.json or signons.sqlite file is missing.
Without the logins.json or signons.sqlite file, I cannot extract Firefox credentials via firepwd.py.
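The file check described above can be scripted. This is an added example, not part of the original notes and not code from firepwd.py. The function names and the result fields are hypothetical, and the sample profile is constructed in a temporary directory.

```python
"""Triage a Firefox profile for the files saved-login decryption depends on.
Added example; names are hypothetical and this is not firepwd.py code."""
import json
import tempfile
from pathlib import Path

KEY_DBS = ("key4.db", "key3.db")                  # NSS key stores (current, legacy)
LOGIN_STORES = ("logins.json", "signons.sqlite")  # saved-login stores (current, legacy)


def triage_profile(profile_dir):
    """Report which key DB and login store exist and how many logins are stored."""
    profile = Path(profile_dir)

    def present(name):
        # Zero-byte files do not count: an empty store holds nothing to decrypt.
        path = profile / name
        return path.is_file() and path.stat().st_size > 0

    key_db = next((n for n in KEY_DBS if present(n)), None)
    store = next((n for n in LOGIN_STORES if present(n)), None)
    count = None
    if store == "logins.json":
        try:
            data = json.loads((profile / store).read_text(encoding="utf-8"))
            count = len(data.get("logins", []))
        except (ValueError, OSError, AttributeError, TypeError):
            count = None  # unreadable or malformed store
    # Both halves are needed: the key DB holds the key, the store the ciphertext.
    return {"key_db": key_db, "login_store": store, "login_count": count,
            "complete": key_db is not None and store is not None}


def demo():
    """Constructed sample: key4.db only (as in the listing), then with a login store."""
    with tempfile.TemporaryDirectory() as tmp:
        prof = Path(tmp)
        (prof / "key4.db").write_bytes(b"\x00" * 64)  # placeholder bytes, not a real DB
        before = triage_profile(prof)
        entry = {"hostname": "https://example.test",
                 "encryptedUsername": "PLACEHOLDER", "encryptedPassword": "PLACEHOLDER"}
        (prof / "logins.json").write_text(json.dumps({"nextId": 2, "logins": [entry]}))
        after = triage_profile(prof)
    return before, after


if __name__ == "__main__":
    for result in demo():
        print(result)
```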