imaginaryCTF

Mozilla Passwd [100 pts]

password + browser ≠ safe with milk and….

Attachments: https://cybersharing.net/s/73ca739f342e291d

Author: lolmenow

Find the challenge @ imaginaryCTF and solve it!

Solution

Based on the title and the attached files, we appear to have Firefox profiles with saved passwords.

These passwords can be extracted with a tool, specifically: https://github.com/unode/firefox_decrypt

Running this tool shows a profile named ctfer, but we can't get the password yet because it prompts for a primary password.

┌──(shell㉿DESKTOP-J07EICU)-[~/ctf/test]
└─$ python3 test.py /home/shell/ctf/test/Firefox/
Select the Mozilla profile you wish to decrypt
1 -> Profiles/e6tewp20.ctfer
2 -> Profiles/mmaz16f1.default
3 -> Profiles/7gfz3vtw.default-release
1

Primary Password for profile /home/shell/ctf/shell/Firefox/Profiles/e6tewp20.ctfer:
2024-08-30 22:09:54,305 - ERROR - Primary password is not correct

With some googling, we learn that a primary password is an added layer of protection, so that saved passwords cannot be easily extracted if the OS or hard drive is taken over.

Looking further through the folder, we see many SQLite databases. Going through them, cookies.sqlite turns up something interesting:

└─$ sqlite3
SQLite version 3.46.0 2024-05-23 13:25:27
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> attach "cookies.sqlite" as db1;
sqlite> .tables
db1.moz_cookies
sqlite> SELECT * FROM db1.moz_cookies;
1||AEC|AVYB7cpl2yt9CMoyt07MDUfvdVtU3Nqh6nUNdRWiMod_5x_b3inhCJ1cxA|.google.com|/|1740621570|1725069570168000|1725069570168000|1|1|0|1|1|2|0
5||edgebucket|A5PF5Ev6gx5gpxkvvF|.reddit.com|/|1788141575|1725069576095000|1725069576095001|1|0|0|1|0|2|0
6||loid|0000000017s7abxcgd.2.1725069576466.Z0FBQUFBQm0wbmtJdVI3MGIyVWdUaXE5NlFwZU1ZcEtZamgwSjdhaG1HbWtzZk11UGl3dmhEQ3B6N1RBd1RBdkdDbXNic3U4RjFWSEpHc2VrZGlfdFF1dzVjRWtvUzBvVzFMbzY2blFmVVF4RUVEWkZDMHBaRGhhTVdfNGx4RThkZ3FDYVptX2hJREE|.reddit.com|/|1788141576|1725069576387000|1725069576387000|1|0|0|0|0|2|0
7||token_v2|eyJhbGciOiJSUzI1NiIsImtpZCI6IlNIQTI1NjpzS3dsMnlsV0VtMjVmcXhwTU40cWY4MXE2OWFFdWFyMnpLMUdhVGxjdWNZIiwidHlwIjoiSldUIn0.eyJzdWIiOiJsb2lkIiwiZXhwIjoxNzI1MTU1OTc2LjQ2NjQ4LCJpYXQiOjE3MjUwNjk1NzYuNDY2NDgsImp0aSI6Inh3ZmdlV1prT2x5MGJxTTQ1Y1dGOFh2R0xfRDAwQSIsImNpZCI6IjBSLVdBTWh1b28tTXlRIiwibGlkIjoidDJfMTdzN2FieGNnZCIsImxjYSI6MTcyNTA2OTU3NjQ2Niwic2NwIjoiZUp4a2tkR090REFJaGQtbDF6N0JfeXBfTmh0c2NZYXNMUWFvazNuN0RWb2NrNzA3Y0w0aUhQOG5LSXFGTEUydUJLR2tLV0VGV3RPVU5pTHY1OHk5T1pFRlN5RlRSODQzeXdva2FVcFBVbU41cHlsUndXWmtMbGZhc1VLREI2WXBWUzZaMjBLUFM1dlEzSTFGejA2TXFseFdIdFRZbzNKcGJHTUsyeFBqemNacVF5cXV5NmxNWUZrb244V0xmdnlHLXRZLWY3YmZoSFl3cktnS0RfVE91Rnh3WV9IREZIYl9ucHIwYkYyd3FMM1hnOVEtMS1OMjdiTm1vZG01X1Z6UHZ6YVNjVG1HNWlmWXY3dC1DUjE0NUhtWlVRY3dZZzBfeXJBajZfQ3ZPb0RLQlFXTUpZaFBJNUFybDJfX0pkaXVUZjhhdHlkLS1HYkVUV180clJtbzV4TEVvVV9qNnpjQUFQX19YRF9lNHciLCJmbG8iOjF9.FWLdmXn5LVh2fFUa4MipM9aZyqopAsDfcQzZyt51OlS1_gPZ8sAM5Q76UJDtHmLp5GQzQ63lnGjQNqLrmi8Ug0IfyG-DhwJcW0-EsEDvZbMvfcfTTDTLJjRT6EpB9u1OmPMNvAx7QG3PPt6FtiQ1yNdxPTyO2HNj8jmgSvQJVPNW5JKqGIqAGRXx8msbef5RJkQwm3T7isru6bw8GGpATNac-wKGTNaJapK7q8mOrpZyzbSEb16DhZmd5yk9jK4UZF8uGVNZSujE1Eq2RIdo0fNAzxDD5zsVj8Jtdj2KMojVFhCdgtW6RdEFVDUB7uP5nMI9zICkyq5ecbYE_TE7dA|.reddit.com|/|1725155976|1725069576388000|1725069576388002|1|1|0|1|0|2|0
8||csv|2|.reddit.com|/|1788141576|1725069576388000|1725069576388004|1|0|0|0|0|2|0
9||NID|517=54yMOR8nqhZRKLY079WKjRjbTSvX6YJ1rNpdI_UU-LhM1VJTnrAgEEwnpM7R2toKm75l_2g869F8rLvSYWf4L9_y9jBMNZIJlCka69dzEPhd86KUV2aE1ZCKQVgYSkyWAk4xUjobZ2BIHFMTfKAXSoJJH9I-jPwbUJ8xMp0ZNtiU2rnUzhmiRUhO80_cL6GzsdkP5atjfDva5dSQIJI|.google.com|/|1740880780|1725069580856000|1725069570168001|1|1|0|0|0|2|0
10||DV|oxEN7Rqa9IgdIDlq9acmfs4yjo1iGhk|www.google.com|/|1725070182|1725069582200000|1725069572798001|0|0|0|1|0|2|0
11|^partitionKey=%28https%2Cgoogle.com%29|VISITOR_INFO1_LIVE|kQUtLbEt2Iw|.youtube.com|/|1740621582|1725069767693000|1725069582769001|1|1|0|0|0|2|0
12|^partitionKey=%28https%2Cgoogle.com%29|VISITOR_PRIVACY_METADATA|CgJVUxIEGgAgaA%3D%3D|.youtube.com|/|1740621582|1725069767693000|1725069582769002|1|1|0|0|0|2|0
13||GPS|1|.youtube.com|/|1725071385|1725069739433000|1725069584955000|1|1|0|1|0|2|0
14||VISITOR_INFO1_LIVE|4vPPyqCWvAI|.youtube.com|/|1740621585|1725069739433000|1725069584956001|1|1|0|0|0|2|0
15||VISITOR_PRIVACY_METADATA|CgJVUxIEGgAgXw%3D%3D|.youtube.com|/|1740621585|1725069739433000|1725069584956002|1|1|0|0|0|2|0
16|^partitionKey=%28https%2Cyoutube.com%29|__Host-GAPS|1:5lwBUIOGf1ZS7nfZPaxsnJkURLi__Q:do773gSeQ6rAZWf1|accounts.google.com|/|1788141585|1725069585797000|1725069585797000|1|1|0|1|0|2|0
19|^partitionKey=%28https%2Cyoutube.com%29|NID|517=jf1r7TBjfeIsC6eTDwxRWTV7nrTXvhPCcMxnDfwt8RxHWLOdnkYz4CzM0MMM2U1FtbCR01yXvdwO9pNvH2woiEX3JB7JPNZm0YuBT-jpJgMTkdESR7pyPmNxcpe-z9uwh_EIYhfymlwdeu5BO7MlvN0SLL7_1_RArVCVRTchqnvYT4s|.google.com|/|1740880788|1725069588325000|1725069587802000|1|1|0|0|0|2|0
20|^partitionKey=%28https%2Creddit.com%29|_GRECAPTCHA|09AFwEUIK_npDkdzhfqeTJdwXFw-azU4LfpGzteR3YEA3rjJry_jwBoarCcQ2qihXYktFzQjj7rr35UKt7fdG9qXM|www.google.com|/recaptcha|1740621591|1725069591423000|1725069591423000|1|1|0|0|0|2|0
21||guest_id_marketing|v1%3A172506959197603830|.twitter.com|/|1788141591|1725069591890000|1725069591890000|1|0|0|0|0|2|0
22||guest_id_ads|v1%3A172506959197603830|.twitter.com|/|1788141591|1725069591890000|1725069591890001|1|0|0|0|0|2|0
23||personalization_id|"v1_zHc6hUf95Xmtl/XNBsnlMA=="|.twitter.com|/|1788141591|1725069591890000|1725069591890002|1|0|0|0|0|2|0
24||guest_id|v1%3A172506959197603830|.twitter.com|/|1788141591|1725069591890000|1725069591890003|1|0|0|0|0|2|0
31||guest_id|v1%3A172506959197603830|.x.com|/|1756605592|1725069592964000|1725069592257002|1|0|0|0|0|2|0
33||guest_id_marketing|v1%3A172506959197603830|.x.com|/|1788141593|1725069593209000|1725069592256000|1|0|0|0|0|2|0
34||guest_id_ads|v1%3A172506959197603830|.x.com|/|1788141593|1725069593209000|1725069592257000|1|0|0|0|0|2|0
35||personalization_id|"v1_SSa+AOkt11PWFeEUb0OIBg=="|.x.com|/|1788141593|1725069593209000|1725069592257001|1|0|0|0|0|2|0
36||gt|1829700605327159601|.x.com|/|1725078593|1725069593209000|1725069593209003|1|0|0|1|0|2|0
37||night_mode|2|.x.com|/|1756605594|1725069594131000|1725069592964004|1|0|0|0|0|2|0
38||PREF|tz=America.New_York|.youtube.com|/|1788141596|1725069739433000|1725069586981000|1|0|0|1|0|2|0
39|^partitionKey=%28https%2Cgoogle.com%29|NID|517=tN_J66tZzuF4jOfd0oDGMoqT61mqUvHzTQVqTI2OPEgEVnXMZPK63Yu_KM2crAQX_0IrSj7gkLPIiuSWXxSVlVgm-aoFS1jTbSFVWTEX3sAI7TGwj_q2TZBVUIQXFs9HEG1v6vEILF4l4jMGjZVB3bLtaV8X4nSU4s4NG2UcIWLZwgbo|.google.com|/|1740880817|1725069616944000|1725069586011000|1|1|0|0|0|2|0
40||WMF-Last-Access|31-Aug-2024|www.wikipedia.org|/|1727827200|1725069721569000|1725069721569000|1|1|0|1|0|2|0
41||WMF-Last-Access-Global|31-Aug-2024|.wikipedia.org|/|1727827200|1725069721569000|1725069721569001|1|1|0|1|0|2|0
42||NetworkProbeLimit|0.001|www.wikipedia.org|/|1725073323|1725069723443000|1725069721569003|1|0|0|1|1|2|0
43||{19827430-744b-46e2-a4a5-e8cf76bdde9f}|value|www.wikipedia.org|/|1725156131|1725069731927000|1725069731927000|0|0|0|1|1|2|0
44||hash|value|demo.ctfd.io|/|1725156143|1725069747099000|1725069747099000|0|0|0|0|0|2|0
46||hash|$2y$10$GL1XvzQARmqZFMXL9w4pfeyxAxogSKalgOcNA50IVDx.7tmtQVJpG|imaginaryctf.org|/|1725156165|1725069780287000|1725069769128000|0|0|0|0|0|2|0
47||cookieyes-consent|consentid:bUY5Z0U3Wm1MM0czTFp5V0xzaFZsWEJVaGM3djV6MWw,consent:no,action:,necessary:yes,functional:no,analytics:no,performance:no,advertisement:no,other:no|.imaginaryctf.org|/|1756605788|1725069788693000|1725069762099001|1|0|0|2|2|2|0
sqlite>

At the 46th cookie, we see a hash at imaginaryctf.org. This looks like a bcrypt hash! Let's crack it using rockyou.txt:

hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt

We get: $2y$10$GL1XvzQARmqZFMXL9w4pfeyxAxogSKalgOcNA50IVDx.7tmtQVJpG:alaska

That should be our primary password! Let's test it:

└─$ python3 test.py /home/shell/ctf/test/Firefox/
Select the Mozilla profile you wish to decrypt
1 -> Profiles/e6tewp20.ctfer
2 -> Profiles/mmaz16f1.default
3 -> Profiles/7gfz3vtw.default-release
1

Primary Password for profile /home/shell/ctf/test/Firefox/Profiles/e6tewp20.ctfer:

Website:   https://demo.ctfd.io
Username: 'imaginaryctf@imaginary.org'
Password: 'ictf{lAdI3s_AND_GeNt1eM3n,_TH!$_1s_why_wE_D0Nt_U$e_Pas$WoRD_M@N@geRs!}'

And we see our flag!
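
The cookie review above was done by eye. As an added example (not part of the original write-up or of firefox_decrypt), the script below runs the same triage automatically: it scans a moz_cookies table for values that embed a bcrypt-format string, including percent-encoded ones, and reports the cost factor and cookie flags. The in-memory database is constructed and uses only a subset of the real columns; rows 44 and 46 reuse values shown above, rows 90 and 91 are made up.

```python
import re
import sqlite3
from datetime import datetime, timezone
from urllib.parse import unquote

# bcrypt modular-crypt string: $2<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}")

def find_bcrypt_cookies(conn):
    """Return one finding per moz_cookies row whose value embeds a bcrypt hash."""
    findings = []
    rows = conn.execute(
        "SELECT id, host, name, value, expiry, isSecure, isHttpOnly "
        "FROM moz_cookies ORDER BY id"
    )
    for cid, host, name, value, expiry, secure, http_only in rows:
        # Cookie values are often percent-encoded, so '$' may appear as '%24'.
        match = BCRYPT_RE.search(unquote(value or ""))
        if not match:
            continue
        findings.append({
            "id": cid, "host": host, "name": name,
            "hash": match.group(0),
            "cost": int(match.group(1)),  # work factor: 2**cost key-expansion rounds
            "expires": datetime.fromtimestamp(expiry, timezone.utc).isoformat(),
            "secure": bool(secure), "http_only": bool(http_only),
        })
    return findings

def build_sample_db():
    """Constructed in-memory stand-in for cookies.sqlite (subset of columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, host TEXT, "
                 "name TEXT, value TEXT, expiry INTEGER, isSecure INTEGER, "
                 "isHttpOnly INTEGER)")
    page_hash = "$2y$10$GL1XvzQARmqZFMXL9w4pfeyxAxogSKalgOcNA50IVDx.7tmtQVJpG"
    conn.executemany("INSERT INTO moz_cookies VALUES (?,?,?,?,?,?,?)", [
        (44, "demo.ctfd.io", "hash", "value", 1725156143, 0, 0),
        (46, "imaginaryctf.org", "hash", page_hash, 1725156165, 0, 0),
        # Constructed rows: an encoded hash inside a larger value, and a near-miss.
        (90, "example.test", "sess", "u=1&h=" + page_hash.replace("$", "%24"), 1725156165, 1, 1),
        (91, "example.test", "price", "$20$off", 1725156165, 1, 0),
    ])
    return conn

if __name__ == "__main__":
    for finding in find_bcrypt_cookies(build_sample_db()):
        print(finding)
```

A cost of 10 is cheap enough that a dictionary word falls quickly, and a hit here means a password-derived value is sitting in a file that the primary password does not encrypt.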