HTB-Ambassador's CTF-firensics

Inside the archive we had several files, and for some reason it almost felt like a plugin of some sort. I was close, but then I realised: why would you create a folder named extension?
Anyway, I searched for saved-telemetry-pings, which confirmed that this was indeed a Firefox profile directory (3x6l3w88.default-release is the standard Firefox profile naming).
So again a quick Google search led me to the GitHub repo for firefed, a tool for pulling artefacts out of a Firefox profile:
https://github.com/numirias/firefed
From here it was just a matter of reading the documentation to get the creds. firefed takes the profile directory with -p, so from inside the profile folder I ran:
firefed -p . history
to fetch the browser history. This gave me the following output:
PS C:\Users\LENOVO\Downloads\firensics\3x6l3w88.default-release> firefed -p . history
https://support.mozilla.org/en-US/products/firefox
Title: None
Last visit: 1970-01-01 05:30:00
Visits: 0
https://www.mozilla.org/en-US/firefox/central/
Title: None
Last visit: 1970-01-01 05:30:00
Visits: 0
ftp://rick%2Ea:r0llr1ck0202!@ftp.megacorp.local/
Title: None
Last visit: 1970-01-01 05:30:00
Visits: 0
https://files.megacorp.local/
Title: None
Last visit: 1970-01-01 05:30:00
Visits: 0
ftp://rick:6vMMFPQpSdQLPpa7@ftp.megacorp.local/
Title: None
Last visit: 1970-01-01 05:30:00
Visits: 0
https://www.mozilla.org/privacy/firefox/
Title: None
Last visit: 2020-12-04 11:18:18
Visits: 1
https://www.mozilla.org/en-US/privacy/firefox/
Title: Firefox Privacy Notice — Mozilla
Last visit: 2020-12-04 11:18:18
Visits: 1
https://travisscott.com/
Title: None
Last visit: 2020-12-04 11:22:08
Visits: 1
https://www.travisscott.com/
Title: TRAVIS SCOTT
Last visit: 2020-12-04 11:22:08
Visits: 1
https://fkatwi.gs/
Title: FKA twigs
Last visit: 2020-12-04 11:22:09
Visits: 1
https://drakeofficial.com/
Title: None
Last visit: 2020-12-04 11:22:11
Visits: 1
https://www.drakerelated.com/
Title: None
Last visit: 2020-12-04 11:22:14
Visits: 1
https://drakerelated.com/
Title: Drake Related – The Official Website of Drake
Last visit: 2020-12-04 11:22:15
Visits: 1
https://good-music.com/
Title: GOOD MUSIC
Last visit: 2020-12-04 11:22:15
Visits: 1
https://hypebeast.com/music
Title: Music | HYPEBEAST
Last visit: 2020-12-04 11:22:19
Visits: 1
https://tankmagazine.com/
Title: TANK MAGAZINE
Last visit: 2020-12-04 11:22:22
Visits: 1
https://pastebin.com/login
Title: Pastebin.com - Login Page
Last visit: 2020-12-04 11:23:37
Visits: 1
https://www.mozilla.org/en-US/contribute/
Title: Volunteer Opportunities at Mozilla — Mozilla
Last visit: 2020-12-04 11:37:32
Visits: 1
https://www.mozilla.org/en-US/about/
Title: Learn About Mozilla — Mozilla
Last visit: 2020-12-04 11:37:32
Visits: 1
https://support.mozilla.org/en-US/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-browser&utm_medium=default-bookmarks&utm_campaign=customize
Title: Customize Firefox controls, buttons and toolbars | Firefox Help
Last visit: 2020-12-04 11:37:33
Visits: 1
https://pastebin.com/u/ashrick
Title: Ashrick's Pastebin - Pastebin.com
Last visit: 2020-12-04 11:37:56
Visits: 2
https://pastebin.com/
Title: Pastebin.com - #1 paste tool since 2002!
Last visit: 2020-12-04 11:37:59
Visits: 3
https://pastebin.com/site/logout
Title: None
Last visit: 2020-12-04 11:37:59
Visits: 1
https://pastebin.com/ViYVbkRq
Title: Pastebin.com - Locked Paste
Last visit: 2020-12-04 11:38:07
Visits: 2
https://trackthis.link/
Title: Track This | A new kind of Incognito
Last visit: 2020-12-04 11:38:27
Visits: 1
https://www.supremenewyork.com/shop
Title: Supreme
Last visit: 2020-12-04 11:38:32
Visits: 2
https://www.flightclub.com/
Title: Attention Required! | Cloudflare
Last visit: 2020-12-04 11:38:34
Visits: 2
https://stockx.com/
Title: StockX: Sneakers, Streetwear, Trading Cards, Handbags, Watches
Last visit: 2020-12-04 11:38:34
Visits: 2
https://www.goat.com/
Title: GOAT: Buy and Sell Authentic Sneakers
Last visit: 2020-12-04 11:38:36
Visits: 1
https://www.stadiumgoods.com/
Title: Stadium Goods
Last visit: 2020-12-04 11:38:37
Visits: 1
https://shop.doverstreetmarket.com/us/
Title: DSM New York
Last visit: 2020-12-04 11:38:39
Visits: 1
https://kith.com/pages/shop-treats
Title: Shop Treats – Kith
Last visit: 2020-12-04 11:38:40
Visits: 1
https://www.footlocker.com/
Title: #becausesneakers | Sneakers, Apparel & More | Foot Locker
Last visit: 2020-12-04 11:38:41
Visits: 1
https://www.zumiez.com/odd-future-donut-allover-light-blue-crew-socks.html
Title: Odd Future Donut Allover Light Blue Crew Socks | Zumiez
Last visit: 2020-12-04 11:38:42
Visits: 1
https://us.octobersveryown.com/
Title: OCTOBER'S VERY OWN - USA – October's Very Own Online US
Last visit: 2020-12-04 11:38:43
Visits: 1
https://www.a-cold-wall.com/department/all/
Title: None
Last visit: 2020-12-04 11:38:45
Visits: 1
https://www.grailed.com/
Title: Grailed: Largest Online Marketplace to Buy & Sell Menswear
Last visit: 2020-12-04 11:38:45
Visits: 1
https://kinfolk.com/
Title: None
Last visit: 2020-12-04 11:38:46
Visits: 2
https://www.kicksonfire.com/
Title: KicksOnFire.com • Sneaker News & Release Dates
Last visit: 2020-12-04 11:38:47
Visits: 2
https://www.nike.com/us/en_us/c/jordan
Title: None
Last visit: 2020-12-04 11:38:47
Visits: 2
https://a-cold-wall.com/department/all
Title: None
Last visit: 2020-12-04 11:38:47
Visits: 1
https://a-cold-wall.com/
Title: A-COLD-WALL* Official Site | ACW
Last visit: 2020-12-04 11:38:47
Visits: 1
https://www.nike.com/jordan
Title: Jordan. Nike.com
Last visit: 2020-12-04 11:38:48
Visits: 2
https://www.kinfolk.com/
Title: Kinfolk
Last visit: 2020-12-04 11:38:48
Visits: 2
https://13month.com/product/collection_list.html?cate_no=103
Title: 페이지를 찾을 수 없습니다.
Last visit: 2020-12-04 11:38:49
Visits: 2
https://dbtkco.com/
Title: Don't Blame the Kids Apparel Co. | DBTK – Don't Blame The Kids Apparel
Last visit: 2020-12-04 11:38:50
Visits: 2
https://have-a-good-time.us/
Title: have a good time nyc – haveagoodtimenyc
Last visit: 2020-12-04 11:38:50
Visits: 2
https://shop.kanyewest.com/password
Title: KANYE WEST
Last visit: 2020-12-04 11:38:50
Visits: 2
https://canary---yellow.com/
Title: Virgil Abloh™
Last visit: 2020-12-04 11:38:51
Visits: 2
https://unhappy.com/
Title: Unhappy
Last visit: 2020-12-04 11:38:51
Visits: 2
https://www.youngmoney.com/
Title: None
Last visit: 2020-12-04 11:38:52
Visits: 2
https://www.canadagoose.com/ca/en/home-page
Title: Extreme Weather Outerwear | Since 1957 | Canada Goose®
Last visit: 2020-12-04 11:38:53
Visits: 1
https://getpocket.com/explore/best-of-2020?utm_source=pocket-newtab-intl-en
Title: Best articles of 2020 - Pocket
Last visit: 2020-12-04 11:42:33
Visits: 1
http://reddit.com/
Title: None
Last visit: 2020-12-04 11:42:37
Visits: 1
https://reddit.com/
Title: None
Last visit: 2020-12-04 11:42:37
Visits: 1
https://www.reddit.com/
Title: reddit: the front page of the internet
Last visit: 2020-12-04 11:42:38
Visits: 1
Two things stand out. The entries stamped 1970-01-01 05:30:00 with 0 visits were never actually visited: their last_visit_date is unset, and the tool renders that zero as the Unix epoch in local time (UTC+5:30). Among them are two ftp:// URLs with credentials embedded in the URL itself: rick%2Ea (rick.a once URL-decoded) with r0llr1ck0202!, and rick with 6vMMFPQpSdQLPpa7. Worth keeping in mind for later.
The notable URL, though, is the Pastebin one: https://pastebin.com/ViYVbkRq
The URL led me to a locked paste. The password input on that page:
<input type="password" id="postpasswordverificationform-password" class="form-control" name="PostPasswordVerificationForm[password]" aria-required="true">
That confirmed it was a plain form submission, so of course I went after the saved form history next, using the command:
firefed -p . forms
This gave us the creds:
PS C:\Users\LENOVO\Downloads\firensics\3x6l3w88.default-release> firefed -p . forms
pid=eded09ed-efe3-4a7b-8ca1-eff4913afb9e
pnid=140
cb=1607061094086
gprid=Eu
c=1
px=6591cbc3bde6a0
cMultiData={"75ea8421c3c4d0":["UserVisited"]}
LoginForm[username]=rick.ash12@outlook.com
LoginForm[username]=ashrick
PostForm[password]=r0llr1ck0202!
PostForm[name]=Sekret
pid=21ce3b95-862d-4885-97f8-b88115a24bc3
ev=PAGE_VIEW
pl=https://www.goat.com/
ts=1607062131152
v=1.5
if=false
bt=__LIVE__
u_c1=9bea8dfb-d958-488f-8c43-12275fa434da
m_sl=1871
m_rd=15681
m_pi=3944
m_pl=13547
m_ic=0
ev=SIGN_UP
ts=1607062131154
m_rd=15682
cb=1607062131156
cb=1607062138363
origin=https://mail.megacorp.local
username=rick.a
We had already seen a Pastebin URL for the user /ashrick, which matches LoginForm[username]=ashrick, and PostForm[name]=Sekret sitting next to PostForm[password]=r0llr1ck0202! is what was typed when the paste was created. So the only password that made sense for the locked paste was r0llr1ck0202!. It is also the same string embedded as rick.a's password in the ftp://rick%2Ea:...@ftp.megacorp.local/ history entry, which corroborates it.
Using those creds on the locked paste URL got us the flag.
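For anyone who wants to reproduce the history and forms steps without firefed, here is an added example (not code from this writeup or from the firefed project) that reads the same two artefacts, places.sqlite and formhistory.sqlite, directly with Python's sqlite3. It normalises Firefox's microsecond timestamps to UTC (showing why unset ones come out as 1970), URL-decodes any credentials embedded in history URLs, flags credential-looking form fields, and cross-checks form values against URL-embedded passwords, which is the corroboration used above. build_sample_profile() creates constructed in-memory stand-ins that use only a subset of the real tables' columns, with a few rows mirroring this writeup's output; open_profile() is what you would point at the real profile directory. The CREDENTIAL_FIELD_HINTS list is an assumed heuristic, not anything Firefox defines.

```python
"""Read a Firefox profile's history and form history straight from its SQLite
databases, the same artefacts firefed's `history` and `forms` features report.
Added example, not code from the writeup or from firefed. build_sample_profile()
creates constructed in-memory stand-ins using a subset of the real places.sqlite /
formhistory.sqlite columns; open_profile() is what you would call on a real profile."""
import sqlite3
from datetime import datetime, timezone
from pathlib import Path
from urllib.parse import unquote, urlsplit

PRTIME_US = 1_000_000  # Firefox stores these timestamps as microseconds since the Unix epoch
CREDENTIAL_FIELD_HINTS = ("pass", "user", "login", "email", "name")  # assumed heuristic, not a Firefox list


def prtime_to_utc(us):
    """PRTime microseconds -> 'YYYY-MM-DD HH:MM:SS' UTC. NULL/0 means never visited (a
    bookmark or typed URL); formatting 0 anyway yields the 1970 epoch in local time, which
    is exactly the '1970-01-01 05:30:00' (UTC+5:30) rows in the writeup's history dump."""
    if not us:
        return None
    return datetime.fromtimestamp(us / PRTIME_US, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def url_credentials(url):
    """(user, password) if the URL embeds userinfo such as ftp://u:p@host/, else None.
    Percent-decoding matters: the history shows 'rick%2Ea', i.e. 'rick.a'."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    return unquote(parts.username), unquote(parts.password or "")


def read_history(conn):
    """moz_places rows, most recently visited first; never-visited rows (NULL) sort last."""
    rows = conn.execute("SELECT url, title, visit_count, last_visit_date FROM moz_places "
                        "ORDER BY last_visit_date DESC").fetchall()
    return [{"url": u, "title": t, "visits": v, "last_visit_utc": prtime_to_utc(lv),
             "credentials": url_credentials(u)} for u, t, v, lv in rows]


def read_forms(conn):
    """moz_formhistory rows (values typed into text inputs), flagging credential-looking fields."""
    rows = conn.execute("SELECT fieldname, value, timesUsed, firstUsed, lastUsed "
                        "FROM moz_formhistory ORDER BY lastUsed").fetchall()
    return [{"field": f, "value": v, "times_used": n, "first_used_utc": prtime_to_utc(fu),
             "last_used_utc": prtime_to_utc(lu),
             "interesting": any(h in f.lower() for h in CREDENTIAL_FIELD_HINTS)}
            for f, v, n, fu, lu in rows]


def corroborate(history, forms):
    """Form values that also appear as the password inside a credential-bearing history URL:
    two independent artefacts agreeing on a secret is far stronger evidence than either alone."""
    by_password = {h["credentials"][1]: h["url"] for h in history if h["credentials"]}
    return {f["field"]: by_password[f["value"]] for f in forms if f["value"] in by_password}


def open_profile(profile_dir):
    """Open the real databases read-only. Work on a copy if Firefox is running: the live files
    are locked and the newest rows may still sit in the -wal journal next to them."""
    p = Path(profile_dir)

    def ro(name):
        return sqlite3.connect(f"file:{(p / name).as_posix()}?mode=ro&immutable=1", uri=True)
    return ro("places.sqlite"), ro("formhistory.sqlite")


def _utc_us(*ymdhms):
    return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp()) * PRTIME_US


def build_sample_profile():
    """Constructed stand-ins for a few rows from the writeup (local UTC+5:30 times converted to UTC)."""
    places = sqlite3.connect(":memory:")
    places.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                   "visit_count INTEGER DEFAULT 0, last_visit_date INTEGER)")
    places.executemany(
        "INSERT INTO moz_places (url, title, visit_count, last_visit_date) VALUES (?, ?, ?, ?)",
        [("ftp://rick%2Ea:r0llr1ck0202!@ftp.megacorp.local/", None, 0, None),
         ("https://pastebin.com/ViYVbkRq", "Pastebin.com - Locked Paste", 2, _utc_us(2020, 12, 4, 6, 8, 7)),
         ("https://www.reddit.com/", "reddit: the front page of the internet", 1, _utc_us(2020, 12, 4, 6, 12, 38))])
    forms = sqlite3.connect(":memory:")
    forms.execute("CREATE TABLE moz_formhistory (id INTEGER PRIMARY KEY, fieldname TEXT, value TEXT, "
                  "timesUsed INTEGER, firstUsed INTEGER, lastUsed INTEGER)")
    t = _utc_us(2020, 12, 4, 5, 53, 0)
    forms.executemany(
        "INSERT INTO moz_formhistory (fieldname, value, timesUsed, firstUsed, lastUsed) VALUES (?, ?, ?, ?, ?)",
        [("pid", "eded09ed-efe3-4a7b-8ca1-eff4913afb9e", 1, t, t),  # tracker noise, not a credential
         ("LoginForm[username]", "ashrick", 1, t, t + PRTIME_US),
         ("PostForm[name]", "Sekret", 1, t, t + 2 * PRTIME_US),
         ("PostForm[password]", "r0llr1ck0202!", 1, t, t + 3 * PRTIME_US)])
    return places, forms


if __name__ == "__main__":
    places, forms = build_sample_profile()  # or open_profile(r"C:\Users\LENOVO\Downloads\firensics\3x6l3w88.default-release")
    hist, fh = read_history(places), read_forms(forms)
    for h in hist:
        print(h["last_visit_utc"], h["visits"], h["url"], "embedded creds:", h["credentials"])
    for f in fh:
        if f["interesting"]:
            print(f["field"], "=", f["value"])
    print("corroborated:", corroborate(hist, fh))
```

Run it as-is to see the constructed rows, or swap in open_profile() against a copy of the real profile. The timestamp conversion is the part most often got wrong in browser forensics: Firefox writes microseconds, not the milliseconds you see in the tracker cookies above (cb=1607061094086), and a NULL last_visit_date should be reported as "never visited", not as a 1970 date.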
This was fun. See you guys in the next writeup!
Written by Shreyas D R