Rootme Insecure Storage 1
Root-me.org
File - Insecure storage 1
Mozilla Firefox 14
In this challenge we need to find the user’s password. Once we download the file and decompress it we notice that it contains the configuration files for Mozilla Firefox.
So we need to find where Firefox stores passwords and how it encrypts them. I really doubt that it does not encrypt the password.
After a quick search we learn that the user's logins and passwords are stored in an SQLite 3 database at .mozilla/firefox/o0s0xxhl.default/signons.sqlite.
file signons.sqlite
signons.sqlite: SQLite 3.x database, user version 4, last written using SQLite version 3007007
sqlite3 signons.sqlite
First step is done. Now let’s read the database file.
Sqlite3
Let’s find the tables
sqlite> .tables
moz_disabledHosts moz_logins
Let’s list what’s in moz_logins.
sqlite> select * from moz_logins;
1|http://www.root-me.org||http://www.root-me.org|var_login|password|MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGQiIGc9wcicBBDV2Zx+ouMBMu+QGgCAWJC8|MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECL6IksL4y0rsBBCwsrL8AoQSAbNEoOvkOfbA|{a5f14aac-a1c1-4206-89a6-7ff3bff1c9da}|1|1328566229026|1328566229026|1328566229026|1
It looks like the passwords are encrypted (as expected). Let's extract them.
First we need the name of the field.
.schema moz_logins
CREATE TABLE moz_logins (id INTEGER PRIMARY KEY,hostname TEXT NOT NULL,httpRealm TEXT,formSubmitURL TEXT,usernameField TEXT NOT NULL,passwordField TEXT NOT NULL,encryptedUsername TEXT NOT NULL,encryptedPassword TEXT NOT NULL,guid TEXT,encType INTEGER,timeCreated INTEGER,timeLastUsed INTEGER,timePasswordChanged INTEGER,timesUsed INTEGER);
CREATE INDEX moz_logins_hostname_index ON moz_logins(hostname);
CREATE INDEX moz_logins_hostname_formSubmitURL_index ON moz_logins(hostname, formSubmitURL);
CREATE INDEX moz_logins_hostname_httpRealm_index ON moz_logins(hostname, httpRealm);
CREATE INDEX moz_logins_guid_index ON moz_logins(guid);
CREATE INDEX moz_logins_encType_index ON moz_logins(encType);
The field is called encryptedPassword. Let's dump it.
I had to use sudo to give sqlite3 the rights to write in the folder.
sudo sqlite3 signons.sqlite
SQLite version 3.16.2 2017-01-06 16:32:41
Enter ".help" for usage hints.
sqlite> .output enc_passwd
sqlite> select encryptedPassword from moz_logins;
sqlite> .exit
We have the encrypted password now, but how do we decrypt it?
I found information on the format in this post:
https://superuser.com/questions/633254/exactly-how-does-thunderbird-encrypt-usernames-and-passwords
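As an added example (not from the write-up or from the script linked below), the following Python walks the DER envelope that both encrypted* columns of the moz_logins row above are stored in: a SEQUENCE holding a 16-byte key id, an algorithm identifier with its IV, and the ciphertext. The two base64 strings are copied from the query output above; the OID name table is my own, and the key id only names a key kept in key3.db, so the blob on its own reveals the algorithm and IV but no plaintext.

```python
import base64

# Constructed sample input: the encryptedUsername/encryptedPassword columns of the moz_logins row above.
ENCRYPTED_USERNAME = "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGQiIGc9wcicBBDV2Zx+ouMBMu+QGgCAWJC8"
ENCRYPTED_PASSWORD = "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECL6IksL4y0rsBBCwsrL8AoQSAbNEoOvkOfbA"

# Name table for the algorithm OID; 1.2.840.113549.3.7 is 3DES in CBC mode (des-ede3-cbc).
OID_NAMES = {"1.2.840.113549.3.7": "des-ede3-cbc"}


def read_tlv(buf, pos, want):
    """Read one DER tag-length-value at pos, checking the tag; return (value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != want:
        raise ValueError(f"expected tag {want:#04x} at offset {pos - 2}, got {tag:#04x}")
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Convert DER-encoded OID bytes to dotted notation."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def parse_signons_blob(b64):
    """Split one signons.sqlite encrypted* value into its envelope fields.
    Layout: SEQUENCE { OCTET STRING key_id, SEQUENCE { OID alg, OCTET STRING iv },
    OCTET STRING ciphertext }. Only the key *id* is stored here; the key it names
    lives in key3.db, which is why the profile's other files are needed.
    """
    der = base64.b64decode(b64)
    body, end = read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after outer SEQUENCE")
    key_id, pos = read_tlv(body, 0, 0x04)
    alg, pos = read_tlv(body, pos, 0x30)
    ciphertext, pos = read_tlv(body, pos, 0x04)
    if pos != len(body):
        raise ValueError("unexpected extra fields in envelope")
    oid, p = read_tlv(alg, 0, 0x06)
    iv, p = read_tlv(alg, p, 0x04)
    dotted = decode_oid(oid)
    return {"key_id": key_id.hex(), "algorithm": OID_NAMES.get(dotted, dotted),
            "iv": iv.hex(), "ciphertext_len": len(ciphertext)}
```

Both records resolve to the same key id and algorithm and differ only in IV and ciphertext, which is exactly what one expects from a single 3DES key protecting every login in the profile.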
Then I looked for whether someone had already done this before and found a script here:
https://github.com/nyov/python-ffpassdecrypt
The author says that the required files are:
- key3.db
- signons.sqlite
- cert8.db
Let’s make sure that we have those files.
ls key3.db signons.sqlite cert8.db
cert8.db key3.db signons.sqlite
We're good; the only thing left to do is to try it. We need to point the script at the folder where the files are.
wget https://raw.githubusercontent.com/nyov/python-ffpassdecrypt/master/ffpassdecrypt.py
python ./ffpassdecrypt.py .mozilla/firefox/o0s0xxhl.default/
Profile directory: o0s0xxhl.default
--Site(http://www.root-me.org):
----Username shell1cracked
----Password F1rstP4sSw0rD
We got our password.