Root-me.org

File - Insecure storage 1

Mozilla Firefox 14

In this challenge we need to find the user’s password. Once we download the file and decompress it we notice that it contains the configuration files for Mozilla Firefox.

So we need to find where and how Firefox encrypts/stores passwords. I really doubt that it does not encrypt passwords.

After some quick research we learn that the user’s logins/passwords are stored in a sqlite3 database found in .mozilla/firefox/o0s0xxhl.default/signons.sqlite.

file signons.sqlite 
signons.sqlite: SQLite 3.x database, user version 4, last written using SQLite version 3007007

sqlite3 signons.sqlite 

First step is done. Now let’s read the database file.

Sqlite3

Let’s find the tables

sqlite> .tables
moz_disabledHosts  moz_logins       

Let’s list what’s in moz_logins.

sqlite> select * from moz_logins;
1|http://www.root-me.org||http://www.root-me.org|var_login|password|MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGQiIGc9wcicBBDV2Zx+ouMBMu+QGgCAWJC8|MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECL6IksL4y0rsBBCwsrL8AoQSAbNEoOvkOfbA|{a5f14aac-a1c1-4206-89a6-7ff3bff1c9da}|1|1328566229026|1328566229026|1328566229026|1

It looks like the password is encrypted (as expected). Let’s extract it.

We’ll find the name of the field.

.schema moz_logins
CREATE TABLE moz_logins (id                  INTEGER PRIMARY KEY,hostname            TEXT NOT NULL,httpRealm           TEXT,formSubmitURL       TEXT,usernameField       TEXT NOT NULL,passwordField       TEXT NOT NULL,encryptedUsername   TEXT NOT NULL,encryptedPassword   TEXT NOT NULL,guid                TEXT,encType             INTEGER,timeCreated         INTEGER,timeLastUsed        INTEGER,timePasswordChanged INTEGER,timesUsed           INTEGER);
CREATE INDEX moz_logins_hostname_index ON moz_logins(hostname);
CREATE INDEX moz_logins_hostname_formSubmitURL_index ON moz_logins(hostname, formSubmitURL);
CREATE INDEX moz_logins_hostname_httpRealm_index ON moz_logins(hostname, httpRealm);
CREATE INDEX moz_logins_guid_index ON moz_logins(guid);
CREATE INDEX moz_logins_encType_index ON moz_logins(encType);

It looks like that field is called encryptedPassword. Let’s take it out.

I had to sudo to give the rights to sqlite3 to write in the folder.

sudo sqlite3 signons.sqlite 

SQLite version 3.16.2 2017-01-06 16:32:41
Enter ".help" for usage hints.

sqlite> .output enc_passwd
sqlite> select encryptedPassword from moz_logins;
sqlite> .exit

We got our password now, but how do we decrypt it?

I found the information in this post:

https://superuser.com/questions/633254/exactly-how-does-thunderbird-encrypt-usernames-and-passwords
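
To see what is actually stored in that column, here is an added example (not from the original write-up and not part of python-ffpassdecrypt) that base64-decodes the encryptedPassword value from the row above and walks its DER structure: a key ID, a cipher OID with its IV, and the ciphertext. The function names are my own; the OID it prints, 1.2.840.113549.3.7, is DES-EDE3-CBC, and the key the key ID refers to is not in signons.sqlite.

```python
import base64

# encryptedPassword column of the moz_logins row shown above,
# split into chunks only for readability.
ENC_PASSWORD = ("MDoEEPgA" "AAAAAAAA" "AAAAAAAA" "AAEwFAYI"
                "KoZIhvcNAwcECL6IksL4y0rsBBCwsrL8AoQSAbNEoOvkOfbA")

def read_tlv(buf, pos, want_tag):
    """Read one DER element at pos; return (value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if tag != want_tag:
        raise ValueError(f"expected tag {want_tag:#x}, got {tag:#x}")
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    first = min(body[0] // 40, 2)           # first arc is 0, 1 or 2
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_login_blob(b64):
    """Split a moz_logins encrypted value into its DER fields."""
    outer, _ = read_tlv(base64.b64decode(b64), 0, 0x30)  # SEQUENCE
    key_id, pos = read_tlv(outer, 0, 0x04)               # OCTET STRING
    alg, pos = read_tlv(outer, pos, 0x30)                # SEQUENCE
    ciphertext, _ = read_tlv(outer, pos, 0x04)           # OCTET STRING
    oid, apos = read_tlv(alg, 0, 0x06)                   # OBJECT IDENTIFIER
    iv, _ = read_tlv(alg, apos, 0x04)                    # OCTET STRING
    return {"key_id": key_id.hex(), "cipher_oid": decode_oid(oid),
            "iv": iv.hex(), "ciphertext": ciphertext.hex()}

if __name__ == "__main__":
    for name, value in parse_login_blob(ENC_PASSWORD).items():
        print(f"{name:11} {value}")
```

The value carries no key material, only a reference to one, which is why anyone holding the whole profile folder can read the logins when no master password is set.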

Then I tried to see whether someone had already done this before and found a script here:

https://github.com/nyov/python-ffpassdecrypt

He says that the required files are:

  • key3.db
  • signons.sqlite
  • cert8.db

Let’s make sure that we have those files.

ls key3.db signons.sqlite cert8.db 
cert8.db  key3.db  signons.sqlite

We’re good; the only thing left to do is to try it. We need to point the script to the folder where the files are.

wget https://raw.githubusercontent.com/nyov/python-ffpassdecrypt/master/ffpassdecrypt.py

python ./ffpassdecrypt.py .mozilla/firefox/o0s0xxhl.default/
Profile directory: o0s0xxhl.default
--Site(http://www.root-me.org):
----Username shell1cracked
----Password F1rstP4sSw0rD

We got our password.