Link: https://app.hackthebox.eu/challenges/160
We are given the contents of a user’s Firefox folder. Per this article, we can search for browsing history in the places.sqlite file.
$ sqlite3 places.sqlite
sqlite> .tables
We get 11 tables with the prefix of moz_.
One of them appears to show us history:

We can also run PRAGMA table_info(moz_places) to get column names. The most interesting entry is the visit to http://acc01:8080/manager. This is probably a reference to a local Apache Tomcat installation, which uses /manager and /manager/html for the management dashboard. At the end, they also access the Roaming/Mozilla folder through the browser, which is the folder we have.
I checked the cookies.sqlite file, but it only had cookies relating to google.com.
I also checked the formhistory.sqlite file, which only contained the "wsl on old windows" Google search.
We have a logins.json that also references that http://acc01:8080 and has the credentials saved:
{
  "nextId":2,
  "logins":[
    {
      "id":1,
      "hostname":"http://acc01:8080",
      "httpRealm":"Tomcat Manager Application",
      "formSubmitURL":null,
      "usernameField":"",
      "passwordField":"",
      "encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECF+d3kuwB9ZWBAj5QRmuUB+gqg==",
      "encryptedPassword":"MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECBqsTKru3+k8BBgCXKb5CRSS4SF6O3Dh4jUKFRBtxfiabQk=",
      "guid":"{69f06e46-1ffa-42a0-9166-0ca4b8fac057}",
      "encType":1,
      "timeCreated":1604509320314,
      "timeLastUsed":1604509320314,
      "timePasswordChanged":1604509320314,
      "timesUsed":1
    }
  ],
  "potentiallyVulnerablePasswords":[],
  "dismissedBreachAlertsByLoginGUID":{},
  "version":3
}
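As an added example (not part of the original write-up and not firefox_decrypt's code), the Python below triages the logins.json entry shown above without decrypting anything: it converts timeCreated to UTC, classifies the entry as an HTTP-auth login from httpRealm/formSubmitURL, and parses the DER wrapper around each encrypted field to report the cipher OID and field lengths. The function names (read_tlv, describe_blob, triage) are hypothetical; the input values are copied from the page.

```python
import base64
from datetime import datetime, timezone

# Fields copied from the logins.json entry shown above.
LOGIN = {
    "hostname": "http://acc01:8080",
    "httpRealm": "Tomcat Manager Application",
    "formSubmitURL": None,
    "encryptedUsername": "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECF+d3kuwB9ZWBAj5QRmuUB+gqg==",
    "encryptedPassword": "MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECBqsTKru3+k8BBgCXKb5CRSS4SF6O3Dh4jUKFRBtxfiabQk=",
    "timeCreated": 1604509320314,  # milliseconds since the Unix epoch
}
OIDS = {"2a864886f70d0307": "des-ede3-cbc"}  # DER bytes of OID 1.2.840.113549.3.7

def read_tlv(buf, pos):
    """Read one DER element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def describe_blob(b64):
    """Parse SEQUENCE { keyId, SEQUENCE { OID, IV }, ciphertext } without decrypting."""
    tag, body, _ = read_tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    _, key_id, pos = read_tlv(body, 0)
    _, alg, pos = read_tlv(body, pos)
    _, ciphertext, _ = read_tlv(body, pos)
    _, oid, pos = read_tlv(alg, 0)
    _, iv, _ = read_tlv(alg, pos)
    return {"key_id": key_id.hex(), "cipher": OIDS.get(oid.hex(), "oid:" + oid.hex()), "iv_len": len(iv), "ciphertext_len": len(ciphertext)}

def triage(login):
    """Summarise one saved login: origin, credential type, save time, blob layout."""
    http_auth = login.get("httpRealm") is not None and login.get("formSubmitURL") is None
    saved = datetime.fromtimestamp(login["timeCreated"] // 1000, tz=timezone.utc)
    return {"origin": login["hostname"], "type": "http-auth" if http_auth else "form",
            "saved_utc": saved.isoformat(), "username": describe_blob(login["encryptedUsername"]),
            "password": describe_blob(login["encryptedPassword"])}

print(triage(LOGIN))
```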
We can use firefox_decrypt to decrypt the credentials like so:

And the password is our flag!