Extracting saved credentials from Firefox browser profiles by decrypting them
In this blog we will perform forensic analysis on Firefox profiles by decrypting them and extracting the saved credentials. For this we will solve a challenge from HackTheBox called "Insider".
What are Firefox profiles?
From the official documentation:
All of the changes you make in Firefox, such as your home page, what toolbars you use, extensions you have installed, saved passwords and your bookmarks, are stored in a special folder called a profile. Your profile folder is stored in a separate place from the Firefox program so that, if something ever goes wrong with Firefox, your information will still be there. It also means that you can uninstall Firefox without losing your settings and you don't have to reinstall Firefox to clear your information or troubleshoot a problem.
Decrypting Profiles
Now we will walk through an example challenge solution. First download and unzip the required files:
root@kali ~/h/r/insider# ls Mozilla/
Extensions/ Firefox/ SystemExtensionsDev/
We see that these files come from the Firefox browser. Let's check the structure of the Firefox directory:
root@kali ~/h/r/i/Mozilla# ls Firefox/Profiles/
2542z9mo.default-release/ yodxf5e0.default/
There are two profiles in it. To decrypt them we can use a tool called firefox_decrypt:
https://github.com/unode/firefox_decrypt.git
Clone this repo. To run the script we just need to provide the path to the profile we want to decrypt. Here we decrypt the profile 2542z9mo.default-release:
root@kali ~/h/r/i/firefox_decrypt (master)# python3 firefox_decrypt.py /root/hackthebox/insider/Mozilla/Firefox/Profiles/2542z9mo.default-release/
2022-06-28 06:06:00,016 - WARNING - profile.ini not found in /root/hackthebox/rabbit/insider/Mozilla/Firefox/Profiles/2542z9mo.default-release/
2022-06-28 06:06:00,017 - WARNING - Continuing and assuming '/root/hackthebox/rabbit/insider/Mozilla/Firefox/Profiles/2542z9mo.default-release/' is a profile location
Website: http://acc01:8080
Username: 'admin'
Password: 'HTB{ur_8RoW53R_H157Ory}'
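Before handing a collected Mozilla directory to firefox_decrypt, a responder usually wants to know which profiles are there, whether each one still has the two files the tool needs (logins.json plus the key4.db key database), and which sites have saved logins and when they were last used. The following triage script is an added example written for this post, not code from the original page or from the firefox_decrypt project. It reads profiles.ini when present and otherwise lists Profiles/ directly (the case above, where the tool warned that the ini file was missing), and it inventories logins.json without touching the encrypted blobs. The directory tree it builds, the profile names, the placeholder ciphertext and the timestamps are all constructed for the demo.

```python
import configparser
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Files firefox_decrypt needs to recover saved passwords: the login store
# and the NSS key database that protects it (key4.db in current Firefox).
REQUIRED_FILES = ("logins.json", "key4.db")


def find_profiles(firefox_dir):
    """Return candidate profile directories under a Firefox data directory.

    Prefer profiles.ini when it exists; otherwise list Profiles/ directly,
    which is what the tool had to fall back to in the challenge above.
    """
    firefox_dir = Path(firefox_dir)
    ini = firefox_dir / "profiles.ini"
    if ini.is_file():
        cfg = configparser.ConfigParser()
        cfg.read(str(ini))
        found = []
        for section in cfg.sections():
            if not cfg.has_option(section, "Path"):
                continue
            raw = cfg.get(section, "Path")
            relative = cfg.get(section, "IsRelative", fallback="1") == "1"
            found.append(firefox_dir / raw if relative else Path(raw))
        return found
    profiles = firefox_dir / "Profiles"
    if profiles.is_dir():
        return sorted(p for p in profiles.iterdir() if p.is_dir())
    return []


def triage_profile(profile_dir):
    """Report which of the required files a profile contains."""
    profile_dir = Path(profile_dir)
    present = {name: (profile_dir / name).is_file() for name in REQUIRED_FILES}
    return {"profile": profile_dir.name, "present": present,
            "decryptable": all(present.values())}


def _ms_to_iso(ms):
    """Firefox stores login timestamps as milliseconds since the epoch."""
    if ms is None:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def list_saved_logins(logins_json):
    """Inventory logins.json without decrypting: which sites, created/used when.
    encryptedUsername / encryptedPassword are deliberately left untouched."""
    data = json.loads(Path(logins_json).read_text(encoding="utf-8"))
    return [{
        "hostname": login.get("hostname"),
        "formSubmitURL": login.get("formSubmitURL"),
        "created": _ms_to_iso(login.get("timeCreated")),
        "last_used": _ms_to_iso(login.get("timeLastUsed")),
        "times_used": login.get("timesUsed", 0),
    } for login in data.get("logins", [])]


def triage_firefox_dir(firefox_dir):
    """Run the full triage over every profile found."""
    report = []
    for profile in find_profiles(firefox_dir):
        entry = triage_profile(profile)
        logins = profile / "logins.json"
        entry["logins"] = list_saved_logins(logins) if logins.is_file() else []
        report.append(entry)
    return report


def build_sample_tree(root):
    """Constructed sample: no profiles.ini, two profiles, one complete
    (logins.json + key4.db) and one missing the key database."""
    root = Path(root)
    full = root / "Firefox" / "Profiles" / "aaaa1111.default-release"
    partial = root / "Firefox" / "Profiles" / "bbbb2222.default"
    full.mkdir(parents=True)
    partial.mkdir(parents=True)
    sample_logins = {"nextId": 2, "logins": [{
        "id": 1, "hostname": "http://acc01:8080", "httpRealm": None,
        "formSubmitURL": "http://acc01:8080",
        "usernameField": "username", "passwordField": "password",
        "encryptedUsername": "PLACEHOLDER-ciphertext",  # constructed, not real NSS output
        "encryptedPassword": "PLACEHOLDER-ciphertext",
        "guid": "{00000000-0000-4000-8000-000000000000}", "encType": 1,
        "timeCreated": 1656396360000,  # 2022-06-28T06:06:00Z, constructed
        "timeLastUsed": 1656396360000, "timePasswordChanged": 1656396360000,
        "timesUsed": 3}]}
    (full / "logins.json").write_text(json.dumps(sample_logins), encoding="utf-8")
    (full / "key4.db").write_bytes(b"")  # empty placeholder for the real key DB
    (partial / "logins.json").write_text(json.dumps({"nextId": 1, "logins": []}),
                                         encoding="utf-8")
    return root / "Firefox"


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return triage_firefox_dir(build_sample_tree(tmp))


if __name__ == "__main__":
    for entry in demo():
        status = "decryptable" if entry["decryptable"] else "missing files"
        print(f"{entry['profile']}: {status}; {len(entry['logins'])} saved login(s)")
        for login in entry["logins"]:
            print(f"  {login['hostname']} created {login['created']} used {login['times_used']}x")
```

Point triage_firefox_dir() at the real Firefox/ directory from the challenge to get the same report for both profiles there; a profile flagged as missing key4.db cannot be decrypted even though its logins.json still lists the sites, and that inventory (hosts plus timestamps) is itself useful timeline evidence.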