Hack The Box: Insider

Nate
2 min read · Oct 12, 2023

Challenge 4 of the Intro to Blue Team track.

Description:
A potential insider threat has been reported, and we need to find out what they accessed. Can you help?

Here we go!

This challenge provides us with an export of a Firefox profile.

A short overview of Firefox profiles:

All of the changes you make in Firefox, such as your home page, what toolbars you use, extensions you have installed, saved passwords and your bookmarks, are stored in a special folder called a _profile_. Your profile folder is stored in a separate place from the Firefox program so that, if something ever goes wrong with Firefox, your information will still be there. It also means that you can uninstall Firefox without losing your settings and you don’t have to reinstall Firefox to clear your information or troubleshoot a problem.

https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data

A lot of information is stored in a profile. The profile is encrypted though, so we’ll need to find a way around that.

A quick Google search leads us right to the tool we need: https://github.com/unode/firefox_decrypt

Let’s clone it and see what we can do!

Make your way into the Mozilla/Firefox folder downloaded from HTB.

This is where the profiles.ini (configuration) file resides.

Run the firefox_decrypt.py script here.

We receive an error when running it on the first profile.
Selecting the second profile worked though and gave us the flag!
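
Before running the decryptor, it helps to see which profiles listed in profiles.ini actually contain a credential store. The sketch below is an added example, not part of the original write-up or of firefox_decrypt. It assumes a missing logins.json or key4.db is a likely reason for an error like the one above, which the challenge output does not confirm. The function names and the sample profile names are hypothetical, and the sample export is constructed.

```python
import configparser
import json
import tempfile
from pathlib import Path

# Current Firefox keeps encrypted logins in logins.json and the NSS key database in key4.db.
CREDENTIAL_FILES = ("logins.json", "key4.db")

def triage_profiles(firefox_dir):
    """List each profile in profiles.ini and whether it holds saved logins."""
    firefox_dir = Path(firefox_dir)
    ini = configparser.ConfigParser(interpolation=None)
    ini.read(firefox_dir / "profiles.ini", encoding="utf-8")
    results = []
    for section in ini.sections():
        if not section.startswith("Profile"):
            continue  # skip [General] and [Install...] sections
        entry = ini[section]
        path = Path(entry.get("Path", ""))
        if entry.get("IsRelative", "1") == "1":
            path = firefox_dir / path  # path is relative to the profiles.ini folder
        present = {name: (path / name).is_file() for name in CREDENTIAL_FILES}
        saved = 0
        if present["logins.json"]:
            data = json.loads((path / "logins.json").read_text(encoding="utf-8"))
            saved = len(data.get("logins", []))
        results.append({"section": section, "name": entry.get("Name", ""),
                        "path": path, "saved_logins": saved,
                        "decryptable": all(present.values()) and saved > 0})
    return results

def build_sample_export(root):
    """Constructed sample: two profiles, only the second has a credential store."""
    root = Path(root)
    (root / "Profiles" / "aaaa.default").mkdir(parents=True)
    full = root / "Profiles" / "bbbb.default-release"
    full.mkdir(parents=True)
    (full / "key4.db").write_bytes(b"placeholder, not a real NSS database")
    (full / "logins.json").write_text(json.dumps({"logins": [{"hostname": "https://example.test"}]}))
    (root / "profiles.ini").write_text(
        "[Profile0]\nName=default\nIsRelative=1\nPath=Profiles/aaaa.default\n\n"
        "[Profile1]\nName=default-release\nIsRelative=1\nPath=Profiles/bbbb.default-release\n\n"
        "[General]\nStartWithLastProfile=1\nVersion=2\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in triage_profiles(build_sample_export(tmp)):
            print(row["section"], row["name"], row["saved_logins"], row["decryptable"])
```

Point `triage_profiles` at the folder that contains profiles.ini in the real export to get the same summary for the challenge data.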

Kind of wish this one didn’t end so abruptly, but nonetheless…it was an informative challenge!
