cursed credential
2025-01-13 05:11:22 # Backdoor-CTF-2024

I forgot my Browser’s saved password although a friend of mine tells that I can find it if I know my master key. The problem is I dont even remember that, hopefully you can rock your brain and help me out.

Author: W01f

chal.zip

firefox will rock your world

We’re provided 3 files:

  • cert9.db
  • key4.db
  • logins.json

A little bit of research tells us that these files are typical of a Firefox profile:

  • cert9.db stores Firefox certificates
  • key4.db stores information regarding the master password, which basically requires the user to input a password to view the saved website passwords
  • logins.db stores encrypted website passwords, decrypted using the master password

After backing up my own versions of these files, I copied the challenge files into my local Firefox profile, which can be accessed by navigating to about:support on Firefox and going to Application Basics -> Profile Folder -> Open Folder. Opening up Firefox, however, I found that the password manager was protected by a master password (as explained in the challenge statement).

Seeing this, I realized that I likely had to crack the master password. The challenge description gave a hint towards this, saying “hopefully you can rock your brain and help me out.” This is evidently a reference to the rockyou.txt password wordlist!

tool searching galore yay fun

I started doing some research into tools that could crack the Firefox master password. The first one I stumbled across was FireMaster. However, this tool proved to be way too slow (it would probably take at least a day to process the entire rockyou.txt wordlist!), so I kept looking. I soon realized that hashcat had a hash mode for this, so I simply needed to extract the password from key4.db.

Unfortunately, there seemed to be limited resources describing how to do this. Although FireMaster is open-source, I couldn’t seem to find the source code of it, as I would have liked to see how FireMaster extracted the hashed master password. I read through this article, but the method it described for extracting the master password failed for me. I found this tweet linking to a tool called Firepwd.py, which ultimately did not help me extract the master password, and a hashcat commit that added support for the Firefox master password. This commit wasn’t useful for finding out how to extract the passwords, but it did provide some information that would become useful in the future: the code in line 83 of tools/test_modules/m26100.pm showed how the hash should be formatted, based on the two salts, iteration number (which I guessed was just 10000 since that’s what it was on the hash mode example database for Mozilla key4.db), IV, and ciphertext.

tysm random github user i love you

I, of course, looked at John the Ripper as well, but, unfortunately, it only worked for key3.db, as written here. I still tried it locally on the key4.db, but to no avail. Later, however, I found an issue on the Github repo that described the exact same problem. AlbertVeli actually made his own Python program to do exactly that! Well, at least mostly. It didn’t exactly reconstruct the master password hash in the form hashcat wanted it to be in.

FYI, here’s that program: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
#!/usr/bin/env python3

# Helper for cracking Mozilla key4.db password database master password.
#
# Algorithm:
# * 20 byte db_salt and ~133 byte DER-encoded ciphertext
#   are extracted from key4.db
# * The ciphertext is then decoded and a number of parameters
#   extracted from it:
#   - Algorithm OIDs, only pbkdf2_hmac_sha256 supported right now
#   - Salt for pbkdf2_hmac
#   - encryption algorithm (only aes256-cbc supported right now)
#   - IV for AES decryption
#   - Ciphertext for AES
# * Loop pw candidates in john, for each pw:
#   - AES_key = pbkdf2_hmac_sha256(sha1(db_salt + pw), decoded_salt, iterations)
# * Decrypt the AES ciphertext with the key and IV
# * If the decrypted result is b'password-check' then
#   the guessed password was correct.

import sys
import sqlite3
import hashlib
import binascii

try:
    import asn1
except:
    print('module asn1 not found, try: pip install asn1')
    exit(1)

# The following imports are just for the test at the end
import hmac
from Crypto.Cipher import AES

oids = []
bstrings = []
ints = []

def recurse_asn1(input_stream):
    """
    Recurse through ASN.1 structure and save
    interesting values in global variables
    """
    global oids, bstrings, ints

    while not input_stream.eof():
        tag = input_stream.peek()
        if tag.typ == asn1.Types.Primitive:
            tag, value = input_stream.read()
            if tag.nr == 6:
                # oid
                oids.append(value)
            elif tag.nr == 4:
                # octet string (byte array)
                bstrings.append(value)
            elif tag.nr == 2:
                # integer
                ints.append(value)

        elif tag.typ == asn1.Types.Constructed:
            input_stream.enter()
            recurse_asn1(input_stream)
            input_stream.leave()

def parse_asn1(ciphertext):
    """
    Parse the asn1 byte array
    Based on the dump.py example
    from https://github.com/andrivet/python-asn1/
    """
    decoder = asn1.Decoder()
    decoder.start(ciphertext)
    recurse_asn1(decoder)

# Hexdump python3 byte string
def hexdump(bs):
    print(binascii.hexlify(bs).decode())


# --- main program ---


# Path to key4.db in first argument
if len(sys.argv) != 2:
    print('Usage: ' + sys.argv[0] + ' </path/to/key4.db>')
    exit(1)
db_path = sys.argv[1]

con = sqlite3.connect(db_path)
cur = con.cursor()
cur.execute('SELECT * from metaData WHERE id="password"')
res = cur.fetchall()[0]
con.close()

# res = (id, item1,  item2)
# item1 is 20 bytes salt
# item2 is DER-encoded ciphertext
db_salt = res[1]
print('database salt:')
hexdump(db_salt)
ciphertext = res[2]
print('database ciphertext:')
hexdump(ciphertext)


print('')

# Decode ciphertext
parse_asn1(ciphertext)

# Check if format supported
# TODO: Support more algorithms
#       For now only this specific
#       cipher suite is supported
expected_oids = (
 '1.2.840.113549.1.5.13',  # PKCS5 PBES2
 '1.2.840.113549.1.5.12',  # PKCS5 PBKDF2
 '1.2.840.113549.2.9',     # hmacSHA256
 '2.16.840.1.101.3.4.1.42' # aes256-CBC
 )
for i in range(len(expected_oids)):
    if expected_oids[i] != oids[i]:
        print('Expected OID', expected_oids[i],
              'got OID', oids[i])
        exit(1)

# Byte strings are:
# 0 - Salt (length 32)
# 1 - Partial IV (length 14, 2 bytes missing)
# 2 - AES ciphertext to decrypt
if len(bstrings) != 3:
    print('Expected 3 byte strings, got', len(bstrings))
    exit(1)
ct_salt = bstrings[0]
ct_short_iv = bstrings[1]
ct_aes = bstrings[2]

# Find the offset in ciphertext for the partial IV
if len(ct_short_iv) != 14:
    print('Expected 14 bytes partial IV')
    exit(1)
# There are two bytes missing
offset = ciphertext.find(ct_short_iv) - 2
if offset < 0:
    print('Failed to find IV in ciphertext')
    exit(1)
aes_iv = ciphertext[offset : offset + 16]

# ints should be [iterations, keylen]
if len(ints) != 2:
    print('Expected 2 integers, got', len(bstrings))
    exit(1)
iterations = ints[0] # Seems to always be 10000
keylen = ints[1]     # should be 32 for this algorithm

print('Decoded salt:')
hexdump(ct_salt)
print('Reconstructed IV')
hexdump(aes_iv)
print('Decoded AES ciphertext (still encrypted)')
hexdump(ct_aes)


# ^^^ Everything above this line is static
# The script should output the db_salt, ct_salt, aes_iv and aes_ct
# Then the rest can be looped in john.

unpad_cbc = lambda s: s[:-ord(s[len(s) - 1:])]

# Loop the lines below inside john later
# for each password candidate
print('')
pw = b'iloveyou'
saltpw = db_salt + pw
digest = hashlib.sha1(saltpw).digest()
print('sha1(salt + pw):')
hexdump(digest)
aes_key = hashlib.pbkdf2_hmac('sha256', digest, ct_salt, iterations)
print('AES key')
hexdump(aes_key)
cipher = AES.new(aes_key, AES.MODE_CBC, aes_iv)
result = unpad_cbc(cipher.decrypt(ct_aes))
print(result)
print(result == b'password-check')

Fortunately, that hashcat commit from earlier told me the necessary parameters for formatting the hash in the format required by hashcat! Converting from the Python extraction program output to the hashcat commit code variable names:

  • database salt = global_salt_bin
  • decoded salt = entry_salt_bin
  • 10000 = iter (remember this was from looking at the hashcat hash mode examples database)
  • reconstructed IV = iv_bin
  • decoded AES ciphertext = ct_bin

Formatting the hash into hashcat’s desired format, we get:
$mozilla$*AES*3510a742f59b198e198922f0c9bc43cf8ab52bf3*dadd3df784b946b13619b7f09fdce2e7a34e3e0cd4069263a0517d683d003695*10000*040e6bb3481d3086ee025f5b4b5b0afb*9c55609a7548c032b1bee0a1d948cec5

Run hashcat -a 0 -m 26100 hash ~/rockyou.txt to get the master password of phoenixthefirebird14.
Open up Firefox password manager, put in the master password, and get the decrypted password for picoctf.org! 

flag{n0_p@ssw0rd_15_s3cur3??}
Prev
2025-01-13 05:11:22 # Backdoor-CTF-2024
Next