2023 ImaginaryCTF - web
- Points: 100
Description
We recovered this file from the disk of a potential threat actor. Can you find out what they were up to?
Attached
Analysis
Check the login.json file:
{"nextId":2,
"logins":[
{"id":1,
"hostname":"https://yoteachapp.com",
"httpRealm":null,
"formSubmitURL":"https://yoteachapp.com",
"usernameField":"",
"passwordField":"",
"encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECJs6PTFwzrMiBAiRmXcD4tn3bw==",
"encryptedPassword":"MGIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECBZPCW+NjkpUBDieso9w5lPvD85RNcErLbGTXdamyji7ZKcL9FHxjnvt1WqwcVCsOETgCWCgwCg1jJmAW/MYugOoqQ==",
"guid":"{8ee7f027-974b-48cb-b9aa-29fc5a728c39}",
"encType":1,
"timeCreated":1688943236140,
"timeLastUsed":1688943236140,
"timePasswordChanged":1688943236140,
"timesUsed":1,
"encryptedUnknownFields":null}],
"potentiallyVulnerablePasswords":[],
"dismissedBreachAlertsByLoginGUID":{},
"version":3}
We need to log in to yoteachapp.com with the account stored in this file, but its username and password are encrypted.
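Before decrypting anything, it helps to see what the two encrypted fields contain. The following is an added example, not part of the original write-up: a small DER parser (the function names are my own) that splits each base64 blob into key identifier, cipher OID, IV and ciphertext. The decryption key is not in the JSON; Firefox keeps it in the profile's NSS key database (key4.db), so the JSON alone is not enough.

```python
import base64
# The two encrypted fields of login id 1, copied from the JSON above.
ENC_USERNAME = "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECJs6PTFwzrMiBAiRmXcD4tn3bw=="
ENC_PASSWORD = "MGIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECBZPCW+NjkpUBDieso9w5lPvD85RNcErLbGTXdamyji7ZKcL9FHxjnvt1WqwcVCsOETgCWCgwCg1jJmAW/MYugOoqQ=="


def read_tlv(buf, pos, want_tag):
    """Read one DER element at pos and return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected tag {want_tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past the end of the blob")
    return buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn DER OID content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_login_blob(b64):
    """Split one encrypted field into its parts; nothing is decrypted."""
    der = base64.b64decode(b64, validate=True)
    body, end = read_tlv(der, 0, 0x30)            # outer SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after the outer SEQUENCE")
    key_id, pos = read_tlv(body, 0, 0x04)         # OCTET STRING: key id
    alg, pos = read_tlv(body, pos, 0x30)          # SEQUENCE: cipher OID + IV
    ciphertext, _ = read_tlv(body, pos, 0x04)     # OCTET STRING: ciphertext
    oid, iv_pos = read_tlv(alg, 0, 0x06)          # OBJECT IDENTIFIER
    iv, _ = read_tlv(alg, iv_pos, 0x04)           # OCTET STRING: IV
    return {"key_id": key_id.hex(), "cipher_oid": decode_oid(oid),
            "iv": iv.hex(), "ciphertext_len": len(ciphertext)}


if __name__ == "__main__":
    for name, blob in (("username", ENC_USERNAME), ("password", ENC_PASSWORD)):
        print(name, parse_login_blob(blob))
```

The OID 1.2.840.113549.3.7 identifies 3DES in CBC mode, and both ciphertext lengths are multiples of its 8-byte block: 8 bytes for the username and 56 for the password.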
Solution
Use firefox_decrypt.py to decrypt the stored credentials:
py firefox_decrypt/firefox_decrypt.py ./.mozilla/firefox/
Website: https://yoteachapp.com
Username: ''
Password: 'UeMBYIbgPqNiSWzOVguTbccMOnLirDoEGTjgiqNrbOvwzynbyN'
Login and find the flag.
The flag is:
ictf{behold_th3_forensics_g4untlet_827b3f13}
This post is licensed under CC BY 4.0 by the author.