1FAGuy
Category: Digital Forensics
200 points
We have obtained these files from a Hacker’s computer known as 1FAGuy. Can you find the password of their C&C?
File: Evidence.zip
Solution
This challenge gave me a headache. Evidence.zip contains a user's AppData directory, from which I needed to extract the credentials. I spent literally hours trying to crack the password stored in the Google Chrome files. That was a dead-end trap set by the organizers. The flag was actually recoverable from Firefox...
I did it with firefox_decrypt. Before that step I had to rename login.json to logins.json (another trap): firefox_decrypt only reads a file named logins.json, so with the misnamed file it finds no saved logins at all.
./firefox_decrypt.py /tmp/AppData/Roaming/Mozilla/Firefox
Select the Mozilla profile you wish to decrypt
1 -> Profiles/8den1n7z.default
2 -> Profiles/pwbmg6f4.default-release
2
Website: https://commandandcontrol.candc
Username: 'admin'
Password: 'SBCTF{MuL71_f4C70R_4U7H3N71C4710n_70_7h3_r35cU3}'
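As an added example (not part of the original writeup, and not firefox_decrypt's own code), the Python below shows what a tool like firefox_decrypt is actually looking for in a profile and why the login.json rename matters. It accepts either file name, reads every entry of the JSON login store, and parses the DER structure of each encryptedPassword blob (Firefox's SDR format: key ID, algorithm OID, IV, ciphertext) without decrypting it. Decryption additionally needs the profile's key4.db and NSS, which is exactly the part firefox_decrypt handles. The sample profile directory, the login entry and the blob bytes are constructed inline; all function and variable names are my own.

```python
"""Locate and inspect a Firefox saved-logins store without decrypting it (added example)."""
import base64
import json
import tempfile
from pathlib import Path

# Firefox writes logins.json; firefox_decrypt looks for exactly that name, so a
# file misnamed login.json is silently ignored. We accept both and report which one we read.
LOGIN_FILE_CANDIDATES = ("logins.json", "login.json")

DES_EDE3_CBC = "1.2.840.113549.3.7"          # OID Firefox uses for SDR-encrypted login fields
OID_NAMES = {DES_EDE3_CBC: "des-ede3-cbc"}


def find_logins_file(profile_dir):
    """Return the path of the login store, accepting the misnamed variant, or None."""
    for name in LOGIN_FILE_CANDIDATES:
        candidate = Path(profile_dir) / name
        if candidate.is_file():
            return candidate
    return None


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn DER OID content bytes into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_sdr_blob(b64):
    """Decode an encryptedUsername/encryptedPassword field into its SDR components.

    Layout: SEQUENCE { keyId OCTET STRING, SEQUENCE { alg OID, iv OCTET STRING }, ct OCTET STRING }
    """
    der = base64.b64decode(b64)
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, key_id, pos = _read_tlv(body, 0)
    _, alg_seq, pos = _read_tlv(body, pos)
    _, ciphertext, _ = _read_tlv(body, pos)
    _, oid_raw, apos = _read_tlv(alg_seq, 0)
    _, iv, _ = _read_tlv(alg_seq, apos)
    oid = _decode_oid(oid_raw)
    return {"key_id": key_id.hex(), "algorithm": OID_NAMES.get(oid, oid),
            "iv_len": len(iv), "ct_len": len(ciphertext)}


def inventory(profile_dir):
    """List every saved login with the metadata a decryptor needs (key ID, cipher, key4.db present)."""
    path = find_logins_file(profile_dir)
    if path is None:
        return []
    store = json.loads(path.read_text())
    key4_present = (Path(profile_dir) / "key4.db").is_file()
    return [{"file": path.name,
             "hostname": entry.get("hostname"),
             "password": parse_sdr_blob(entry["encryptedPassword"]),
             "key4_present": key4_present}
            for entry in store.get("logins", [])]


# --- constructed sample data (not from the challenge files) -----------------------------

def _der(tag, content):
    """Minimal DER encoder; short-form lengths are enough for these sample blobs."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def build_sdr_blob(key_id, iv, ciphertext):
    """Build a base64 SDR blob in Firefox's layout for test data (contents are arbitrary bytes)."""
    oid = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x03, 0x07])   # 1.2.840.113549.3.7
    alg = _der(0x30, _der(0x06, oid) + _der(0x04, iv))
    return base64.b64encode(_der(0x30, _der(0x04, key_id) + alg + _der(0x04, ciphertext))).decode()


def demo(profile_dir=None):
    """Write a constructed profile containing the misnamed login.json and inventory it."""
    if profile_dir is None:
        profile_dir = tempfile.mkdtemp(prefix="ff-profile-")
    sample = {"logins": [{"hostname": "https://commandandcontrol.candc",
                          "encryptedUsername": build_sdr_blob(b"\x01" * 16, b"\x02" * 8, b"\x03" * 8),
                          "encryptedPassword": build_sdr_blob(b"\x01" * 16, b"\x04" * 8, b"\x05" * 48)}]}
    (Path(profile_dir) / "login.json").write_text(json.dumps(sample))   # the trap: wrong name
    return inventory(profile_dir)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running it on a real profile (`inventory("/tmp/AppData/Roaming/Mozilla/Firefox/Profiles/pwbmg6f4.default-release")`) tells you in one pass whether the store is misnamed, how many entries exist, which key ID they reference and whether key4.db is there to unlock it; if `file` comes back as `login.json`, rename it before running firefox_decrypt.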
Flag
SBCTF{MuL71_f4C70R_4U7H3N71C4710n_70_7h3_r35cU3}