Intro

We were given multiple Linux and Windows machines to attack and capture flags from; each challenge set us up for the next few, and one of the harder ones was:

Gaining Access to Emails on Windows

  • We had several Windows machines in the subnet, but we had to access the emails of the user “Joe” on one of them.
  • We had credentials for one of the Windows machines from a previous web challenge based on SQL injection, which we had solved by running sqlmap on the login page.
  • To access any of the Windows machines, we had to use Remote Desktop Protocol (RDP).
  • After logging in through RDP, our account did not have administrator privileges and we had limited remote tooling.
  • We then started enumeration and noticed Joe under C:\Users\, but we did not have access to any of the files.
  • We first tried proxychains, since we had access to another Windows machine on the same network as this one, but after spending an hour getting the connection to work, even that machine did not have access to Joe’s account.
  • Then we noticed that one of the installed applications was Mozilla Thunderbird, an email client. The challenge said to find the emails, so this looked like the way in.
  • Thunderbird stores each user’s emails, account details, and saved credentials within their own profile directory, typically found at: C:\Users\<username>\AppData\Roaming\Thunderbird\Profiles\<randomstring>.default\
  • A Thunderbird profile holds several key files:
    • prefs.js: Configuration and account settings
    • key4.db and logins.json: Encrypted saved passwords
    • .mab / sqlite files: Address books and other metadata
    • Mail/ImapMail: Containing the actual stored emails in MBOX or Maildir-like formats
  • But we still needed Joe’s local password. We found it in the system login log files, which were not stored securely: they were sitting in the backups directory.
  • We then logged in through Thunderbird using Joe’s credentials and were able to see his emails, but the contents were encrypted.
  • Using CyberChef, we decrypted them with the Blowfish decrypt tool.
  • Then we finally got the flag.
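The profile layout described above is exactly what an incident responder inventories when triaging a Thunderbird install. As an added example (not part of the write-up), this Python script locates every profile directory under a Users root, reports which of the sensitive artefacts (prefs.js, key4.db, logins.json) are present, and lists the subjects in each MBOX file under Mail/ImapMail; the user name, profile name and messages in the fixture are constructed so it runs offline.

```python
import mailbox
import tempfile
from pathlib import Path

# Artefacts named in the write-up, relative to a profile directory.
KEY_FILES = ["prefs.js", "key4.db", "logins.json"]
MAIL_DIRS = ["Mail", "ImapMail"]


def find_profiles(users_root):
    """Return every Thunderbird profile directory under a Windows-style Users root."""
    root = Path(users_root)
    pattern = "*/AppData/Roaming/Thunderbird/Profiles/*"
    return sorted(p for p in root.glob(pattern) if p.is_dir())


def summarise_profile(profile):
    """Report which credential/config files exist and the subjects stored in each mbox."""
    profile = Path(profile)
    report = {"present": [f for f in KEY_FILES if (profile / f).is_file()],
              "mailboxes": {}}
    for d in MAIL_DIRS:
        base = profile / d
        if not base.is_dir():
            continue
        for f in base.rglob("*"):
            # Thunderbird mbox files carry no extension (INBOX, Sent, ...); .msf are indexes.
            if f.is_file() and not f.suffix:
                subjects = [m["subject"] for m in mailbox.mbox(str(f))]
                report["mailboxes"][str(f.relative_to(profile))] = subjects
    return report


def build_fixture():
    """Constructed sample tree (hypothetical user 'joe', not from the challenge)."""
    tmp = Path(tempfile.mkdtemp())
    prof = tmp / "joe" / "AppData" / "Roaming" / "Thunderbird" / "Profiles" / "abc123.default"
    (prof / "Mail" / "Local Folders").mkdir(parents=True)
    (prof / "prefs.js").write_text('user_pref("mail.server.server1.hostname", "mail.example.test");\n')
    (prof / "logins.json").write_text('{"logins": []}\n')
    mb = mailbox.mbox(str(prof / "Mail" / "Local Folders" / "Inbox"))
    for i in range(2):
        msg = mailbox.mboxMessage()
        msg["From"] = "alice@example.test"
        msg["Subject"] = f"constructed message {i}"
        msg.set_payload("placeholder body\n")
        mb.add(msg)
    mb.flush()
    mb.close()
    return tmp
```

Run it against a mounted image or a copied profile by passing the Users directory to `find_profiles` and feeding each result to `summarise_profile`.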