We downloaded and extracted Marina.vault.zip and got a folder called Marina.vault.opvault. It contained another folder, default, that had two files in it.
The folder was in a password vault format used by a product called 1Password.
Using 1pass2john we got the hash of the vault (1password2john.py Marina.vault.opvault > hash), and then cracked the master key with John the Ripper: john hash, followed by john hash --show, which printed
We installed 1Password and loaded the vault into it, and it requested our master password:
So we entered Marina from john's output and got the saved login details:
Going to the site in the notes, we were faced with a login screen. We entered the username and password that were saved in 1Password and got the following error:
We added the header x-forwarded-for: 192.168.20.1 and sent a new request. Again we were redirected to the login page, but this time there was a cookie in the response.
We saved the cookie and navigated to the index page. We were redirected to the tickets page:
Inside the tickets we find Marina's and George's (the head of IT) Facebook pages:
This may be useful later. For now we need to find a way into George's account. Let's log out and see what the Forgot My Password link does:
OK, so we have George's username: george. Now we need his birthday and one of three security question answers. Let's check his Facebook page.
In the About section we see he was born in 1991, and that he liked the page FRIENDS (TV Show). We can now brute-force the day and month of his birthday.
BF code thanks to naweiss.
Great, now to log in again with this user's credentials using the same trick as before:
And now to see the contents of the ticket: