A deceptively challenging lab despite its “Easy” rating. The company suspects malicious browser extensions are being used to harvest employee credentials. The investigation requires removing enterprise browser policies, installing and analyzing extensions, identifying keylogger code via content script analysis, and capturing C2 traffic in Wireshark.
Before any extension analysis can begin, enterprise group policies are blocking installation in both Chrome and Firefox. Two registry keys need to be located and cleared:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox
```
Under the Chrome path, the subkey preventing installation is ExtensionInstallBlocklist — a Group Policy setting that blocks specific or all extension installs. Deleting or clearing this key re-enables extension installation in Chrome.
The Firefox equivalent lives under ExtensionSettings — same principle: an enterprise policy, enforced through nsIEnterprisePolicies, that prevents add-on installation.
With Firefox policies cleared, the Quote of the Day extension can be loaded as a temporary add-on via about:debugging → This Firefox → Load Temporary Add-on. The extension folder needs to be zipped with manifest.json at the root level and renamed to .xpi before Firefox will accept it.
Once installed, clicking Inspect on the extension in about:debugging opens a scoped DevTools window. The console output reveals:
```
Log of the Day: Climb the Leaderboard
```
The JS was obfuscated but the lab authors left the answer as the console.log() output — readable directly from the extension’s DevTools console without needing to deobfuscate.

Three extensions are available for analysis: AdGuard, Quote of the Day, and Privacy Badger. Examining each manifest.json for content_scripts — scripts that inject into web pages — Privacy Badger immediately stands out:
```json
"content_scripts": [{
  "js": ["js/firstparties/lib/utils.js"],
  "matches": ["https://*/*", "file:///*/*"]
}]
```
The file:///*/* match pattern is the red flag — legitimate extensions don’t inject into local file:// URLs. This tells us utils.js is the malicious keylogger content script, designed to intercept credentials entered into local HTML files such as login.html.
Firefox also flags a manifest warning: “An unexpected property was found in the WebExtension manifest” — another indicator of tampering.
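The manifest check described above can be automated across every installed extension. The following triage script is an added example (not part of the lab or of any of the extensions named); the manifests it scans are constructed inline, with the Privacy Badger content_scripts block taken from the page and the other two made up for contrast. It flags any content script that matches file:// URLs as high severity and marks broad all-sites patterns for review.

```python
"""Triage WebExtension manifests for risky content_scripts match patterns."""
import json

# file:// injection is the indicator the lab calls out: a content script that
# runs on local HTML pages can read whatever is typed into them.
RISKY_SCHEMES = ("file://",)
# Broad patterns run on every site; not malicious by themselves, but raise priority.
BROAD_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

# Constructed sample manifests (only the keys relevant to this check).
SAMPLE_MANIFESTS = {
    "Privacy Badger": {"content_scripts": [{
        "js": ["js/firstparties/lib/utils.js"],
        "matches": ["https://*/*", "file:///*/*"]}]},
    "Quote of the Day": {"background": {"scripts": ["quote.js"]}},
    "AdGuard": {"content_scripts": [{
        "js": ["content.js"], "matches": ["https://*/*"]}]},
}


def triage_manifest(name: str, manifest: dict) -> list[dict]:
    """Return one finding per content script that uses a risky or broad match."""
    findings = []
    for script in manifest.get("content_scripts", []):
        matches = script.get("matches", [])
        risky = [m for m in matches if m.startswith(RISKY_SCHEMES)]
        broad = [m for m in matches if m in BROAD_PATTERNS]
        if risky or broad:
            findings.append({
                "extension": name,
                "js": script.get("js", []),
                "risky_matches": risky,
                "broad_matches": broad,
                "severity": "high" if risky else "review",
            })
    return findings


def triage_all(manifests: dict) -> list[dict]:
    """Triage every manifest and list high-severity findings first."""
    out = []
    for name, manifest in manifests.items():
        out.extend(triage_manifest(name, manifest))
    return sorted(out, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for finding in triage_all(SAMPLE_MANIFESTS):
        print(json.dumps(finding))
```

On a real host, replace SAMPLE_MANIFESTS with the parsed manifest.json of each extension directory under the browser profile.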

With Privacy Badger loaded in Chrome (not Firefox — the content script fires correctly in Chrome), opening login.html from the Desktop and entering credentials triggers the keylogger. Filtering Wireshark for the C2 port:
```
tcp.port == 14693
```
TCP SYN packets immediately appear attempting to connect to the attacker’s C2 server. The connection fails (all retransmissions — C2 unreachable from lab environment) but the destination IP is captured:
C2 IP: 113[.]62[.]33[.]199

Loading the AdBlock Plus extension into ExtAnalysis and navigating to URLs & Domains reveals 80 unique domains referenced within the extension — useful baseline data for distinguishing normal extension behaviour from malicious outbound connections.

| Type | Value |
|---|---|
| C2 IP | 113[.]62[.]33[.]199 |
| C2 Port | 14693 |
| Malicious Extension | Privacy Badger (trojanized) |
| Keylogger Script | utils.js |