VNC


I discovered that there are two ports up and listening on the loopback address.

Ports 5801 and 5901 are mostly used for VNC. VNC is an open-source, cross-platform remote desktop protocol.

charix@poison:~ % sockstat -l -4 -p 5801
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     xvnc       529   3  tcp4   127.0.0.1:5801        *:*
charix@poison:~ % sockstat -l -4 -p 5901
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     xvnc       529   1  tcp4   127.0.0.1:5901        *:*

I can check for the processes associated with ports 5801 and 5901 using the sockstat command available on FreeBSD.

Both have the same PID, 529, and are running with the root user’s privileges.

charix@poison:~ % ps 529
PID TT  STAT    TIME COMMAND
529 v0- i    0:00.05 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -

It’s a VNC server hosted over HTTP.

This is clearly a privilege escalation vector, as it is running with the highest privilege on the system.
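
The same check, turned into an audit helper a defender could run across FreeBSD hosts (an added example, not part of the original write-up): it reads `sockstat -l -4` output and reports listeners in the VNC port ranges, flagging those owned by root. The function names are hypothetical, and the `alice` and `sshd` rows in the sample are constructed.

```shell
#!/bin/sh
# Read `sockstat -l -4` output on stdin and report listeners in the VNC
# port ranges (58xx = HTTP viewer, 59xx = RFB), with owner and exposure.
audit_vnc_listeners() {
    awk '
    $1 == "USER" { next }                      # skip header rows
    $5 ~ /^tcp/ {
        n = split($6, a, ":")                  # LOCAL ADDRESS is addr:port
        port = a[n] + 0
        addr = substr($6, 1, length($6) - length(a[n]) - 1)
        if (port >= 5800 && port <= 5899)      kind = "http-viewer"
        else if (port >= 5900 && port <= 5999) kind = "rfb"
        else next                              # not a VNC-range port
        scope = (addr == "127.0.0.1") ? "loopback" : "exposed"
        priv  = ($1 == "root") ? "ROOT" : "user"
        printf "%s pid=%s cmd=%s port=%d kind=%s scope=%s\n", \
               priv, $3, $2, port, kind, scope
    }'
}

# Sample input: the first two data rows are from the page, the rest are
# constructed to exercise the non-root, exposed and non-VNC cases.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     xvnc       529   3  tcp4   127.0.0.1:5801        *:*
root     xvnc       529   1  tcp4   127.0.0.1:5901        *:*
alice    Xvnc       812   4  tcp4   *:5902                *:*
root     sshd       620   4  tcp4   *:22                  *:*
EOF
}

# Demo on the sample; on a live host use: sockstat -l -4 | audit_vnc_listeners
sample_sockstat | audit_vnc_listeners
```

A `ROOT` line is the finding to act on: the desktop session behind that listener runs as root, so anyone who can reach the port and authenticate gets a root session, even when the scope is `loopback`.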