Day 11 - Privilege escalation through third-party software: VNC

0x00 Introduction to VNC

VNC (Virtual Network Console) is a remote control tool developed by the AT&T European research laboratory.

0x01 Privilege escalation idea

After VNC is installed, it keeps the VNC password in the registry. You can read the password information from the registry remotely through a webshell, crack the VNC password locally, and then connect remotely to achieve privilege escalation.

0x02 Extraction steps

1. Read the decimal values from the registry

(1) The registry path of RealVNC:

HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\Password

(2) The registry path of UltraVNC:

HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default\password

2. Convert the decimal values to hexadecimal
Online hexadecimal conversion tool: https://www.toolfk.com/tool-convert-hexadecimal

3. Crack the hexadecimal values to get the password
Use the tool vncx4 to crack them.
First open CMD and run vncx4.exe -W, then enter the converted hexadecimal numbers one by one, pressing Enter once after each input.

4. Use the obtained account and password to connect to VNC through a local VNC client. Once the connection succeeds, operating the host remotely achieves the privilege escalation.
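
The whole chain above depends on the web server's account being able to read the stored password value. The following read-only audit is an added example, not part of the original post. It checks the two registry paths named in step 1 and lists which principals outside an allow-list can read them. The function name and the allow-list are assumptions for illustration.

```powershell
# Added example: audit the two registry locations named in this article.
# Read-only: it reports who can read the key, never the stored value itself.
$targets = @(
    @{ Product = 'RealVNC';  Key = 'HKLM:\SOFTWARE\RealVNC\WinVNC4';     Value = 'Password' },
    @{ Product = 'UltraVNC'; Key = 'HKLM:\SOFTWARE\ORL\WinVNC3\Default'; Value = 'password' }
)

# Assumption: only these principals should be able to read the key.
# Adjust to local policy (for example, add the VNC service account).
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# Registry right that lets a principal read values under a key.
$readBit = [System.Security.AccessControl.RegistryRights]::QueryValues

# Hypothetical helper name; returns one object per key that holds a password value.
function Get-VncPasswordExposure {
    foreach ($t in $targets) {
        if (-not (Test-Path -LiteralPath $t.Key)) { continue }   # product not installed

        $item = Get-ItemProperty -LiteralPath $t.Key -Name $t.Value -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }                        # key exists, no stored password

        # Allow entries that grant value reads to anyone outside the allow-list.
        # Inherit-only entries expressed as generic rights do not match this mask.
        $readers = (Get-Acl -LiteralPath $t.Key).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.RegistryRights -band $readBit) -and
                ($allowed -notcontains $_.IdentityReference.Value)
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique

        [pscustomobject]@{
            Product      = $t.Product
            Key          = $t.Key
            ValueName    = $t.Value
            ExtraReaders = $readers -join '; '
            Exposed      = [bool]$readers
        }
    }
}

Get-VncPasswordExposure | Format-List
```

A row with Exposed set to True means an account other than the allow-listed ones, such as the identity a web application runs under, can read the stored password value.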

0x03 Reference Article

https://blog.csdn.net/qq_32108547/article/details/90760702

Origin blog.csdn.net/syy0201/article/details/103745564