This is a medium-level box which I found on this platform, and it's a great box that teaches you about the VNC protocol.

NMAP

PORT 21 (FTP)

There wasn't anything on the FTP server.

PORT 139/445 (SMB)

There weren't any shares that we could access as anonymous.

Running enum4linux-ng, I found one user by the name of one.

PORT 80

Looking at robots.txt

We saw these directories, but they were not on the box. If we scroll down a bit, we will find text written in Brainfuck.

Visiting this directory gives us a sort of wordlist.

Using this wordlist we found a directory.

But we still need to enumerate more.

I ran the wordlist on the directory Level2021.

But I found a static message. I just made a guess about it having a cmd parameter, and I was right.

To get a reverse shell I used the Python rev shell payload.

Then I found a hint in the /home directory.

I tried guessing the password with 0n30n3111 and 0n30n30n3 but failed.

I ran linpeas, and the only thing I could dig out was the port that was open only to localhost.

So we can do SSH port forwarding, but for that we need a valid password for the user one. Going back to .one_secret.txt, we may need to craft a wordlist of passwords with 0n30n3xxx, where xxx will be the random numbers.

I used crunch to make a wordlist of the pattern, knowing the length of the password, which is 9.

Then use this wordlist to brute-force against SSH with the user name one.

Let's connect to port 5901 with netcat.

Searching this on Google results in something to do with VNC (Virtual Network Computing), which is for remote access to a computer, similar to Windows RDP.

Here RFB 003.008 means the remote port is a VNC server and it is up. Now, in order to access this port, we need to do SSH port forwarding.
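To show what that banner encodes, here is an added example (not part of the original write-up) that parses the RFB ProtocolVersion message and the security-type list a 3.7/3.8 server sends next, as laid out in RFC 6143. The function names and the sample security handshake bytes are constructed for illustration; only the banner RFB 003.008 comes from the post.

```python
import re
import struct

# Security-type numbers from RFC 6143 (only the two base types are named here).
SECURITY_TYPES = {1: "None", 2: "VNC Authentication"}
VERSION_RE = re.compile(rb"RFB (\d{3})\.(\d{3})\n")


def parse_protocol_version(banner: bytes) -> tuple[int, int]:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    m = VERSION_RE.fullmatch(banner)
    if m is None:
        raise ValueError("not an RFB ProtocolVersion message")
    return int(m.group(1)), int(m.group(2))


def parse_security_types(data: bytes) -> list[str]:
    """Parse the security handshake: a count byte, then one byte per type."""
    if not data:
        raise ValueError("empty security handshake")
    count = data[0]
    if count == 0:
        # Zero types means the server refused; a length-prefixed reason follows.
        if len(data) < 5:
            raise ValueError("truncated failure reason")
        (length,) = struct.unpack(">I", data[1:5])
        reason = data[5:5 + length].decode("ascii", errors="replace")
        raise ConnectionError(f"server refused connection: {reason}")
    types = data[1:1 + count]
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]


def assess(banner: bytes, security: bytes) -> dict:
    """Summarise what a listener's first two handshake messages reveal."""
    major, minor = parse_protocol_version(banner)
    types = parse_security_types(security)
    return {
        "version": f"{major}.{minor}",
        "security_types": types,
        # A server offering "None" lets anyone who can reach the port connect.
        "unauthenticated": "None" in types,
    }


if __name__ == "__main__":
    # Constructed sample: the banner from the post plus an assumed security
    # handshake that offers only VNC Authentication (type 2).
    print(assess(b"RFB 003.008\n", b"\x01\x02"))
```

Binding the VNC listener to localhost, as on this box, only limits who can reach the port; the security-type list is what shows whether a password is required once it is reached.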

Now if we go to our browser using localhost:5901, we will get this result.

In order to connect to VNC we need a password. By default it is saved in $HOME/.vnc/passwd, but in this case it isn't configured to be saved there, so we may need to find the password file on the target machine.

In one's directory we can see ... which is a folder

Here remote_level is the encrypted password file for connecting to VNC.
