
THM Advent of Cyber - Day 5

Moving on in our quest to find the person trying to ruin Christmas we arrive on the fifth day, which seems to revolve around bruteforcing, so let’s get rocking!

Use Hydra to find the VNC password of the target with IP address MACHINE_IP. What is the password?

Once both the AttackBox and target host are up we’ll start off by running a simple nmap scan to figure out what’s running on the target host. We can see that both SSH and VNC are up and available, and either one could offer us a way into the system.

In this instance we’ll be using THC Hydra to bruteforce our way in, and as is pretty typical for CTF scenarios the wordlist used will be the ever-popular RockYou.txt. We’re given the username alexander to make things a bit more straightforward, and by running the command hydra -l alexander -P /usr/share/wordlists/rockyou.txt $MACHINE_IP ssh we can start the attack against the SSH service running on the target host. After just a few seconds we’ll get the correct password for the user account, but since we’re asked for the VNC credentials let’s modify our command a little to find those instead. First we’ll replace ssh with vnc, and since VNC doesn’t use usernames we need to drop the -l alexander part as well.

A little while later we’ll be shown the password to the VNC service, and that password is the correct answer to this question.
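
What the SSH run above looks like from the target's side, as an added example that is not part of the original walkthrough: a Python detector that flags a source IP with a burst of failed sshd logins and records whether a login then succeeded. The log lines, hostnames, IP addresses, threshold and time window are constructed assumptions, not values from the room.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log lines (OpenSSH syslog format); hosts and IPs are made up.
SAMPLE_LOG = """\
Dec  5 10:00:01 target sshd[1201]: Failed password for alexander from 10.10.0.5 port 40112 ssh2
Dec  5 10:00:01 target sshd[1202]: Failed password for alexander from 10.10.0.5 port 40114 ssh2
Dec  5 10:00:02 target sshd[1203]: Failed password for alexander from 10.10.0.5 port 40116 ssh2
Dec  5 10:00:02 target sshd[1204]: Failed password for alexander from 10.10.0.5 port 40118 ssh2
Dec  5 10:00:03 target sshd[1205]: Failed password for alexander from 10.10.0.5 port 40120 ssh2
Dec  5 10:00:03 target sshd[1206]: Failed password for alexander from 10.10.0.5 port 40122 ssh2
Dec  5 10:00:04 target sshd[1207]: Accepted password for alexander from 10.10.0.5 port 40124 ssh2
Dec  5 10:07:30 target sshd[1300]: Failed password for maria from 10.10.0.9 port 51800 ssh2
Dec  5 10:07:41 target sshd[1301]: Accepted password for maria from 10.10.0.9 port 51802 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed logins inside the window.
    Returns {ip: {"failures": total, "success_user": user or None}}, where
    success_user is set if a login succeeded after the burst was flagged.
    """
    failures = defaultdict(list)  # ip -> timestamps of failed logins
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed one is fine for time deltas.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip].append(ts)
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                findings.setdefault(ip, {"failures": 0, "success_user": None})
                findings[ip]["failures"] = len(failures[ip])
        elif ip in findings:
            findings[ip]["success_user"] = m["user"]
    return findings

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

A finding with success_user set is the case that matters most to a responder: the guessing stopped because it worked, so that account's password needs rotating and its session needs review.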

Using a VNC client on the AttackBox, connect to the target of IP address MACHINE_IP. What is the flag written on the target’s screen?

Since we now know the password to VNC on the target host we might as well log in and see what damage we can cause. Firing up Remmina, changing the protocol to VNC and inputting the target IP lets us log in. After punching in the password the VNC connection opens and we can see the flag for this question on the lower right side of the display. Boom, done.

This post is licensed under CC BY 4.0 by the author.