TryHackMe Advent of Cyber 4 → DAY 5

Amol Rangari
Dec 6, 2022

Elf McSkidy asked Elf Recon McRed to search for any backdoor that the Bandit Yeti APT might have installed. If any such backdoor is found, we would learn that the bad guys might be using it to access systems on Santa’s network.

Objectives of DAY -5

  • Learn about common remote access services.
  • Recognize a listening VNC port in a port scan.
  • Use a tool to find the VNC server’s password.
  • Connect to the VNC server using a VNC client.

The task for Day 5 is all about remote access services. If you have solved any rooms on TryHackMe or boxes on HackTheBox, you must have come across various remote access services like

  1. SSH
  2. RDP
  3. VNC

SSH stands for Secure Shell. It was initially used in Unix-like systems for remote login. It provides the user with a command-line interface (CLI) that can be used to execute commands.

RDP stands for Remote Desktop Protocol; it is also known as Remote Desktop Connection (RDC) or simply Remote Desktop (RD). It provides a graphical user interface (GUI) to access an MS Windows system. When using Remote Desktop, the user can see their desktop and use the keyboard and mouse as if sitting at the computer.

VNC stands for Virtual Network Computing. It provides access to a graphical interface which allows the user to view the desktop and (optionally) control the mouse and keyboard. VNC is available for any system with a graphical interface, including MS Windows, Linux, and even macOS, Android and Raspberry Pi.

The key learnings from this task are authentication and password attacks.

You can read more details about it on the day -5 task page.

Let us jump to the tasks for this challenge!

For this task we need to either use the AttackBox or connect our own system to THM over the VPN, as described in the access section.

We run a simple nmap scan on the target machine

nmap -sS <MACHINE_IP>

The scan shows two open services on this machine: SSH and VNC.

We can use the Hydra tool to try to brute force the login.

Hydra needs wordlists: either we already know the username and brute force only the password, or we brute force both.

We can see that we have to use the username “alexander” to try to get the password. You can follow the steps and use the following command to get credentials for SSH

hydra -l alexander -P /usr/share/wordlists/rockyou.txt ssh://10.10.83.220 -V

Q1 Use Hydra to find the VNC password of the target with IP address 10.10.83.220. What is the password?

We can use the same command, replacing ssh with vnc, to brute force the VNC password.

hydra -P /usr/share/wordlists/rockyou.txt vnc://<MACHINE_IP> -V -f -t 4

Here we use the -f option so that Hydra stops running as soon as it successfully finds a password!

Now that we have the password, we can move to the next part and connect to the VNC Server.

We can use the Remmina client in the AttackBox to connect to the VNC Server.

We simply have to choose the service and enter the IP, as shown below

We get a dialog box prompting us to enter the password. We enter the password that we found using Hydra!

Q2 Using a VNC client on the AttackBox, connect to the target of IP address 10.10.83.220. What is the flag written on the target’s screen?

Once we are logged in, we can see the flag written on the screen!

And there we go! DAY -5 is done!!!

We are going to cover the full Advent of Cyber event again just like last year!

Follow us for more Writeups and Stories!!

https://linktr.ee/alexhack
