Misc | Medium | Windows
VHL — React
Abyss Web Server on Windows with VNC exposed. Brute-forced VNC password to gain GUI access and escalated to SYSTEM via service abuse.
February 14, 2025 | Virtual Hacking Labs
#VNC #Abyss Web Server #Brute Force #SYSTEM
nmap
sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.188
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-14 01:55 EST
Nmap scan report for 10.11.1.188
Host is up (0.022s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Abyss httpd 2.11.1-X1 (AbyssLib/2.11)
|_http-server-header: Abyss/2.11.1-X1-Win32 AbyssLib/2.11
|_http-title: Welcome to Abyss Web Server
5800/tcp open http-proxy sslstrip
5900/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
| VNC Authentication (2)
| Tight (16)
| Tight auth subtypes:
|_ STDV VNCAUTH_ (2)
9999/tcp open http Abyss httpd 2.11.1-X1 (AbyssLib/2.11)
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: Abyss/2.11.1-X1-Win32 AbyssLib/2.11
| http-title: Language
|_Requested resource was http://10.11.1.188:9999/console/language
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
No OS matches for host
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE
HOP RTT ADDRESS
1 22.14 ms 10.11.1.188
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.47 seconds
80
sh
80/tcp open http Abyss httpd 2.11.1-X1 (AbyssLib/2.11)
|_http-server-header: Abyss/2.11.1-X1-Win32 AbyssLib/2.11
|_http-title: Welcome to Abyss Web Server
5900
sh
5900/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
| VNC Authentication (2)
| Tight (16)
| Tight auth subtypes:
|_ STDV VNCAUTH_ (2)
9999
sh
9999/tcp open http Abyss httpd 2.11.1-X1 (AbyssLib/2.11)
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: Abyss/2.11.1-X1-Win32 AbyssLib/2.11
| http-title: Language
|_Requested resource was http://10.11.1.188:9999/console/language
default credentials Abyss Web Server X1 (v 2.11.1)
admin:admin

reload configuration






vnc.txt

vnc connection
sh
vncviewer 10.11.1.188::5900
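The vnc-info output in the scan above shows port 5900 offering VNC Authentication (2), the password-only scheme that the brute force in this writeup targeted. As an added example (not part of the original writeup), this Python check parses nmap output and flags VNC ports that offer a weak security type; `audit_vnc`, `WEAK_TYPES` and `SCAN` are names made up for this illustration.

```python
import re

# RFB security types a client can pick that give weak or no protection.
# 1 = None, 2 = VNC Authentication (DES challenge-response; the password
# is effectively limited to 8 characters).
WEAK_TYPES = {1: "no authentication", 2: "8-character DES password only"}

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
TYPE_RE = re.compile(r"^\|[\s_]*(.+?) \((\d+)\)\s*$")

def audit_vnc(nmap_text):
    """Map each open VNC port to its offered security types and weak ones."""
    results, port, in_types = {}, None, False
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:  # a new port line ends the previous port's script output
            port = int(m.group(1)) if m.group(2) == "vnc" else None
            in_types = False
            if port is not None:
                results[port] = {"offered": {}, "weak": []}
            continue
        if port is None:
            continue
        if "Security types:" in line:
            in_types = True
        elif "auth subtypes:" in line:
            in_types = False  # subtype lines are not top-level security types
        elif in_types and (m := TYPE_RE.match(line)):
            results[port]["offered"][int(m.group(2))] = m.group(1)
    for info in results.values():
        # The client chooses the type, so one weak offer is enough to flag.
        info["weak"] = [WEAK_TYPES[t] for t in sorted(info["offered"]) if t in WEAK_TYPES]
    return results

# Port lines and vnc-info output taken from the scan on this page.
SCAN = """\
5800/tcp open http-proxy sslstrip
5900/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
| VNC Authentication (2)
| Tight (16)
| Tight auth subtypes:
|_ STDV VNCAUTH_ (2)
9999/tcp open http Abyss httpd 2.11.1-X1 (AbyssLib/2.11)
"""

if __name__ == "__main__":
    for p, info in audit_vnc(SCAN).items():
        print(p, info["offered"], "WEAK: " + "; ".join(info["weak"]) if info["weak"] else "ok")
```

A port that offers only an encrypted type such as VeNCrypt (19) comes back with an empty `weak` list.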