Hijack X11 session

The presence of .Xauthority and .xsession files in the home directory indicate that a display might be configured. It is possible to confirm this by checking the presence of the user LightDM in the /etc/passwd file. The .Xauthority file is used to store credentials in the form of cookies used by xauth when authenticating X sessions. When a session is started, the cookie is then used to authenticate the subsequent connections to that specific display. With that in mind, if an access to the .Xauthority file, it is then possible to steal the cookie and therefore act as the authenticated user and interact with the display.

First, get the content of the .Xauthority file:

cat /home/<user>/.Xauthority | base64

Paste the encoded cookie and decode it into a file in the /tmp folder:

echo "<base64>" > /tmp/.Xauthority

Setting the cookie is as easy as pointing the environment variable XAUTHORITY to our cookie file.

export XAUTHORITY=/tmp/.Xauthority

Now, interact with the display, since the session is hijacked. In order to see what is happening on the display, take a screenshot and open it locally. To do that, it is needed to know which display the hijacked user is using, which can be done using the w command.

w

In the FROM column, we can see that the display used is :0 .

Now use the xwd command, which simply dumps an image of an X window, to get a screenshot of the display in its current state.

xwd -root -screen -silent -display :0 > /tmp/screen.xwd

Download the file locally to inspect the screenshot. Convert the screenshot into a png file by using ImageMagick's convert tool.

convert screen.xwd screen.png

The screenshot can now be opened as a PNG file.