Mouse Trap is a CTF that combines red and blue team perspectives: you both exploit a vulnerability and investigate the attack patterns of the same exploit.

To begin with, let’s detect open ports of our target using Nmap:
We can see multiple ports open:

SMB — could not access.
5895 + 47001 — could not perform any enumeration.
RDP — could not access due to lack of credentials.
7680 — did not run any known service or have a known vulnerability.

After much investigation of each, I found almost all ports useless, except 9099.

This port runs the Mobile Mouse Service.

In short:

Mobile Mouse Service typically refers to a tool or app that allows you to use your smartphone as a wireless mouse, keyboard, or remote control for a computer.

Looking for an RCE exploit, I found the correct CVE for it right away

The syntax for this command is:

python exploit.py --target --lhost --file

One prerequisite for the exploit to work is a shell file (the third argument) that will be used to gain us a reverse shell.

We can use Msfvenom for this.

Privilege Escalation
According to the task, we need to exploit an Unquoted Service Path vulnerability, and we need to use the Mobile Mouse folder to achieve this.

Using SharpUp, we can see it is the “Mobile Mouse Service”.
We can query the service to see more details about it:

Now we have the full path for it.

The vulnerability works because the path is not quoted and contains spaces: Windows tries to execute each part of the path in turn until it reaches the end.

In our example, the binary path is:

C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe

Therefore, the system will try to execute the binary in the following order:

C:\Program.exe
C:\Program Files (x86)\Mobile.exe
C:\Program Files (x86)\Mobile Mouse\Mouse.exe
C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe

Therefore, we can either put our malicious code under:

1. The C:\ directory
2. The Program Files directory
3. The Mobile Mouse directory

Options 1 and 2 are not viable as we don't have write permissions, so we have only option 3. To exploit, we need to create a file named Mouse.exe and place it in the “Mobile Mouse” directory.

So, when we start the service for HelperService.exe, Windows will walk along the path to execute it, but now, instead of HelperService.exe, it will run Mouse.exe due to the vulnerability.
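The search order described above can be turned into an audit check. The following Python is an added example, not part of the original writeup: it splits at every space, so it also lists `C:\Program Files.exe`, which the list above skips. `candidate_paths`, `audit` and `SAMPLE_SERVICES` are hypothetical names, and every sample path except the Mobile Mouse one is constructed.

```python
import re

def candidate_paths(image_path: str) -> list[str]:
    """Return, in order, the executables Windows tries for a service ImagePath.

    A quoted path, or an unquoted one without spaces, yields a single entry.
    """
    raw = image_path.strip()
    if raw.startswith('"'):
        # Quoted: the executable is exactly what sits between the quotes.
        end = raw.find('"', 1)
        return [raw[1:end] if end != -1 else raw[1:]]
    # Unquoted: the intended binary ends at the first ".exe" followed by
    # whitespace or end of string; anything after that is arguments.
    m = re.search(r"\.exe(?=\s|$)", raw, re.IGNORECASE)
    exe = raw[:m.end()] if m else (raw.split() or [""])[0]
    tried = []
    for i, ch in enumerate(exe):
        if ch == " ":
            # Each space is a point where the path can be cut short,
            # with ".exe" appended to the prefix.
            tried.append(exe[:i] + ".exe")
    tried.append(exe)  # the intended binary is tried last
    return tried

def audit(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each at-risk service to the hijackable paths tried before its binary."""
    findings = {}
    for name, image_path in services.items():
        early = candidate_paths(image_path)[:-1]
        if early:
            findings[name] = early
    return findings

# Constructed sample data; only the first path comes from the writeup.
SAMPLE_SERVICES = {
    "Mobile Mouse Service":
        r"C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\HelperService.exe",
    "QuotedExample": r'"C:\Program Files\Example App\svc.exe" -run',
    "NoSpaceExample": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for svc, paths in audit(SAMPLE_SERVICES).items():
        print(svc)
        for p in paths:
            print("  tried before the real binary:", p)
```

A service flagged here is fixed by wrapping the executable in its ImagePath in double quotes, and by removing non-administrator write access from the directories that hold the listed paths.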

To begin, let’s create our malicious script to gain an elevated reverse shell, once again with Msfvenom.