Mouse Trap

Premium room

Follow Jom and Terry on their purple teaming adventures, emulating attacks and investigating the leftover artefacts.

easy

90 min


In the world of cyber security, we often talk about a game of cat and mouse.

Follow the adventures of Jom and Terry, members of the TryMouseMe purple team, as they work through a thrilling exercise of Attack and Defense. From initial access to persistence, you will emulate a three-stage attack on a Windows environment.

Attack Emulation

Click the green Start Machine button to start the machine above.

Please give the VM 5 minutes to boot up.

While you wait for the machine to start, familiarise yourself with the attack chain and engagement information below.

Note: It is highly recommended to use the AttackBox for this task.

Attack Chain

To test the capabilities of the blue team, you have been tasked to use the following TTPs to compromise the target:

Tactic: TA001: Initial Access
Technique: Exploit Public-Facing Application (T1190)
Procedure: After finding a vulnerable service, you will get a user shell via remote code execution.

Tactic: TA004: Privilege Escalation
Technique: Path Interception by Unquoted Path (T1574.009)
Procedure: You will then escalate your privileges through an unquoted service path.

Tactic: TA003: Persistence
Techniques: Registry Run Keys / Startup Folder (T1547.001); Create Account: Local Account (T1136.001)
Procedure: Finally, you will maintain persistence thanks to registry run keys and local user account creation.

Engagement Specifications

So that the blue team can effectively detect the activities conducted during the emulation, the following requirements fix the specific Indicators of Compromise (IOCs) and must be followed while executing each attack vector:

Technique: Remote code execution
Requirements:
  • Once you’ve found the CVE and exploit, use the version that uses SMB, not HTTP
  • Generate a Windows stageless reverse TCP (x64) shell
  • Ensure that your reverse shell is called shell.exe

Technique: Unquoted service path
Requirements:
  • Use SharpUp.exe for enumeration, located in C:\Users\purpletom
  • Target the Mobile Mouse directory while executing the unquoted service path abuse

Technique: Registry run keys and local account creation
Requirements:
  • Use the HKEY_CURRENT_USER registry hive
  • Use the SYSTEM user when creating the run key persistence
  • Specify the registry key name (shell)
  • Use the following path for the payload (C:\Windows\Temp\shell.exe)
  • Specify the name of the backdoor user (terry)
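The engagement specification above pins down exactly what the blue team should be able to find afterwards: a service with an unquoted ImagePath under the Mobile Mouse directory, an HKEY_CURRENT_USER Run value named shell pointing at C:\Windows\Temp\shell.exe, and a newly created local user terry. The following script is an added example for this page, not part of the TryHackMe room or its checker script; it runs the three corresponding detection checks over constructed sample data (a hypothetical service table, Run-key values and flattened Security-log lines standing in for what a defender would collect from the host with Get-Service, reg query and event ID 4720).

```python
"""Detection checks for the three IOC classes in the engagement specification.

Added example for this walkthrough page; all data below is constructed and
the service/registry/log samples are hypothetical stand-ins for host data.
"""
import re

# --- constructed sample data (hypothetical) ---------------------------------

# Service name -> ImagePath value, as a defender might dump from the registry.
SERVICES = {
    "MobileMouseService": r"C:\Program Files (x86)\Mobile Mouse\Mouse Utilities\MobileMouseService.exe",
    "BenignQuoted": r'"C:\Program Files\Vendor App\svc.exe" -run',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}

# Run-key values as (hive, key path, value name, data).
RUN_KEYS = [
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run",
     "shell", r"C:\Windows\Temp\shell.exe"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r"C:\Users\purpletom\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

# Constructed Security-log lines flattened to key=value pairs.
SECURITY_LOG = """\
EventID=4624 TargetUserName=purpletom LogonType=2
EventID=4720 TargetUserName=terry SubjectUserName=SYSTEM
EventID=4732 TargetUserName=terry GroupName=Administrators
"""

# --- detection 1: unquoted service paths (T1574.009) ------------------------

EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def is_unquoted_service_path(image_path: str) -> bool:
    """True when an unquoted ImagePath has a space in its executable portion.

    Windows then tries each space-delimited prefix as a binary, so a writable
    intermediate directory lets an attacker hijack the service.
    """
    if image_path.startswith('"'):
        return False
    m = EXE_RE.match(image_path)
    exe_part = m.group(1) if m else image_path  # ignore command-line arguments
    return " " in exe_part


def find_unquoted_services(services: dict) -> list:
    """Return the names of services whose ImagePath is vulnerable."""
    return sorted(n for n, p in services.items() if is_unquoted_service_path(p))


# --- detection 2: Run-key persistence (T1547.001) ---------------------------

TEMP_PAYLOAD_RE = re.compile(r"^C:\\Windows\\Temp\\[^\\]+\.exe", re.IGNORECASE)


def find_suspicious_run_keys(run_keys: list) -> list:
    r"""Flag Run values launching a binary from C:\Windows\Temp or named 'shell'."""
    return [
        (hive, key, name, data)
        for hive, key, name, data in run_keys
        if TEMP_PAYLOAD_RE.match(data) or name.lower() == "shell"
    ]


# --- detection 3: local account creation (T1136.001) ------------------------

EVENT_RE = re.compile(r"EventID=(\d+)\s+TargetUserName=(\S+)")


def find_created_accounts(log_text: str) -> list:
    """Return user names from event ID 4720 (a user account was created)."""
    created = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m and m.group(1) == "4720":
            created.append(m.group(2))
    return created


if __name__ == "__main__":
    print("unquoted service paths:", find_unquoted_services(SERVICES))
    print("suspicious run keys:", find_suspicious_run_keys(RUN_KEYS))
    print("created accounts:", find_created_accounts(SECURITY_LOG))
```

The unquoted-path check deliberately looks only at the executable portion of the ImagePath, so a space inside the arguments (which cannot be hijacked) is not reported; the Run-key check matches on both the payload location and the value name because either alone is enough to flag this engagement's persistence.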
Answer the questions below
What is the user flag after getting initial access?

What is the administrator flag located on the Desktop?

After achieving persistence, run the checker script on the desktop. What is the flag?
