Machine: Vulnescape
Difficulty: Easy
OS: Windows
Lab Link: https://app.hackthebox.com/machines/VulnEscape

TL;DR

Bypassed RDP Network Level Authentication to access kiosk-locked Windows machine. Escaped kiosk restrictions by accessing file system through Microsoft Edge browser. Renamed cmd.exe to bypass application whitelist. Extracted credentials from RDP Plus profiles and used BulletsPassView to reveal hidden passwords. Escalated to Administrator using GUI UAC bypass.


Network Enumeration

Target IP: 10.129.24.229
Attacker IP: 10.10.14.92


nmap -sCV 10.129.24.229 -oA vulnescape_scan

Open Ports:

  • 3389/tcp - Microsoft Terminal Services (RDP)
PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-07-08T17:52:08+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: ESCAPE
|   NetBIOS_Domain_Name: ESCAPE
|   NetBIOS_Computer_Name: ESCAPE
|   DNS_Domain_Name: Escape
|   DNS_Computer_Name: Escape
|   Product_Version: 10.0.19041
|_  System_Time: 2025-07-08T17:52:03+00:00
| ssl-cert: Subject: commonName=Escape
| Not valid before: 2025-04-10T06:20:36
|_Not valid after:  2025-10-10T06:20:36
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Initial Access

Bypassing Network Level Authentication

Standard RDP connection (fails):


xfreerdp /v:10.129.24.229 /dynamic-resolution +clipboard

Prompts for domain/password credentials we don’t have.

Bypass NLA:


xfreerdp /v:10.129.24.229 /dynamic-resolution +clipboard -sec-nla

[Screenshot: NLA bypass success]

Success! Logged in as KioskUser0 without password.

Kiosk Environment Escape

The desktop is locked down (kiosk mode). Standard applications are restricted.

Windows key still functional - opens Start menu.

Search for Microsoft Edge:

[Screenshot: Microsoft Edge available]

Edge browser opens successfully.

File System Access via Browser

Navigate to C:\ in Edge address bar:

[Screenshot: File explorer access]

User flag obtained from Desktop.

Interesting Discovery

Found _admin folder containing profiles.xml:

[Screenshot: Credentials hash]

Contains encrypted credentials - note for later use.

Command Prompt Access

Navigate to C:\Windows\System32 to access cmd.exe:

[Screenshot: Download prompt]

Clicking cmd.exe triggers download prompt (file explorer opens).

Application whitelist prevents execution:

[Screenshot: Execution blocked]

Whitelist Bypass

Strategy: Rename cmd.exe to whitelisted application name.

Press F2 on cmd.exe and rename to msedge.exe (since Edge is whitelisted):

[Screenshot: Renamed to msedge]

Success! Command prompt opens.
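The rename trick above works against any allow-list that matches on file name or path. The detection counterpart, as an added defensive example that is not part of the original writeup: Sysmon process-creation events (Event ID 1) carry the OriginalFileName taken from the executable's version resource, which a rename on disk does not change, so a renamed cmd.exe shows up with Image ending in msedge.exe and OriginalFileName Cmd.Exe. The script assumes Sysmon is installed with process-creation logging enabled, and the watch list of binary names is a constructed starting point.

```powershell
# Added example, not from the original writeup: hunt for system binaries that were
# renamed on disk, the trick used above to turn cmd.exe into "msedge.exe".
# Sysmon Event ID 1 (process creation) records OriginalFileName from the PE's
# version resource, which a rename on disk does not change, so the renamed copy
# logs Image=...\msedge.exe with OriginalFileName=Cmd.Exe. Requires Sysmon
# (v8 or later, which added the field) with process creation logging enabled.

function Get-RenamedProcessEvents {
    param(
        [int]$MaxEvents = 5000,
        # Constructed watch list: original names worth alerting on when they run
        # under a different file name.
        [string[]]$WatchList = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'rundll32.exe',
                                 'regsvr32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe')
    )

    # Newest events first; -ErrorAction Stop surfaces a missing or empty Sysmon log.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'
        Id      = 1
    } -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # Flatten the <Data Name="...">value</Data> entries into a hashtable.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $image    = $data['Image']
        $original = $data['OriginalFileName']
        # Binaries without a version resource log '-' or '?'; nothing to compare.
        if (-not $image -or -not $original -or $original -in @('-', '?')) { continue }

        $onDisk = [System.IO.Path]::GetFileName($image).ToLowerInvariant()
        $pe     = $original.ToLowerInvariant()

        # Alert when the name on disk differs from what the binary says it is.
        if ($onDisk -ne $pe -and $WatchList -contains $pe) {
            [pscustomobject]@{
                TimeCreated      = $e.TimeCreated
                User             = $data['User']
                Image            = $image
                OriginalFileName = $original
                CommandLine      = $data['CommandLine']
                ParentImage      = $data['ParentImage']
            }
        }
    }
}

# Example run: list every match among the most recent events.
Get-RenamedProcessEvents | Format-Table -AutoSize
```

The native Security log's 4688 event does not include OriginalFileName, so this hunt needs Sysmon (or an EDR that records the same field). Legitimate Edge passes the check because msedge.exe's own OriginalFileName is msedge.exe. An AppLocker or WDAC policy that allows by publisher signature or hash rather than by path removes the rename trick altogether, since the renamed file still carries cmd.exe's signature.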

PowerShell Upgrade

Standard commands produce noisy output:

[Screenshot: Command errors]

Switch to PowerShell:


powershell

[Screenshot: PowerShell access]

Clean execution environment achieved.

Credential Extraction

RDP Plus Discovery

Found in C:\Program Files (x86)\Remote Desktop Plus:


rdp.exe

Recall: Encrypted credentials in profiles.xml

Import Profiles

  1. Copy profiles.xml to Downloads folder (accessible via file explorer)
  2. Open RDP Plus
  3. Navigate to: Manage Profiles → Import Profiles
  4. Select profiles.xml from Downloads

[Screenshot: Imported profiles]

[Screenshot: Profile with hidden password]

BulletsPassView

Password is hidden with bullet points. Use BulletsPassView to reveal.

[Screenshot: BulletsPassView tool]

Transfer via clipboard (enabled with +clipboard in xfreerdp):

Drag and drop BulletsPassView from attacker machine to target’s Downloads folder.

[Screenshot: BulletsPassView in Downloads]

Execute from PowerShell:


.\BulletsPassView.exe

[Screenshot: Password revealed]

Password obtained: Twisting3021

Privilege Escalation

RunAs with Credentials


runas /user:Administrator powershell

[Screenshot: RunAs execution]

Success! PowerShell running as Administrator.

GUI UAC Bypass

Since we have GUI access, we can bypass UAC easily:


Start-Process powershell -Verb runas

[Screenshot: UAC prompt]

GUI UAC prompt appears - accept it.

[Screenshot: Root access]

🎉 Administrator access obtained! Machine pwned!


Key Takeaways

  1. NLA Bypass - the client-side -sec-nla option only turns NLA off on our end; the connection succeeds because the server is configured to accept non-NLA sessions, which hands an unauthenticated client a session where KioskUser0 is logged in without a password
  2. Kiosk Escape - Web browsers can provide file system access in restricted environments
  3. Application Whitelist Bypass - Renaming executables to whitelisted names circumvents restrictions that match on file name or path rather than on publisher signature or hash
  4. BulletsPassView - Reveals passwords hidden behind bullet points by reading the plaintext straight out of the password edit control
  5. GUI UAC Bypass - Start-Process -Verb runas from a shell that already holds the Administrator credentials triggers the normal UAC consent prompt, and an interactive session can simply click through it
  6. Defense Recommendations:
    • Enable and properly configure Network Level Authentication (require it on the server; a client option cannot skip NLA that is enforced)
    • Implement strict application whitelisting by hash/signature, not filename
    • Disable file system access through web browsers in kiosk mode
    • Use credential managers that never load a stored password back into a GUI password field, since that is exactly what BulletsPassView reads
    • Implement proper UAC policies (keep UAC enabled and prompt on the secure desktop)
    • Monitor for renamed system executables (Sysmon process-creation events record the binary's original file name)
    • Use Windows Defender Application Control (WDAC)
    • Disable clipboard redirection in RDP for kiosk environments
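To turn the recommendations above into something checkable, here is an added audit script that is not part of the original writeup. Each check is a registry value with the hardened value expected (the paths are the ones the matching Group Policy settings write to), plus a WDAC enforcement check via the DeviceGuard WMI class. It assumes it is run from an elevated PowerShell on the Windows host; the check names and the -Remediate switch are this example's own.

```powershell
# Added example, not from the original writeup: audit (and optionally set) the
# host settings behind the takeaways above. Every check is a registry value and
# the hardened value(s) expected; the paths are the ones the matching Group
# Policy settings write to. Run from an elevated PowerShell. -Remediate writes
# the first expected value for any failing check (on a domain member, set it via
# GPO instead or the next policy refresh will overwrite it).

$Checks = @(
    @{ Name     = 'RDP requires Network Level Authentication'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Value    = 'UserAuthentication'
       Expected = @(1) },
    @{ Name     = 'RDP security layer is TLS (2), not legacy RDP security'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Value    = 'SecurityLayer'
       Expected = @(2) },
    @{ Name     = 'RDP clipboard redirection disabled by policy'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Value    = 'fDisableClip'
       Expected = @(1) },
    @{ Name     = 'UAC enabled'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value    = 'EnableLUA'
       Expected = @(1) },
    @{ Name     = 'UAC admin prompt on secure desktop (1 = credentials, 2 = consent)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value    = 'ConsentPromptBehaviorAdmin'
       Expected = @(1, 2) },
    @{ Name     = 'UAC prompts are shown on the secure desktop'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value    = 'PromptOnSecureDesktop'
       Expected = @(1) }
)

function Test-KioskHardening {
    param([switch]$Remediate)

    foreach ($c in $Checks) {
        $actual = $null
        try {
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction Stop).($c.Value)
        } catch { }   # missing key or value: treated as not configured

        $ok = ($null -ne $actual) -and ($c.Expected -contains $actual)
        if (-not $ok -and $Remediate) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected[0] -Type DWord
            $actual = $c.Expected[0]
            $ok = $true
        }
        $status = if ($ok) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Check = $c.Name; Actual = $actual; Expected = ($c.Expected -join '/'); Status = $status }
    }

    # WDAC user-mode enforcement, reported by the DeviceGuard WMI class:
    # 0 = off, 1 = audit mode, 2 = enforced. Only enforced mode blocks a renamed cmd.exe.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $umci = if ($dg) { $dg.UsermodeCodeIntegrityPolicyEnforcementStatus } else { $null }
    $status = if ($umci -eq 2) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Check = 'WDAC user-mode policy enforced'; Actual = $umci; Expected = '2'; Status = $status }
}

# Example run: report only. Add -Remediate to apply the expected values.
Test-KioskHardening | Format-Table -AutoSize
```

Requiring NLA (UserAuthentication = 1) is the setting that makes the -sec-nla connection in this writeup fail before it reaches the desktop, and fDisableClip = 1 removes the clipboard channel used to ferry BulletsPassView onto the box. The WDAC check is deliberately strict: audit mode (1) logs the renamed cmd.exe but still lets it run.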