This machine was released on the Hack The Box platform today, July 8th 2025.
We first gain entry by bypassing Network Level Authentication (NLA) on RDP. Next, we are presented with a machine that is locked down (it is being used as a kiosk). We navigate through the environment by opening Microsoft Edge and traversing the directories via the browser. We are able to download cmd.exe from System32 and rename it to msedge so we can run it. From there, we perform some bypasses to view passwords masked with bullet characters and utilize a GUI UAC bypass to get root.
Let’s go ahead and give it a whirl!
https://app.hackthebox.com/machines/VulnEscape
Enumeration
Target IP: 10.129.24.229
Attacker IP: 10.10.14.92
nmap -sCVS 10.129.24.229
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-07-08T17:52:08+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: ESCAPE
| NetBIOS_Domain_Name: ESCAPE
| NetBIOS_Computer_Name: ESCAPE
| DNS_Domain_Name: Escape
| DNS_Computer_Name: Escape
| Product_Version: 10.0.19041
|_ System_Time: 2025-07-08T17:52:03+00:00
| ssl-cert: Subject: commonName=Escape
| Not valid before: 2025-04-10T06:20:36
|_Not valid after: 2025-10-10T06:20:36
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
This is something new: we only have access to TCP port 3389.
We try to connect to the target via xfreerdp.
xfreerdp /v:10.129.24.229 /dynamic-resolution +clipboard
This does not work, however; it prompts us for a domain and password that we do not have. We can instead attempt to log in to our target while bypassing Network Level Authentication by using the -sec-nla flag. The flag only disables NLA on the client side, so this works solely because the server does not require NLA and presents its logon screen before any credentials are checked.
xfreerdp /v:10.129.24.229 /dynamic-resolution +clipboard -sec-nla
This works for us. We log in to the machine as user KioskUser0 without any password.
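The weakness exploited above is a server-side setting, so the check a defender wants is whether the RDP listener enforces NLA. The following PowerShell is an added example, not part of the original writeup; it audits and, optionally, remediates the listener using the documented Win32_TSGeneralSetting class and its registry mirror. The listener name RDP-Tcp is the Windows default and is an assumption about the host being audited.

```powershell
# Added example (not from the original writeup): audit whether an RDP listener
# requires Network Level Authentication. Run locally on the Windows host being checked.
# A client flag such as xfreerdp's -sec-nla only succeeds when the server does not
# enforce NLA, so the server-side setting is the one a defender controls.

function Get-RdpNlaStatus {
    [CmdletBinding()]
    param(
        [string]$TerminalName = 'RDP-Tcp'   # default listener name; assumption for this audit
    )

    # Listener settings are exposed through the TerminalServices CIM namespace.
    $setting = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='$TerminalName'"

    # The same value is mirrored in the registry; read it as a cross-check.
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\$TerminalName"
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TerminalName               = $TerminalName
        # 1 = NLA required (CredSSP before the logon screen), 0 = logon screen reachable pre-auth
        UserAuthenticationRequired = $setting.UserAuthenticationRequired
        # 0 = RDP security layer, 1 = negotiate, 2 = TLS only
        SecurityLayer              = $setting.SecurityLayer
        RegistryUserAuthentication = $reg.UserAuthentication
        # Both sources must agree that NLA is on before we call it enforced.
        NlaEnforced                = ($setting.UserAuthenticationRequired -eq 1 -and $reg.UserAuthentication -eq 1)
    }
}

function Set-RdpNlaRequired {
    # Remediation: require NLA on the listener. Needs an elevated session.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$TerminalName = 'RDP-Tcp')

    $setting = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='$TerminalName'"

    if ($PSCmdlet.ShouldProcess($TerminalName, 'Require Network Level Authentication')) {
        # SetUserAuthenticationRequired is the documented method on Win32_TSGeneralSetting.
        Invoke-CimMethod -InputObject $setting -MethodName SetUserAuthenticationRequired `
            -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    }
}

# Usage
$status = Get-RdpNlaStatus
$status | Format-List
if (-not $status.NlaEnforced) {
    Write-Warning "NLA is not enforced on $($status.TerminalName); the logon screen is reachable without credentials."
    # Set-RdpNlaRequired -WhatIf   # preview first, then run without -WhatIf to remediate
}
```

With NLA enforced, a client that refuses CredSSP is disconnected before it ever sees the logon screen, which removes the entry point used in this writeup; the SecurityLayer value is reported as well because NLA is only negotiated when the layer is not pinned to legacy RDP security.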
Once on the Desktop it looks pretty locked down. I am able to hit the Windows key and open up the start menu. From there, I type in Edge to see if I can reach a browser (previously tried to run command prompt with no luck) and we are able to open it.
We plug in our URL, C:\, and are shown the root of the drive. From here we can grab our user flag.
Looking around we find an interesting folder named _admin.
Inside there is a profiles.xml which seems to contain credentials. We will keep this in mind for later.
Let's try to get a shell open on this machine. We head over to C:\Windows\System32 to try and open Command Prompt.
When we click on cmd.exe we get a download prompt. We can leverage this to open the file explorer.
We try to run the file but have no luck. Let's try renaming cmd.exe to msedge, since we know that application is allowed to run.
Press F2 on the file and rename it to msedge.
We can now open the command prompt after renaming.
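The rename works because whatever allows msedge to run keys on the file name, not on what the file actually is. A defender-side check for exactly this, added here as an example and not taken from the writeup or any tool it uses: Sysmon ProcessCreate events (Event ID 1) record the OriginalFileName from the PE version resource, so cmd.exe started under the name msedge.exe appears as a mismatch between the two fields. The sample records at the bottom are constructed, and the Downloads path is an assumption.

```powershell
# Added example (not part of the original writeup): flag processes whose on-disk file
# name does not match the OriginalFileName compiled into the PE, as recorded by
# Sysmon Event ID 1. cmd.exe renamed to msedge.exe shows up with Image ending in
# msedge.exe but OriginalFileName "Cmd.Exe".

function Test-RenamedBinary {
    param(
        [Parameter(Mandatory)][string]$Image,             # full path of the launched file
        [Parameter(Mandatory)][string]$OriginalFileName   # name from the PE version resource
    )
    # Sysmon reports '-' when the PE has no version info; there is nothing to compare then.
    if ($OriginalFileName -eq '-' -or [string]::IsNullOrWhiteSpace($OriginalFileName)) {
        return $false
    }
    $leaf = [System.IO.Path]::GetFileName($Image)
    # Case-insensitive compare: OriginalFileName is typically "Cmd.Exe", the path "cmd.exe".
    return -not $leaf.Equals($OriginalFileName, [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-RenamedBinaryEvents {
    # Reads live Sysmon ProcessCreate events and returns the ones with a name mismatch.
    param([int]$MaxEvents = 500)

    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' `
        -FilterXPath '*[System[EventID=1]]' -MaxEvents $MaxEvents -ErrorAction Stop |
    ForEach-Object {
        # Pull EventData fields by name rather than position, so schema changes do not shift them.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if (Test-RenamedBinary -Image $data['Image'] -OriginalFileName $data['OriginalFileName']) {
            [pscustomobject]@{
                TimeCreated      = $_.TimeCreated
                User             = $data['User']
                Image            = $data['Image']
                OriginalFileName = $data['OriginalFileName']
                ParentImage      = $data['ParentImage']
            }
        }
    }
}

# Constructed sample records (not taken from the target) to show the logic offline.
$samples = @(
    @{ Image = 'C:\Users\KioskUser0\Downloads\msedge.exe'; OriginalFileName = 'Cmd.Exe' },   # renamed cmd.exe -> flagged
    @{ Image = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; OriginalFileName = 'msedge.exe' },
    @{ Image = 'C:\Windows\System32\cmd.exe'; OriginalFileName = 'Cmd.Exe' },               # case differs only -> not flagged
    @{ Image = 'C:\Tools\custom.exe'; OriginalFileName = '-' }                                # no version info -> skipped
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-RenamedBinary @s), $s.Image
}

# On a host with Sysmon installed, review live events with:
# Get-RenamedBinaryEvents | Format-Table -AutoSize
```

The mismatch is a detection, not a prevention. If the kiosk's restriction is a path or file-name rule, the fix on the prevention side is to allowlist by publisher signature or file hash (AppLocker or WDAC publisher and hash rules), which a rename does not change.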
Command Prompt User Access
We run into an issue though: a lot of commands return responses full of noise. To avoid this we just run PowerShell, which works with no issue.
In the C:\Program Files (x86)\Remote Desktop Plus path we find rdp.exe.
Circling back to the credentials we found in the .xml file earlier, we may be able to use those to connect. Let's try it!
We drag and drop the profiles.xml into our Downloads folder since we do not have access to other folders via file explorer.
We can then click on Manage Profiles > Import Profiles > profiles.xml from our download directory.
BulletsPassView
We have a password here but we can't see it due to the bullet characters. There is an easy way around this: we can use BulletsPassView to reveal it.
Since we enabled the clipboard in our xfreerdp command, we can just drag and drop from our attacker machine into the Downloads folder on the target.
We run BulletsPassView from PowerShell and get our credentials: Twisting3021.
Privilege Escalation
We are able to run PowerShell as the admin user with these credentials.
With a GUI too we can easily bypass UAC. All we must do is run Start-Process powershell -Verb RunAs.
We will be prompted with a GUI UAC dialog which we can just accept.
With that we can read our root flag! pwned
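The elevation step above only works because the kiosk user is allowed to be shown a UAC credential prompt at all. The following PowerShell is an added example, not from the writeup, that reads the documented UAC policy values and reports whether a standard user on the host can still elevate by supplying administrator credentials, with an optional remediation that turns such requests into automatic denials. Value meanings follow the standard Windows UAC policy definitions; the host being audited is assumed to be a kiosk where no interactive elevation is wanted.

```powershell
# Added example (not from the original writeup): audit the UAC policy values that
# decide whether a standard (kiosk) user is ever shown an elevation prompt.
# Run on the Windows host being audited.

function Get-UacPolicy {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $path -ErrorAction Stop

    # When a value is absent from the registry, Windows uses the documented default.
    $enableLua = if ($null -eq $p.EnableLUA) { 1 } else { [int]$p.EnableLUA }
    $user      = if ($null -eq $p.ConsentPromptBehaviorUser)  { 3 } else { [int]$p.ConsentPromptBehaviorUser }
    $admin     = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 5 } else { [int]$p.ConsentPromptBehaviorAdmin }
    $secure    = if ($null -eq $p.PromptOnSecureDesktop)      { 1 } else { [int]$p.PromptOnSecureDesktop }

    # ConsentPromptBehaviorUser: how elevation requests from standard users are handled.
    $userBehavior = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials (default)'
    }
    # ConsentPromptBehaviorAdmin: how members of Administrators are prompted.
    $adminBehavior = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }

    [pscustomobject]@{
        EnableLUA                  = ($enableLua -eq 1)          # UAC on or off
        ConsentPromptBehaviorUser  = $user
        UserBehaviorMeaning        = $userBehavior[$user]
        ConsentPromptBehaviorAdmin = $admin
        AdminBehaviorMeaning       = $adminBehavior[$admin]
        PromptOnSecureDesktop      = ($secure -eq 1)
        # A standard user can type admin credentials into the prompt unless requests are auto-denied.
        StandardUserCanElevate     = ($enableLua -eq 1 -and $user -ne 0)
    }
}

function Set-UacDenyStandardUserElevation {
    # Remediation for kiosk-style hosts: standard users get an automatic denial instead of a prompt.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($PSCmdlet.ShouldProcess($path, 'Set ConsentPromptBehaviorUser = 0')) {
        Set-ItemProperty -Path $path -Name ConsentPromptBehaviorUser -Value 0 -Type DWord
    }
}

# Usage
$uac = Get-UacPolicy
$uac | Format-List
if ($uac.StandardUserCanElevate) {
    Write-Warning 'Standard users can elevate by entering administrator credentials at the UAC prompt.'
    # Set-UacDenyStandardUserElevation -WhatIf   # preview, then run without -WhatIf to remediate
}
```

Denying standard-user elevation requests closes the prompt used in this writeup, but it does not address the root cause: an administrator password stored in a file the kiosk user could read. The stored credential is the finding to fix first; the UAC policy is defence in depth.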