Post

VulnLab: Escape

Posted Updated
Preview Image
By Tom Fieber
4 min read

Summary

Escape is an easy rated Windows box from VulnLab. This box involved breaking out of a restricted kiosk environment, recovering an obfuscated RDP password, and finally bypassing UAC to escalate privilges.

Walkthrough

Enumeration

Nmap shows that only port 3389 is open on the server.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

Nmap scan report for 10.10.126.31
Host is up, received echo-reply ttl 127 (0.13s latency).
Scanned at 2024-05-18 15:07:54 CDT for 315s
Not shown: 65534 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE       REASON          VERSION
3389/tcp open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: ESCAPE
|   NetBIOS_Domain_Name: ESCAPE
|   NetBIOS_Computer_Name: ESCAPE
|   DNS_Domain_Name: Escape
|   DNS_Computer_Name: Escape
|   Product_Version: 10.0.19041
|_  System_Time: 2024-05-18T20:13:04+00:00
|_ssl-date: 2024-05-18T20:13:08+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=Escape
| Issuer: commonName=Escape
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-02T11:08:33
| Not valid after:  2024-08-03T11:08:33
| MD5:   f4fa:8611:3b8a:76e2:65fe:541a:947b:4b84
| SHA-1: 240f:ec8d:6051:8a16:92fd:9600:818a:f8c6:dbe5:bd4b
| -----BEGIN CERTIFICATE-----
| MIIC0DCCAbigAwIBAgIQQlhl5eFZarZNEpCItMxt3jANBgkqhkiG9w0BAQsFADAR
| MQ8wDQYDVQQDEwZFc2NhcGUwHhcNMjQwMjAyMTEwODMzWhcNMjQwODAzMTEwODMz
| WjARMQ8wDQYDVQQDEwZFc2NhcGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
| AoIBAQDRO5ErOER+vxewtaw8DXrvlXgfc5R1seKph22xCI0CaMbLswSXtruA+V8p
| iIWLN+b0Z12z35n7o2kbJuD91T1o3FpiVGVXiRFiTT+d1CET3OYd0VqQOOaxpwfp
| MPvFTfBnbiAhMtalXVkV/R2tYnw94hgmVBxALs7VJp/x3mwcZVkdcEfJ7g7cjpZy
| EMD0Wcs+yYxXVdkYL6e+zPlRBNZjdaTasOAzCJ9a5xmUslhWoIInlL1coI1XD7QL
| 5fJlIUOtr8k9RHKMJPEOS/syeWUUzSkkLzWMFqgWqnikvsS8MI1S94+N2AO7zX4W
| rcOsSqd20W8cxWeqFlo51+/mAk+tAgMBAAGjJDAiMBMGA1UdJQQMMAoGCCsGAQUF
| BwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsFAAOCAQEAEPNmAPmsdJGT9Q0h
| ugo6UcqXu/bhBYKteY4lrHH9P6MMa7rmZE5EFETmK1jp839dYldFGWCGxZ0GAJL/
| aGpicW/ImVVyaSmzwYCXS69wRG0ll0Gu0rmj4PgeQ4KOPN45GWvqWFUepsqEMEF4
| xSAe6igyZMGZAL7qN/px4qmc9nTLSmGp3yDgzxvRqc8d3B+I0q+i1El1e2JcfTyH
| Wjdz3DWjHIXfyo514Ntpdnneugkpehfnnqcjy3JL+soGtrglw3RUA05+0TVgk3l7
| MEEtnIj+jkoDw/iNEfGFswkHWJGf8ASxQohxf0BGh0o4T+Jv7+C2Jdw3szVWfAFX
| loAYvQ==
|_-----END CERTIFICATE-----
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: -1s

Since there’s no credentials, we can try to access the RDP service by disabling NLA.

1

$ xfreerdp /v:$ip /dynamic-resolution +clipboard -sec-nla

This brings up the following prompt. Looks like we can login as the KioskUser0 without a password.

Once we’re logged in, we are presented with sign for the Busan Expo.

Kiosk Breakout

Right click and most commands are restricted in kiosk mode; however, we can use the Windows key to bring up the menu and select Microsoft Edge from there to get a browser with a URL bar and most functionality enabled.

Within Edge, we can use the following in the URL bar to get a directory listing of the C:\ drive.

1

file://c:\

Within the C:\_admin directory, there are a couple files that look like they’re associated with the remote desktop service.

The profiles.xml looks like it has an encrypted password in it. We’ll need to figure out a way to decrypt that.

User Flag

We can just grab the user flag from here.

Privilege Escalation

To proceed, we’re going to need a proper shell. Since we’re fairly restricted on what we can execute, we’ll need to download cmd.exe and then rename it to msedge since that’s one of the only things allowed in kiosk mode.

After checking around a little bit it seems like we’re pretty much restricted to accessing the Downloads folder, so we can copy the profiles.xml file to the C:\Users\KioskUser0\Downloads folder and do everything from there.

Start up RDP plus from C:\Program Files (x86)\Remote Desktop Plus\rdp.exe.

From the Manage profiles menu, select Import profile from the Import and export menu.

Select the profile.xml file and notice that the password is obfuscated in the edit configuration menu.

We can use a tool called BulletsPassView to read the obfuscated password.

When the tool detects an obfuscated password, it displays the plaintext password in the tool window.

Since we’ve already got a shell we can just try runas with that password to see if it’s possible to escalate to the admin user. We get a shell with the following command:

1

PS> runas /user:ESCAPE\admin cmd

After getting the new shell, we can observe that the admin user is a member of the Administrators group, however this shell is running at a medium integrity level which means we’ll need to bypass UAC to get a high integrity shell.

Something I learned doing this lab was that it wasn’t necessary to use something like fodhelper to bypass UAC in this case. Using the following command brought up the UAC dialog and clicking on the “Yes” button brings up PowerShell running as a high integrity process.

1

PS> Start-Process powershell -Verb runas

We can see that we now have all administrative privileges.

Now, with the high integrity PowerShell go ahead and grab the root.txt from the C:\Users\Administrator\Dekstop\ directory.

That’s it! Congrats on rooting the box.

writeups, vulnlab
kiosk rdp uac password-deobfuscation
This post is licensed under CC BY 4.0 by the author.