Penetration testing - Escape - VulnLab
Enrique A.
CRTP | PNPT | ARTA | Security Engineer with 9+ years of experience in network penetration testing, AD testing, Linux server testing and web application security testing.
In the Escape machine, the challenge involved a Windows system locked in kiosk mode with only Remote Desktop Protocol (RDP) enabled. The kiosk mode was bypassed by leveraging Microsoft Edge to navigate the file system using the file:/// protocol. This method uncovered a file named profiles.xml, which stored the admin's RDP password in an encrypted form. Then the password was decrypted, allowing elevation of privileges through User Account Control (UAC).
1. NMAP Scan
As usual, we start with the Nmap Scan:
└─$ sudo nmap -sV -sC -Pn 10.10.102.190 -p 0-65535 | tee nmapresults.txt
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-24 15:30 EEST
Nmap scan report for 10.10.102.190
Host is up (0.21s latency).
Not shown: 65535 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Escape
| Not valid before: 2024-02-02T11:08:33
|_Not valid after: 2024-08-03T11:08:33
|_ssl-date: 2024-05-24T12:40:13+00:00; -2s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -2s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 561.36 seconds
The scan shows only one open port: RDP (3389).
We do not have any users to test here... At this point I started brute-forcing the administrator user with rockyou.txt... nothing was found.
How to find a user here?
I tried first with xfreerdp but it was just failing:
└─$ xfreerdp /v:10.10.102.190
[16:03:16:965] [295461:295478] [INFO][com.freerdp.client.x11] - No user name set. - Using login name: kali
[16:03:18:248] [295461:295478] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[16:03:18:248] [295461:295478] [WARN][com.freerdp.crypto] - CN = Escape
[16:03:18:348] [295461:295478] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[16:03:18:348] [295461:295478] [ERROR][com.freerdp.crypto] - @ WARNING: CERTIFICATE NAME MISMATCH! @
[16:03:18:348] [295461:295478] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[16:03:18:348] [295461:295478] [ERROR][com.freerdp.crypto] - The hostname used for this connection (10.10.102.190:3389)
[16:03:18:348] [295461:295478] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[16:03:18:348] [295461:295478] [ERROR][com.freerdp.crypto] - Common Name (CN):
[16:03:18:348] [295461:295478] [ERROR][com.freerdp.crypto] - Escape
[16:03:18:348] [295461:295478] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
Certificate details for 10.10.102.190:3389 (RDP-Server):
Common Name: Escape
Subject: CN = Escape
Issuer: CN = Escape
Thumbprint: 25:09:db:0e:70:da:4a:31:37:e8:9c:06:dd:8c:d0:a2:49:e1:db:6e:52:cf:2b:c7:2c:cd:5c:48:81:7a:85:40
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N) Y
Domain:
Password:
[16:03:22:867] [295461:295478] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[16:03:22:867] [295461:295478] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[16:03:22:867] [295461:295478] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[16:03:22:867] [295461:295478] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
We need to somehow get the GUI to show up and see whether a login screen appears in it. I tried rdesktop with the command:
rdesktop 10.10.102.190
This can also be achieved by running:
xfreerdp /v:10.10.102.190 -sec-nla
2. RDP Access to the machine
The GUI states that we can log in as user KioskUser0 without entering any password... let's do that. I will use the following command in order to enable the clipboard and set a dynamic resolution:
└─$ xfreerdp /dynamic-resolution +clipboard /u:KioskUser0 /v:10.10.102.190
This is a kiosk computer, so it will not have access to most applications; it will only allow what the administrators have configured to run on this machine.
By pressing the Windows button, we can see the applications:
It is not allowing me to click anything, so what I did was press the Windows button and then type cmd.exe; I tried running it and it was not allowed. I tried powershell, same thing. I tried edge and it allows me to open Edge.
Once I clicked Next on everything, I was able to see the Edge browser working properly.
Something that I noticed is that Edge is allowed.
3. Getting full access to the machine
Since Edge is allowed, I generated a Havoc demon and named it msedge.exe.
1) Setting up the listener... nothing fancy:
2) Generating the executable
3) Setting up a listener to download the executable by running:
python -m http.server 9090
4) Downloading and Running the executable.
It did not work. It seems they are probably not allowing downloads from Edge, or they have an AV running on this machine. I went to the file path C:\users\kioskuser0\Downloads\ and I am not seeing my PE there.
Just in case, I will try ScareCrow in order to sign the executable and add some evasion, and check if this works; if not, we will need to do more reconnaissance inside the machine.
This did not work. I will keep these files since we can probably use them later on.
So at this point we have access only to Edge, and we know it is allowed to run. If the allowlist keys on the file name, any file renamed to msedge.exe should be able to run as well. We will find C:\windows\system32\cmd.exe, download it with Edge to C:\users\kioskuser0\Downloads\ and then rename it to msedge.exe to check if we can get console access this way:
Awesome!!!! We now have CMD access:
Once I got access to CMD, I ran "powershell -ep bypass" in order to get access to powershell and also bypass the execution policy in case I need to run powershell scripts.
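From the defender's side, the weak point here is an allowlist that keys on the file name: cmd.exe renamed to msedge.exe passes. The following is an added example, not code from the original write-up. It flags process-creation records where the image name disagrees with the PE's OriginalFileName, images launched from user-writable folders, and children of such binaries in a kiosk session. The field names follow Sysmon Event ID 1; the sample events are constructed for this example and are not logs from the machine.

```python
import ntpath
import re

# Folders a low-privileged kiosk user can write to. A kiosk allowlist should never
# let anything execute from here.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.IGNORECASE
)

# Constructed Sysmon Event ID 1 (process creation) records. The third record is
# the cmd.exe-renamed-to-msedge.exe case; the first is the genuine browser.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe", "User": r"ESCAPE\KioskUser0",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "msedge.exe"},
    {"EventID": 1,
     "Image": r"C:\Users\KioskUser0\Downloads\msedge.exe",
     "OriginalFileName": "Cmd.Exe", "User": r"ESCAPE\KioskUser0",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "User": r"ESCAPE\KioskUser0",
     "ParentImage": r"C:\Users\KioskUser0\Downloads\msedge.exe",
     "CommandLine": "powershell -ep bypass"},
]


def check_event(ev, kiosk_users):
    """Return (rule, detail) tuples for one process-creation event."""
    findings = []
    image = ev.get("Image", "")
    base = ntpath.basename(image)
    orig = ev.get("OriginalFileName", "")

    # The PE version resource survives a rename; a mismatch means the file on
    # disk is not what its name claims. Keep an allowlist for known benign
    # mismatches in production, since a few vendors ship odd OriginalFileName values.
    if orig and orig != "-" and base.lower() != orig.lower():
        findings.append(("name_mismatch", f"{base} has OriginalFileName {orig}"))

    if USER_WRITABLE.search(image):
        findings.append(("user_writable_path", image))

    # In a kiosk session, anything spawned by a binary living in a user-writable
    # folder is a sign the allowlist has already been escaped.
    user = ev.get("User", "").split("\\")[-1].lower()
    if user in kiosk_users and USER_WRITABLE.search(ev.get("ParentImage", "")):
        findings.append(("child_of_user_writable_binary",
                         f"{base} <- {ev['ParentImage']}"))
    return findings


def analyze(events, kiosk_users=("kioskuser0",)):
    """Run every rule over a list of Sysmon-shaped events and collect findings."""
    kiosk = {u.lower() for u in kiosk_users}
    report = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        for rule, detail in check_event(ev, kiosk):
            report.append({"rule": rule, "user": ev.get("User"), "detail": detail})
    return report


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['user']}: {f['detail']}")
```

The genuine Edge launch produces no finding; the renamed cmd.exe trips both the name-mismatch and user-writable-path rules, and the PowerShell it spawns is caught as a child of a user-writable binary. Publisher- or hash-based rules (rather than path or name rules) would have prevented the rename trick in the first place.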
While browsing with Edge, I found the following folder, _admin, with some interesting data:
Inside _admin folder we find the following file:
The first comment shows that this file is meant to be used with Remote Desktop Plus.
It seems those are the credentials for the admin user. We can verify this by checking whether that is a valid user on the system:
When looking for Remote Desktop Plus, I found it at the following path:
With this software we can load the .xml profile we found before, but it still does not show us the password.
After researching, I found a program called "BulletPassView", which allows us to see the password behind the bullets in a program.
These are the steps I took:
1) copy the profiles.xml file to C:\users\kioskuser0\Downloads\
2) Run rdp.exe from C:\Program Files (x86)\Remote Desktop Plus\
3) Run BulletPassView....
4) Load profiles.xml into Remote Desktop Plus... Edit the user.
5) Checking BulletPassView, it now shows the password:
Let's log in using the following combination: admin : Twisting3021
With the help of ChatGPT I was able to get the translation:
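The lesson from profiles.xml is that a stored password the application can decrypt is only as protected as access to that application: anyone who can run Remote Desktop Plus as that user can recover it, with or without BulletPassView. Below is an added example, not from the original write-up, of the kind of pre-deployment audit that would have caught this file: it walks a directory, parses each XML file and reports credential-like fields, noting whether the value merely looks encoded. The sample files and their element names are constructed for this example and do not reproduce Remote Desktop Plus's real schema.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Attribute/element names that usually hold credentials.
CRED_KEY = re.compile(r"(pass(word|wd)?|pwd|secret|credential)", re.IGNORECASE)
# Rough test for base64-looking values: "encrypted" or encoded, but still
# recoverable by anyone who can run the application that reads the file.
ENCODED = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def find_credential_fields(xml_text):
    """Return (location, value) pairs for credential-like elements and attributes."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        for attr, val in elem.attrib.items():
            if CRED_KEY.search(attr) and val:
                hits.append((f"<{elem.tag} {attr}=...>", val))
        text = (elem.text or "").strip()
        if CRED_KEY.search(elem.tag) and text:
            hits.append((f"<{elem.tag}>", text))
    return hits


def audit_directory(root_dir):
    """Walk root_dir, parse every .xml file and report stored credential fields."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    hits = find_credential_fields(fh.read())
            except (ET.ParseError, OSError):
                continue  # unreadable or not well-formed XML: skip, do not crash
            for location, value in hits:
                findings.append({
                    "file": path,
                    "field": location,
                    "looks_encoded": bool(ENCODED.match(value)),
                })
    return findings


# Constructed sample files. Element and attribute names are hypothetical and do
# NOT reproduce Remote Desktop Plus's real profiles.xml schema.
SAMPLE_FILES = {
    os.path.join("_admin", "profiles.xml"): """<profiles>
  <profile name="admin-host" host="10.0.0.5" username="admin" password="U2FsdGVkX1+examplebase64==" />
  <profile name="no-creds" host="10.0.0.6" username="svc" />
</profiles>""",
    os.path.join("app", "settings.xml"): """<settings>
  <Server>10.0.0.7</Server>
  <Password>plain123</Password>
</settings>""",
    os.path.join("app", "readme.txt"): "not xml, must be ignored",
}


def demo():
    """Write the constructed samples to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return sorted(audit_directory(tmp), key=lambda f: f["file"])


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: {f['field']} (encoded-looking: {f['looks_encoded']})")
```

Run it against a share or image before it ships; every hit is a credential that should move into a proper secret store (or at least out of a location a kiosk account can read), regardless of whether the value is obfuscated.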
"To log in remotely, you must have permission to log in through the Remote Desktop Services. By default, members of the Remote Desktop Users group have this permission. If the current group does not have this permission, or if the permission has been removed from the Remote Desktop Users group, the permission must be granted manually."
This means the user is not part of the Remote Desktop Users group, or UAC is not allowing us to do it. But we can still try to run commands as admin (with runas) on the machine. Let's do that.
We now have admin, but not with all privileges:
This is due to UAC, which gives the administrator a filtered token until we elevate; it needs to be bypassed.
In situations like this one, in which we have access to the GUI, we can run this command to get past UAC: it triggers the elevation prompt, and since we have the desktop we can simply accept it:
start-process powershell.exe -verb runas
And now we are admins with full control:
Conclusions
The "Escape" machine, rated as "easy," provided an engaging and educational challenge that showcased creativity and complexity. This exercise highlighted several critical aspects of penetration testing and system security:
VulnLab's "Escape" machine effectively combined various elements of system security and feature abuse, making it a valuable exercise for learning and honing penetration testing skills. The machine’s setup required a thoughtful approach to successfully navigate and exploit the system.