Myles Nieman

VulnEscape

Overview

VulnEscape is an easy Windows box presenting an RDP session locked into a kiosk environment running Microsoft Edge. The kiosk is escaped by leveraging Edge’s ability to open local files: powershell.exe is copied as msedge.exe so it launches inside the browser’s allowed process context. Exploring the resulting shell reveals Remote Desktop Plus with a saved RDP profile whose password is masked — but recoverable with Nirsoft’s BulletsPassView. Those credentials allow runas as admin, and a UAC-bypassed elevated PowerShell session completes the chain.

Path: RDP kiosk → Edge local-file trick → PowerShell as user → Remote Desktop Plus saved creds → BulletsPassView → runas admin → UAC bypass → elevated shell → root.

Enumeration

The target exposes only RDP:

Nmap confirming only RDP is open on the target

Connecting via RDP drops into a kiosk session with only Microsoft Edge available — no taskbar, no desktop shortcuts, and no obvious escape.

The RDP kiosk environment showing a locked-down Edge browser

Foothold — Kiosk Escape via Edge

The technique for breaking out of a Windows kiosk running Edge is documented by NVISO Labs: Edge can open local file:// URLs, and if it can be made to launch an executable named msedge.exe, it runs in the allowed context.

The steps:

  1. Use Edge to navigate to a locally crafted HTML page (pwn.html) that triggers a file download.

Navigating to a local pwn.html page inside the kiosk Edge session

Edge downloads a file through the local HTML trick

  2. Locate powershell.exe at:
     C:\Windows\System32\WindowsPowerShell\V1.0\powershell.exe
  3. Copy it to a writable location and rename the copy to msedge.exe, then launch it through Edge.

Edge’s bookmarks bar showing the pwn.html page added

Adding the local pwn.html as a bookmark for easy access

Downloading and staging the renamed powershell.exe as msedge.exe

PowerShell launches through the Edge kiosk bypass

A PowerShell window opens as the kiosk user. The shell has restricted permissions (low-integrity), but it is enough to explore the filesystem.
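A detensive check for the renamed-binary trick above, added here as an example and not part of the original writeup: given Sysmon Event ID 1 (process creation) records, it flags any process whose on-disk name is msedge.exe but whose PE OriginalFileName or install directory does not match the real Edge. The records and the kiosk user's download path are constructed sample data, not from the box.

```python
import ntpath

# Constructed Sysmon Event ID 1 records, reduced to the fields the check needs.
# The second record mirrors the kiosk escape described above: powershell.exe
# copied to a user-writable directory, renamed to msedge.exe, launched from Edge.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Users\kiosk\Downloads\msedge.exe",  # constructed path
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Directories where a legitimate msedge.exe is expected to live.
EDGE_DIRS = {
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
}


def flag_masqueraded_edge(events):
    """Return (image, reason) for each record whose file name claims to be
    msedge.exe but whose version resource or location says otherwise.
    OriginalFileName comes from the PE version info and survives a rename."""
    findings = []
    for ev in events:
        image = ev["Image"]
        if ntpath.basename(image).lower() != "msedge.exe":
            continue
        reasons = []
        original = ev.get("OriginalFileName", "")
        if original.lower() != "msedge.exe":
            reasons.append(f"OriginalFileName is {original!r}, not msedge.exe")
        if ntpath.dirname(image).lower() not in EDGE_DIRS:
            reasons.append("image is outside the Edge install directory")
        if reasons:
            findings.append((image, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for image, reason in flag_masqueraded_edge(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

The same two conditions translate directly into a SIEM rule over Sysmon data; the OriginalFileName mismatch is the stronger signal, since a copied binary can be placed anywhere.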

Enumeration — Filesystem Exploration

Initial exploration turns up a couple of notable directories:

  • C:\RUXIM — an unusual folder.

C:\RUXIM directory listing

  • C:\Program Files (x86)\Remote Desktop Plus — a third-party RDP client that supports saving connection profiles, including stored passwords.

Remote Desktop Plus installation found on the system

Privilege Escalation — Recovering a Saved RDP Credential

Opening Remote Desktop Plus reveals a saved RDP profile with a pre-filled, masked password:

Remote Desktop Plus with a saved connection profile

Importing the saved profile confirms it contains stored credentials

The Remote Desktop Plus profile shows a masked password field

The password field shows bullets. Nirsoft’s BulletsPassView recovers passwords hidden behind bullet characters in Windows controls:

BulletsPassView dialog ready to recover the masked password

BulletsPassView reveals the plaintext credential

With the credential in hand, runas launches a PowerShell process as admin:

runas /user:admin powershell.exe

runas /user:admin PowerShell launches but runs at medium integrity

Root

The initial runas session runs at medium integrity — UAC still limits privileged operations. Spawning an elevated process from within that shell promotes to high integrity:

Start-Process powershell.exe -Verb runas

The UAC prompt auto-accepts (since we already authenticated as admin), and the new PowerShell window runs with full administrator privileges. The root flag is accessible from there.

Takeaways

  • Windows kiosk escapes via Edge are a well-documented technique: Edge’s ability to open local file:// paths and launch processes named msedge.exe makes any kiosk relying on Edge-as-sole-application breakable without additional tooling.
  • Third-party credential stores like Remote Desktop Plus save passwords in Windows control fields that are trivially revealed by tools like BulletsPassView — stored RDP credentials in kiosk environments represent an easy lateral-movement path.