VulnEscape
RETIRED MACHINE

Windows
Easy

4.3

MACHINE RATING

231

USER OWNS

165

SYSTEM OWNS

08/07/2025

RELEASED
Created by xct

Machine Synopsis

VulnEscape is an Easy Difficulty Windows machine that features the Remote Desktop Server service running on its default port. Users can connect to the machine over RDP and log in as `KioskUser0` without a password. The target environment is restricted; however, by abusing the `file://` scheme in Microsoft Edge, users can browse the file system. Further exploitation allows users to bypass the system restrictions and open a PowerShell window. Enumeration of the file system reveals a folder that contains a profile for an application called `Remote Desktop Plus`. This profile can be loaded in the application, and the password in the profile can be extracted with a second application called `BulletsPassView`. The extracted password can be used to start a session as the `admin` user, and a further bypass of the User Access Controls in place allows attackers to read the root flag.
