VulnEscape
Windows
Easy
4.3
MACHINE RATING231
USER OWNS165
SYSTEM OWNS08/07/2025
RELEASEDMachine Synopsis
VulnEscape is an Easy Difficulty Windows machine that features the Remote Desktop Server service running on its default port. Users can connect to the machine over RDP and login as `KioskUser0` without a password. The target environment is restricted, however, by abusing the `file://` scheme in Microsoft Edge, users can browse the file system. Further exploitation allows users to bypass the system restrictions and open a PowerShell window. Enumeration of the file system reveals a folder which contains a profile for an application called `Remote Desktop Plus`. This profile can be loaded in the application and the password in this profile can be extracted by using a second application called `BulletsPassView`. The extracted password can be used to start a session as the `admin` user and further bypass of the User Access Controls in place allows attackers to read the root flag.
Machine Matrix
