This article describes a penetration test of a VulnLab machine configured in Windows Kiosk Mode. The author shows how access was gained and privileges escalated, in particular through RDP and by abusing Microsoft Edge inside the kiosk session. The chain includes locating sensitive files, running BulletsPassView, and bypassing User Account Control (UAC) to reach SYSTEM-level access. Affected: VulnLab, Windows Kiosk Mode
Keypoints:
- The author starts a scan using Nmap on a specific IP address.
- Identified open RDP service for remote access.
- Access via a user account (KiosKUser0) with no password required.
- Used Microsoft Edge within the Kiosk environment to explore the file system.
- Found a sensitive file (profiles.xml) in the C: drive.
- Utilized BulletsPassView tool to uncover stored passwords.
- Executed a UAC bypass to gain admin access using PowerShell.
- The author successfully escalates privileges to SYSTEM level.
MITRE Techniques:
- TA0001 – Initial Access: Used RDP to access the system without credentials.
- TA0002 – Execution: Executed BulletsPassView.exe to reveal passwords.
- TA0004 – Privilege Escalation: Bypassed UAC using PowerShell commands.
- TA0005 – Defense Evasion: Renamed cmd.exe to circumvent restrictions.
- TA0040 – Impact: Achieved final access to the root.txt flag as SYSTEM.
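As an added detection-side example (not part of the write-up), the following Python flags Sysmon process-creation records that match the steps in the chain above: Edge opening local paths, a tool run from the kiosk user's Downloads folder, and a binary whose PE OriginalFileName is cmd.exe but runs under another name. The field names follow Sysmon Event ID 1; the kiosk account name and the sample records are constructed assumptions.

```python
"""Flag Sysmon process-creation (Event ID 1) records that match the kiosk-escape
chain above: Edge opening file:// paths, tools run from the kiosk user's
Downloads folder, and a renamed cmd.exe (OriginalFileName mismatch)."""
import ntpath

KIOSK_ACCOUNTS = {"kioskuser0"}  # assumption: the kiosk account(s) in use

def flag_event(ev: dict) -> list:
    """Return the rule names triggered by one Sysmon EID 1 record."""
    hits = []
    image = ev.get("Image", "")
    user = ev.get("User", "").split("\\")[-1].lower()
    cmd = ev.get("CommandLine", "").lower()
    orig = ev.get("OriginalFileName", "").lower()
    exe = ntpath.basename(image).lower()
    # 1. PE OriginalFileName says cmd.exe, but it is running under another name.
    if orig == "cmd.exe" and exe != "cmd.exe":
        hits.append("renamed_cmd")
    # 2. Any executable launched from a kiosk account's Downloads folder.
    if user in KIOSK_ACCOUNTS and "\\downloads\\" in image.lower():
        hits.append("kiosk_downloads_exec")
    # 3. Edge, under a kiosk account, opening local paths via file:// URLs.
    if user in KIOSK_ACCOUNTS and exe == "msedge.exe" and "file:///" in cmd:
        hits.append("edge_file_browse")
    return hits

def scan(events: list) -> list:
    """(Image, rule) pairs for every record that trips at least one rule."""
    return [(ev["Image"], rule) for ev in events for rule in flag_event(ev)]

SAMPLE_EVENTS = [  # constructed records, not taken from the write-up
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe", "User": r"ESCAPE\KiosKUser0",
     "CommandLine": 'msedge.exe --kiosk "file:///C:/_admin/"'},
    {"Image": r"C:\Users\KiosKUser0\Downloads\BulletsPassView.exe",
     "OriginalFileName": "BulletsPassView.exe", "User": r"ESCAPE\KiosKUser0",
     "CommandLine": "BulletsPassView.exe"},
    {"Image": r"C:\Users\KiosKUser0\Downloads\notes.exe",
     "OriginalFileName": "Cmd.Exe", "User": r"ESCAPE\KiosKUser0",
     "CommandLine": "notes.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for image, rule in scan(SAMPLE_EVENTS):
        print(f"{rule:22} {image}")
```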
Indicators of Compromise:
- [IP Address] 10.10.66.176
- [Executable] BulletsPassView.exe
- [File Path] C:\_admin\profiles.xml
- [File Path] C:\Users\KiosKUser0\Downloads\BulletsPassView.exe
- [Domain] ESCAPE