Escape | VulnLab — Ever Heard of Windows Kiosk Mode? No? Well, It’s Time to Learn!
Summary
In a new series of blog posts, Maverick aims to guide readers through cracking the vulnerabilities in each of the machines in VulnLab, a self-hosted penetration testing environment for players to practice their ethical hacking skills.
In this episode, Maverick discovered a Windows Kiosk machine (10.10.66.176) with no password required for RDP and an open Edge browser.
There are many ways to solve this machine, but due to the level of complexity, Maverick has chosen an ‘easy and effective way’ to get the job done, while learning some new techniques.
The machine is run as an administrator with UAC (User Account Control) enabled.
The attacker needs to bypass UAC to take full control – this is achieved by renaming cmd.exe to msedge.exe, so that it executes via the Edge browser.
This kind of social engineering technique is completely valid in a red teaming scenario.
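From the defender's side, the rename described above shows up in process-creation telemetry, because renaming a file does not change the original file name embedded in its version resource. The following is an added example, not code from Maverick's post: it runs that check over constructed records shaped like Sysmon Event ID 1, and the paths, user names and trusted-directory list are assumptions.

```python
import ntpath

# Constructed sample records shaped like Sysmon Event ID 1 (process creation).
# Image, OriginalFileName, ParentImage and User are real Sysmon field names;
# the values, paths and user names are made up for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"KIOSK\kioskuser"},
    {"Image": r"C:\Users\kioskuser\Downloads\msedge.exe",
     "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "User": r"KIOSK\kioskuser"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"KIOSK\admin"},
]

# Assumption: directories from which the real Edge binary is expected to run.
TRUSTED_EDGE_DIRS = (
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
)

def find_masquerades(events):
    """Return (event, reasons) pairs for processes whose on-disk name or
    location does not match the identity embedded in the binary."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        disk_name = ntpath.basename(image).lower()
        embedded = ev.get("OriginalFileName", "").lower()
        reasons = []
        # Renaming changes the file name, not the PE version resource.
        # "-" is treated as a missing-value placeholder (assumption).
        if embedded and embedded not in ("-", disk_name):
            reasons.append(f"renamed binary: {embedded} running as {disk_name}")
        # Allow-lists keyed on the name alone miss copies outside the install dir.
        if disk_name == "msedge.exe" and \
                ntpath.dirname(image).lower() not in TRUSTED_EDGE_DIRS:
            reasons.append("msedge.exe outside Edge install directory")
        if reasons:
            findings.append((ev, reasons))
    return findings

if __name__ == "__main__":
    for ev, reasons in find_masquerades(SAMPLE_EVENTS):
        print(ev["Image"], "->", "; ".join(reasons))
```

Only the second record is flagged, for both reasons; the genuine Edge and cmd.exe launches pass.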
The post concludes with a summary of the attack path and a call to action to follow the author on LinkedIn and Twitter and respect him on Hack The Box.