Summary

Escape is a Windows box that exposes only RDP (3389). The RDP session drops you into a locked-down kiosk account (KioskUser0) meant for a "Conference Display" app. The box is solved entirely through a kiosk breakout: abusing Edge's address bar to browse the local filesystem, bypassing an application allowlist by renaming binaries, then finding a third-party RDP client (Remote Desktop Plus) with saved-but-masked credentials for the admin account. Those credentials are recovered with a Nirsoft password-reveal tool, and admin turns out to be a local administrator, giving full SYSTEM-level access after a UAC prompt.

Reconnaissance

Only one port open - RDP:

nmap -A -Pn <machine-ip> -oA nmap