Key Exploitation Points
Default User Configuration:
WSL allows setting the default user to root, granting administrative privileges.
Network Access:
Root access enables opening any port, facilitating bind or reverse shells.
Filesystem Access:
WSL’s filesystem integration allows exploration and potential data exfiltration.
Step-by-Step Exploitation Guide
1. Verifying WSL Installation
Confirm WSL is installed and configured:
This will list installed distributions and their states.
2. Changing the Default User to Root
Gain root privileges by changing the default user:
C:\path\to\your\distribution.exe config --default-user root
Example for Ubuntu:
C:\Ubuntu.exe config --default-user root
3. Verifying Root Access
After setting the default user to root, confirm by running:
Output: Should return root.
4. Establishing a Bind or Reverse Shell
Once you have root access, use Python to establish a shell:
Bind Shell
Opens a port for incoming connections:
Replace PORT with the desired listening port.
Reverse Shell
Connects back to an external listener:
Replace YOUR_IP and YOUR_PORT with the attacker's IP and port.
5. Accessing the WSL Filesystem
The WSL filesystem can be explored directly from Windows:
This location contains the root filesystem of the WSL environment.
6. Alternative Access via bash.exe
Access WSL through bash.exe:
Run bash.exe to enter the WSL environment directly.
Mitigation Strategies
To secure systems against unauthorized WSL exploitation:
1. Limit WSL Use
Restrict access to WSL, especially for non-administrative users on sensitive systems.
Ensure the default user cannot be set to root without administrative approval.
3. Network Security
Monitor and restrict ports opened by WSL to prevent unauthorized bind or reverse shells.
4. Audit WSL Activity
Regularly review WSL configurations and logs for signs of unauthorized changes or suspicious activity.
5. Keep Systems Updated
Ensure both Windows and WSL are up-to-date with the latest security patches.
