Windows Subsystem for Linux

With root privileges Windows Subsystem for Linux (WSL) allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem just set the default user to root W/ <distro>.exe --default-user root. Now start your bind shell or reverse. - Warlockobama's tweet

wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'

Binary bash.exe can also be found in C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe

Alternatively you can explore the WSL filesystem in the folder C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\
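For defenders, the command sequence above (default user switched to root, then inline interpreter code run through wsl) can be hunted in process-creation logs. The following is an added example, not part of the original page: the record format, rule severities, host and user names, and the 10-minute correlation window are assumptions, and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# Patterns derived from the command lines on this page.
SET_ROOT = re.compile(r'\.exe"?\s+config\s+--default-user\s+root\b', re.I)
INLINE = re.compile(
    r'(?:^|[\\/"\s])(?:wsl|bash)(?:\.exe)?"?\s+(?:\S+\s+)*?'
    r'(?:python[\d.]*|perl|ruby|sh|bash)\s+-c\b', re.I)
WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse(line):
    """Split a constructed 'timestamp|host|user|command line' record."""
    ts, host, user, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, user, cmd.strip()


def detect(lines):
    """Return alerts as (severity, host, user, command line) tuples."""
    alerts, root_set = [], {}
    for ts, host, user, cmd in sorted(map(parse, lines)):
        key = (host, user)
        if SET_ROOT.search(cmd):
            root_set[key] = ts
            alerts.append(("medium", host, user, cmd))
        elif INLINE.search(cmd):
            # Inline code shortly after a default-user change matches the
            # sequence on this page, so it is raised to high.
            recent = key in root_set and ts - root_set[key] <= WINDOW
            alerts.append(("high" if recent else "low", host, user, cmd))
    return alerts


# Constructed process-creation records (not real telemetry).
SAMPLE = [
    "2024-05-01T10:00:00|WS01|alice|wsl whoami",
    "2024-05-01T10:00:20|WS01|alice|ubuntun1604.exe config --default-user root",
    "2024-05-01T10:00:40|WS01|alice|wsl whoami",
    "2024-05-01T10:01:05|WS01|alice|wsl python -c 'PLACEHOLDER'",
    "2024-05-01T11:30:00|WS02|bob|wsl.exe python3 -c 'print(1)'",
    "2024-05-01T11:31:00|WS02|bob|wsl ls -la",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert, sep="\t")
```

In practice the records would come from process-creation telemetry such as Windows Security event 4688 with command-line auditing enabled, or Sysmon event 1.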

Methodology

Check if bash and WSL exist

where /R c:\windows bash.exe
  • where: A Windows command-line utility used to locate files within the directory tree.

  • /R: This flag stands for Recursive. It tells the command to search the specified directory and all of its subdirectories.

  • c:\windows: The starting directory for the search.

  • bash.exe: The specific filename being searched for.

Check if you are root

Jump into WSL with bash

You can even find credentials in history files.

We can use PsExec to connect to the machine.
