Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2022-25372: Local Privilege Escalation in Pritunl VPN Client

David Yesland, Rhino Security (posted 3 years ago)
  • Pritunl VPN is a distributed VPN service. The product is open source, which also makes it easier to audit.
  • When a user imports a VPN configuration file into the client, it is stored at %APPDATA%\pritunl\profiles\[profile_ID].ovpn. During the import the client attempts to sanitize malicious characters from the file and then writes it to %PROGRAMDATA%\Pritunl\[profile_ID].ovpn.
  • Here is the kicker: ANY user can create new configuration files in %PROGRAMDATA%\Pritunl\[profile_ID].ovpn under the default security permissions. As a result, an attacker can add malicious directives to the configuration file. When openvpn is executed, it is run with the script-security 1 flag, which prevents the configuration from executing external commands. Good work on the defense!
  • There is one oversight though: the logging directive can still be set in the configuration file. Using it, a specified file is written to as SYSTEM, with partially controllable contents. Arbitrary file write primitive!
  • Using the arbitrary file write with limited control over the contents, code execution can be gained fairly easily. What is the best primitive for this? ipconfig is run without an absolute path. This means that if we add ipconfig.bat to the execution path, it will be executed first! Neat trick for a relative path.
  • Overall, this is a good article on privilege escalation and on how misunderstanding dependencies can lead to problems.
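The two weak points in the write-up are both permission problems: a directory under %PROGRAMDATA% that low-privileged users can write to, and a command resolved through the search path rather than by absolute path. The following audit script is an added example written for this page; it is not from the article, from Rhino Security, or from the Pritunl project. It generalizes the article's case by checking every directory on the machine's PATH as well as the Pritunl data directory for ACEs that grant file-creation or modification rights to broad principals (Everyone, Users, Authenticated Users). The target paths are assumptions for illustration.

```powershell
# Added example, not from the article or from Pritunl: audit directories for
# write access granted to broad, low-privilege principals. The paths in
# $Targets are assumptions for illustration; adjust them for your environment.
$Targets = @("$env:ProgramData\Pritunl") + ($env:Path -split ';' | Where-Object { $_ })

# Principals that effectively mean "any local user".
$Broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Named rights that allow creating or changing files inside a directory.
# (WriteAttributes alone is deliberately not counted.)
$NamedWrite = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Modify, FullControl'
# Generic access bits that Get-Acl reports on some inherit-only ACEs instead of named rights.
$GenericWrite = 0x10000000 -bor 0x40000000   # GENERIC_ALL | GENERIC_WRITE

function Test-BroadWriteAccess {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Broad -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        $grantsWrite = (($rights -band [int]$NamedWrite) -ne 0) -or (($rights -band $GenericWrite) -ne 0)
        if ($grantsWrite) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited from %PROGRAMDATA% is the Pritunl pattern
            }
        }
    }
}

$Findings = $Targets | Sort-Object -Unique | ForEach-Object { Test-BroadWriteAccess -Path $_ }
if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    'No broad write access found on the audited directories.'
}
```

A hit on a directory that a privileged service reads configuration from, or on any PATH entry, is the condition to fix: replace the inherited ACL with one that grants write access only to Administrators and SYSTEM, and prefer absolute paths when privileged code launches helpers such as ipconfig.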