The idea behind VulnVPN is to exploit the VPN service to gain access to the sever and ‘internal’ services. Once you have an internal client address there are a number of ways of gaining root (some easier than others).
Client VPN Configuration
I have created a VulnVPN client image (x64) that has the relevant settings in place, otherwise it’s basically a standard BT5r3 image. All you’ll need to do is populate the /etc/ipsec.secrets file once you have the PSK and then restart the relevant ipsec services. The IP of the client has been set to 192.168.0.11. The username/password is the standard BT of root/toor. Alternatively you can download the client config files and use your own host, as described below.
I have created/uploaded the relevant files which can be obtained from the compressed file here. You’ll need to configure Openswan/xl2tpd on your system, if you’re using an Ubuntu based Linux variant you can follow the below steps – please note that I’ve used Backtrack 5r3 for all client testing (mentioned as I know it works well):
1. apt-get install openswan xl2tpd ppp
2. Copy the downloaded client files into the following locations:
3. VulnVPN is located at 192.168.0.10 and the client configuration files state that the client IP address is 192.168.0.11. If you want your client to have a different address ensure you change the relevant settings in /etc/ipsec.conf.
4. To establish a VPN connection run the following command: ipsec auto –up vpn (that’s two hyphens before up, they get lost in the post formatting). If you’re viewing the logs you should see something along the lines of ‘IPsec SA established’.
5. If the connection succeeds (remember you’ll need to obtain the PSK before this is possible) you can run the ‘start-vpn.sh’ script (included with client config files download) or run the following command to initialise the PPP adaptor: echo “c vpn” > /var/run/xl2tpd/l2tp-control
6. Run ip list or ifconfig and you should see that a new PPP adapter has been created and assigned an IP address (this may not be instant, give it a few seconds). If the adaptor fails to come up run the script/command again – I’ve come across this issue a few times.
Note: If you change your configuration/IP settings etc you’ll need to reload the relevant configuration files i.e. /etc/init.d/ipsec restart and/or /etc/init.d/xl2tpd restart
I realise that VPN’s can be very troublesome (setting this challenge up was bad enough), so I have allowed access to auth and ufw logs. These should help highlight issues you may be experiencing and can be found at http://192.168.0.10:81 (note port 81). Please note that hacking this page and associated scripts are not part of the challenge, rather they have been provided for assistance.
A useful config reference can also be found here:
- Architecture: x86
- Format: VMware (vmx & vmdk) compatibility with version 4 onwards
- RAM: 1GB
- Network: NAT – Static IP 192.168.0.10 (no G/W or DNS configured)
- Extracted size: 1.57GB
- Compressed (download size): 368MB – 7zip format – 7zip can be obtained from here
Download VulnVPN from -HERE-
MD5 Hash of VulnVPN.7z: 9568aa4c94bf0b5809cb0a282fffa5c2
Download Client files from -HERE-
MD5 Hash of client.7z: e598887f2e4b18cd415ea747606644f6
Download x64 Client VM Image from -HERE- (it’s big!)
MD5 Hash of client.7z: e57253a449cab4563bfa74852e1d5b2c
As per usual, I shall add a related solutions post shortly. Until then, enjoy 🙂