The following post shows some possible ways to hack and gain root on VulnVPN. In these examples VulnVPN is at 192.168.0.10 and the attacking box/client is at 192.168.0.11.
Attacking the VPN Server
The first few steps involve finding the listening services. As it’s a VPN image, I’ve performed a single scan on UDP port 500, the result of which can be seen in the following screenshot.
To keep this thorough I’ve also performed a full TCP port scan although, as expected, the only open port is 81. This is used to host a help page and is out of scope for testing.
Using ike-scan it’s possible to determine that the host is running an IKE-based VPN in aggressive mode. Because aggressive mode sends the PSK-derived hash in the clear, the hash can be captured and attacked offline to recover the plaintext PSK. More information on this attack can be found here.
It’s then possible to use a program such as psk-crack to perform dictionary or brute-force attacks on the hash. From the following screenshot it is evident that the clear text PSK value is 123456.
If you’re using the client config files supplied, you’ll need to enter the PSK into the ipsec.secrets file (as follows).
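As an added defender-side example (not part of the original post), the script below parses an ipsec.secrets-style file and flags PSKs that an offline dictionary or brute-force attack like the one above would recover quickly. The file contents and wordlist are constructed samples, and the two-ID line format plus the 20-character and character-class thresholds are assumptions of this example, not rules from the post.

```python
import re

# Constructed sample in the ipsec.secrets layout used by Openswan/strongSwan-style
# stacks: '<left-id> <right-id> : PSK "<secret>"'. The 123456 entry mirrors the
# PSK recovered in the post; the second secret is an invented stronger value.
SAMPLE_SECRETS = '''\
# VulnVPN client secrets (constructed sample)
192.168.0.10 192.168.0.11 : PSK "123456"
%any %any : PSK "Xk7#pQ2!vL9mTz4rWb8n"
'''

# Tiny constructed wordlist standing in for the dictionary a cracker would use.
WEAK_WORDS = {"123456", "password", "vpn", "secret", "admin"}

# Assumption: exactly two ID selectors before the colon (enough for this sample).
PSK_LINE = re.compile(r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"')


def parse_secrets(text):
    """Return (left_id, right_id, psk) tuples from ipsec.secrets-style text."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        m = PSK_LINE.match(line)
        if m:
            entries.append(m.groups())
    return entries


def psk_weaknesses(psk, min_len=20):
    """List reasons a PSK would fall quickly to an offline attack (empty = no finding)."""
    reasons = []
    if psk in WEAK_WORDS:
        reasons.append("in wordlist")
    if len(psk) < min_len:
        reasons.append(f"shorter than {min_len} chars")
    classes = sum(bool(re.search(p, psk)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    return reasons


def audit(text):
    """Map each 'left right' ID pair to the weaknesses found in its PSK."""
    return {f"{left} {right}": psk_weaknesses(psk) for left, right, psk in parse_secrets(text)}


if __name__ == "__main__":
    for ids, reasons in audit(SAMPLE_SECRETS).items():
        print(ids, "WEAK: " + ", ".join(reasons) if reasons else "ok")
```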
Before attempting to connect to the host you’ll need to restart the service, i.e. /etc/init.d/ipsec restart.
It’s then possible to initiate the VPN connection using the command as shown in the following screenshot.
If the connection has been successful you’ll see the ‘IPsec SA established’ message as highlighted above. If things don’t go as planned, the following may help:
- 022 “vpn”: We cannot identify ourselves with either end of this connection – This means that your IP address is not the same as specified in the ipsec.conf file. Either change your address, or change the value in the file (the default for the client is set as 192.168.0.11).
- 021 no connection named “xxxx” – The name of the connection is not as specified in ipsec.conf, i.e. vpn (the default for this challenge).
- STATE_AGGR_I1: INVALID_HASH_INFORMATION – This error indicates that the hash information in ipsec.secrets is incorrect. Ensure you enter the PSK as previously obtained.
After any changes, make sure you restart the ipsec service.