Expressway HackTheBox Easy Linux Box Writeup

Overview

Expressway is an Easy-rated Linux machine on HackTheBox that takes you off the beaten path of typical web enumeration and into the world of VPN protocols. The box centers around IKE/ISAKMP, the protocol behind IPsec VPNs, and chains a PSK hash crack with a recent sudo privilege escalation vulnerability. A refreshingly different box compared to the usual web app fare.


Enumeration

An initial Nmap TCP scan reveals only one open port: SSH (22) running OpenSSH 10.0p2 on Debian. Standard web enumeration comes up completely empty, which is the first hint that this box lives somewhere else entirely.

Switching to a UDP scan opens things up considerably:

  • 69/udp — TFTP
  • 500/udp — ISAKMP (Internet Security Association and Key Management Protocol)
  • 4500/udp — NAT-T IKE (NAT traversal for IPsec)

The presence of ISAKMP on port 500 is the key signal here. This is the handshake protocol used to negotiate IPsec VPN connections. It is a relatively uncommon attack surface in HTB boxes, which is exactly what makes it a great learning opportunity.


IKE Enumeration with ike-scan

The right tool for ISAKMP enumeration is ike-scan. Running it in Aggressive Mode against the target returns a full handshake, leaking two important pieces of information: the peer's identity and a hash derived from the pre-shared key.

Aggressive Mode IKE is notoriously verbose. Unlike Main Mode, it transmits the identity in cleartext and also returns a hash of the Pre-Shared Key (PSK), making it vulnerable to offline cracking.
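From the defender's side, the same property that makes Aggressive Mode leaky also makes it easy to spot on the wire: the exchange type is a single byte in the fixed ISAKMP header, so a sensor can flag any Aggressive Mode negotiation without decoding payloads. The following is an added example, not code from the writeup or from ike-scan; it parses the 28-byte ISAKMP header (RFC 2408) from a UDP datagram, strips the 4-byte non-ESP marker used by NAT-T on port 4500 (RFC 3948), and reports Aggressive Mode exchanges. The sample datagrams at the bottom are constructed for the demonstration, with arbitrary SPI values.

```python
import struct

# Exchange types from RFC 2408 (IKEv1) and RFC 7296 (IKEv2)
EXCHANGE_TYPES = {
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
    34: "IKE_SA_INIT (IKEv2)",
    35: "IKE_AUTH (IKEv2)",
}

ISAKMP_HEADER_LEN = 28          # fixed header size in bytes
NAT_T_NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix on UDP/4500 IKE packets
AGGRESSIVE_MODE = 4


def strip_nat_t_marker(payload: bytes, dst_port: int) -> bytes:
    """On UDP/4500, IKE packets carry a 4-byte zero marker before the header."""
    if dst_port == 4500 and payload.startswith(NAT_T_NON_ESP_MARKER):
        return payload[4:]
    return payload


def parse_isakmp_header(payload: bytes) -> dict:
    """Decode the fixed ISAKMP header: SPIs, version, exchange type, flags, length."""
    if len(payload) < ISAKMP_HEADER_LEN:
        raise ValueError("datagram shorter than an ISAKMP header")
    (init_spi, resp_spi, next_payload, version, exch_type,
     flags, msg_id, length) = struct.unpack("!QQBBBBII", payload[:ISAKMP_HEADER_LEN])
    return {
        "initiator_spi": f"{init_spi:016x}",
        "responder_spi": f"{resp_spi:016x}",
        "next_payload": next_payload,
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "exchange_type": exch_type,
        "exchange_name": EXCHANGE_TYPES.get(exch_type, f"unknown({exch_type})"),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def is_aggressive_mode(payload: bytes, dst_port: int = 500) -> bool:
    """True when the datagram is an IKEv1 Aggressive Mode exchange."""
    hdr = parse_isakmp_header(strip_nat_t_marker(payload, dst_port))
    return hdr["major_version"] == 1 and hdr["exchange_type"] == AGGRESSIVE_MODE


def scan_datagrams(datagrams) -> list:
    """Return one alert string per Aggressive Mode datagram in (src, dst_port, payload) tuples."""
    alerts = []
    for src, dst_port, payload in datagrams:
        try:
            if is_aggressive_mode(payload, dst_port):
                hdr = parse_isakmp_header(strip_nat_t_marker(payload, dst_port))
                alerts.append(f"{src} -> udp/{dst_port}: IKEv1 Aggressive Mode "
                              f"(initiator SPI {hdr['initiator_spi']})")
        except ValueError:
            continue  # not ISAKMP; ignore
    return alerts


def build_header(exch_type: int, init_spi: int, resp_spi: int = 0, length: int = 28) -> bytes:
    """Build a constructed ISAKMP v1.0 header for testing (not a real capture)."""
    return struct.pack("!QQBBBBII", init_spi, resp_spi, 1, 0x10, exch_type, 0, 0, length)


# Constructed samples: an Aggressive Mode initiator packet, a Main Mode one,
# and an Aggressive Mode packet wrapped in the NAT-T marker on port 4500.
SAMPLE_AGGRESSIVE = build_header(AGGRESSIVE_MODE, 0x1122334455667788, length=300)
SAMPLE_MAIN_MODE = build_header(2, 0x0a0b0c0d0e0f1011, length=160)
SAMPLE_NAT_T = NAT_T_NON_ESP_MARKER + build_header(AGGRESSIVE_MODE, 0xdeadbeefcafef00d, length=300)
SAMPLE_DATAGRAMS = [
    ("10.10.14.5", 500, SAMPLE_AGGRESSIVE),
    ("10.10.14.6", 500, SAMPLE_MAIN_MODE),
    ("10.10.14.7", 4500, SAMPLE_NAT_T),
    ("10.10.14.8", 69, b"\x00\x01flag.txt\x00octet\x00"),  # TFTP RRQ, not ISAKMP
]

if __name__ == "__main__":
    for line in scan_datagrams(SAMPLE_DATAGRAMS):
        print(line)
```

The header check alone is enough to alert on; because ike-scan's Aggressive Mode probe sets a zero responder SPI, pairing this with "responder SPI == 0" isolates first-packet probes from an already-established negotiation, which is useful for spotting scanners against a gateway that is supposed to accept only Main Mode.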

Running ike-scan again with the -P flag dumps the raw PSK parameters to a file.


Cracking the PSK

With the PSK hash captured, psk-crack (which ships alongside ike-scan) can be pointed at a wordlist. Running it against rockyou.txt cracks the hash in under 20 seconds, revealing the pre-shared key.

This gives us valid SSH credentials for the ike user, and logging in yields the user flag.


Privilege Escalation — CVE-2025-32463

Post-exploitation enumeration with LinPEAS doesn't surface anything obvious at first glance. sudo -l prompts for a password rather than revealing any passwordless rules.

The key detail is the sudo version: 1.9.17, which is vulnerable to CVE-2025-32463, a relatively recent privilege escalation bug. A working proof-of-concept is publicly available on GitHub.
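Checking a sudo version against an advisory by eye is error-prone because of the "p" patch suffix: a plain string comparison puts "1.9.17p1" after "1.9.17" but also "1.9.9" after "1.9.17". The following is an added example, not code from the writeup or from the sudo project; it parses the output of `sudo --version` into a comparable tuple and reports whether the installed build falls inside an affected range. The range boundaries are assumptions supplied by the reader from the upstream advisory; the defaults used here (first affected 1.9.14, fixed in 1.9.17p1) are from my own reading of the sudo release notes, not from the writeup, which only states that 1.9.17 is vulnerable.

```python
import re
import subprocess

# Range boundaries are assumptions to confirm against the sudo advisory for
# CVE-2025-32463; the page itself only states that 1.9.17 is affected.
FIRST_AFFECTED = "1.9.14"
FIXED_IN = "1.9.17p1"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> tuple:
    """Turn 'Sudo version 1.9.17p1' (or just '1.9.17') into (1, 9, 17, 1).

    A missing patch level is treated as 0, so 1.9.17 sorts before 1.9.17p1.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no sudo version found in: {text!r}")
    major, minor, rel, patch = match.groups()
    return (int(major), int(minor), int(rel), int(patch) if patch else 0)


def is_affected(version_text: str, first_affected: str = FIRST_AFFECTED,
                fixed_in: str = FIXED_IN) -> bool:
    """True when first_affected <= installed < fixed_in."""
    installed = parse_sudo_version(version_text)
    return parse_sudo_version(first_affected) <= installed < parse_sudo_version(fixed_in)


def installed_sudo_version() -> str:
    """Read the first line of `sudo --version` on this host (no privileges needed)."""
    result = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False)
    return result.stdout.splitlines()[0] if result.stdout else ""


if __name__ == "__main__":
    banner = installed_sudo_version()
    if not banner:
        print("sudo not found or produced no output")
    else:
        verdict = "AFFECTED" if is_affected(banner) else "not affected"
        print(f"{banner}: {verdict} (range {FIRST_AFFECTED} <= v < {FIXED_IN})")
```

The same parser applies to a fleet inventory: feed it the banner collected from each host and the tuple comparison sorts patched and unpatched builds correctly, which a lexicographic sort of the raw strings will not.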

Dropping the PoC into /tmp/ and executing it yields a root shell, and the root flag is collected.


Key Takeaways

  • UDP scanning matters. A TCP-only scan would have left this box completely opaque. Always run a UDP scan, especially when TCP comes up nearly empty.
  • IKE Aggressive Mode is a known weakness. Real-world VPN deployments that use PSK authentication with Aggressive Mode enabled are vulnerable to the exact same offline cracking attack demonstrated here. Main Mode with certificates is the secure alternative.
  • Sudo version awareness. Checking the exact version of sudo (and other SUID binaries) during privilege escalation is a habit worth building.

All in all, this box was a little infuriating because of the UDP scan (which embarrassingly took me far too long to realize was the way forward). The sudo vulnerability also took me a very long time to find as it is quite an uncommon attack vector.