# HTB-Expressway

A TCP scan of this machine shows only port 22, which looks very strange. A UDP scan turns up port 500.

A Google search led me to the HackTricks page on IPsec/IKE VPN pentesting: [this link](https://book.hacktricks.wiki/en/network-services-pentesting/ipsec-ike-vpn-pentesting.html) (older mirror: https://angelica.gitbook.io/hacktricks/network-services-pentesting/ipsec-ike-vpn-pentesting). It explains IPsec and how to test it.

First I will scan for IPsec VPN services.

After the scan I have some information:
* An IKE (Internet Key Exchange) service is active
* XAUTH (Extended Authentication) is supported, which usually means username/password authentication
* Dead Peer Detection v1.0 is supported

Let's identify the VPN vendor and configuration.

The gateway returns the identity ike@expressway.htb, so the domain is expressway.htb. Add it to /etc/hosts.

I extract the VPN group name and the hash; the authentication method here is PSK.
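From the defender's side, the scan results above are exactly what an inventory check should flag: aggressive mode with PSK, an identity handed out before authentication, XAUTH, and the offered algorithms. The parser below is an added example (not part of this writeup and not a HackTricks tool) that turns ike-scan handshake lines into structured findings. The sample output is constructed in ike-scan's line format; the cookie, SA parameters and lifetimes are placeholders, not values captured from the box.

```python
import re

# Constructed ike-scan output in the tool's line format.  The cookie, SA
# parameters and lifetime are demo values, not a capture from the machine.
SAMPLE_IKE_SCAN = (
    "Starting ike-scan 1.9.5 with 1 hosts\n"
    "10.10.11.87\tAggressive Mode Handshake returned "
    "HDR=(CKY-R=0011223344556677) "
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK "
    "LifeType=Seconds LifeDuration=28800) "
    "KeyExchange(128 bytes) Nonce(32 bytes) "
    "ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) "
    "VID=09002689dfd6b712 (XAUTH) "
    "VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) "
    "Hash(20 bytes)\n"
    "\nEnding ike-scan 1.9.5: 1 hosts scanned\n"
)

WEAK_ENC = {"DES", "3DES"}
WEAK_GROUPS = {"1:modp768", "2:modp1024"}


def parse_ike_scan(output):
    """Turn each 'Main/Aggressive Mode Handshake returned' line into a dict
    with the responder IP, phase-1 mode, SA attributes, identity and vendor IDs."""
    hosts = []
    for line in output.splitlines():
        m = re.match(r"(\S+)\s+(Main|Aggressive) Mode Handshake returned (.*)", line)
        if not m:
            continue
        ip, mode, rest = m.groups()
        sa = {}
        sa_match = re.search(r"SA=\(([^)]*)\)", rest)
        if sa_match:
            # "Enc=3DES Hash=SHA1 ..." -> {"Enc": "3DES", "Hash": "SHA1", ...}
            sa = dict(kv.split("=", 1) for kv in sa_match.group(1).split())
        id_match = re.search(r"ID\(Type=([^,]+), Value=([^)]+)\)", rest)
        vendor = re.findall(r"VID=[0-9a-f]+ \(([^)]+)\)", rest)
        hosts.append({
            "host": ip,
            "mode": mode,
            "sa": sa,
            "identity": id_match.groups() if id_match else None,
            "vendor_ids": vendor,
        })
    return hosts


def assess_gateway(entry):
    """Rate one parsed gateway; the ordering puts the most serious item first."""
    findings = []
    sa, vids = entry["sa"], entry["vendor_ids"]
    if entry["mode"] == "Aggressive" and sa.get("Auth") == "PSK":
        findings.append("HIGH: aggressive mode with PSK; the PSK-derived hash is sent to "
                        "an unauthenticated peer, so a weak PSK can be guessed offline")
    if entry["identity"]:
        findings.append(f"MEDIUM: identity {entry['identity'][1]} disclosed before authentication")
    if sa.get("Enc") in WEAK_ENC:
        findings.append(f"MEDIUM: weak cipher {sa['Enc']} offered")
    if sa.get("Group") in WEAK_GROUPS:
        findings.append(f"MEDIUM: weak DH group {sa['Group']} offered")
    if any(v.startswith("XAUTH") for v in vids):
        findings.append("INFO: XAUTH offered; the group PSK is only the first factor, user passwords follow")
    if any("Dead Peer Detection" in v for v in vids):
        findings.append("INFO: Dead Peer Detection supported")
    return findings


def audit(output):
    """Map each responder IP to its list of findings."""
    return {e["host"]: assess_gateway(e) for e in parse_ike_scan(output)}


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_IKE_SCAN).items():
        print(host)
        for f in findings:
            print("  ", f)
```

On a real network the input would be the output of `ike-scan -A` against your own gateways; a gateway that only answers Main Mode, or that uses IKEv2 with certificates, produces no HIGH finding here, which is the configuration to aim for.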

I crack the hash with psk-crack and get the PSK for ike@expressway.htb: `freakingrockstarontheroad`

I verified the cracked PSK by running `ike-scan --psk='freakingrockstarontheroad' 10.10.11.87`; the gateway returned a Main Mode Handshake, confirming the PSK is valid.

I SSH in as ike and get the user flag.

There are no sudo permissions here. ike is in the proxy group, so I check what that group can access.

Let's check out /var/spool/squid. In the cache data I found the internal hostname offramp.expressway.htb, which the proxy blocks.

I check the sudo version and find [CVE-2025-32462](https://www.exploit-db.com/exploits/52354).

With the hostname offramp.expressway.htb passed via the -h parameter, I get root permissions.
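For anyone administering a host rather than attacking one, the two conditions behind this escalation are checkable: a sudo build in the affected range (1.8.8 up to and including 1.9.17, fixed in 1.9.17p1) and sudoers rules scoped to a host other than the local one, which the -h option let sudo apply anywhere. The script below is an added example, not part of the writeup and not a sudo-project tool. The `sudo --version` output and the sudoers text are constructed for the demo; the `ike` rule stands in for whatever host-scoped rule the box actually carries, and `expressway` is assumed as the local hostname.

```python
import re

FIRST_AFFECTED = "1.8.8"     # the -h/--host option first shipped in this release
FIXED_VERSION = "1.9.17p1"   # CVE-2025-32462 fixed here
NON_RULE_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Runas_Alias",
                     "@include", "@includedir")

# Constructed `sudo --version` output and sudoers text; neither is taken from
# the machine.  The ike line stands in for a host-scoped rule of the same shape.
SAMPLE_VERSION_OUTPUT = "Sudo version 1.9.17\nSudoers policy plugin version 1.9.17\n"
SAMPLE_SUDOERS = """\
Defaults        env_reset
Host_Alias      GATEWAYS = offramp.expressway.htb, offramp2.expressway.htb
root            ALL=(ALL:ALL) ALL
%admin          ALL=(ALL) ALL
ike             offramp.expressway.htb=(ALL) ALL
deploy          GATEWAYS=(root) /usr/bin/systemctl restart squid
"""


def version_tuple(version):
    """'1.9.15p5' -> (1, 9, 15, 5); a missing 'pN' suffix counts as p0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def sudo_version_from_output(output):
    """Pull the version string out of `sudo --version` output."""
    m = re.search(r"^Sudo version (\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    return m.group(1)


def version_is_affected(version):
    """True for 1.8.8 <= version < 1.9.17p1."""
    v = version_tuple(version)
    return version_tuple(FIRST_AFFECTED) <= v < version_tuple(FIXED_VERSION)


def foreign_host_rules(sudoers_text, local_hostname):
    """Return (user, host, spec) for every rule whose host list names a host
    other than ALL or this machine.  Host_Alias entries are expanded; comments,
    Defaults and the other alias kinds are skipped."""
    aliases = {}
    findings = []
    local = {"ALL", "localhost", local_hostname, local_hostname.split(".")[0]}
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(NON_RULE_PREFIXES):
            continue
        alias = re.match(r"Host_Alias\s+(\w+)\s*=\s*(.+)", line)
        if alias:
            aliases[alias.group(1)] = [h.strip() for h in alias.group(2).split(",")]
            continue
        rule = re.match(r"(\S+)\s+([^=]+?)\s*=\s*(.+)", line)   # user HOSTS=(runas) cmds
        if not rule:
            continue
        user, hosts, spec = rule.groups()
        for host in hosts.split(","):
            host = host.strip().lstrip("!")
            for name in aliases.get(host, [host]):
                if name not in local:
                    findings.append((user, name, spec))
    return findings


def assess(version_output, sudoers_text, local_hostname):
    """Combine both conditions: exposed only if the build is affected AND
    host-scoped rules exist for other hosts."""
    version = sudo_version_from_output(version_output)
    affected = version_is_affected(version)
    rules = foreign_host_rules(sudoers_text, local_hostname)
    return {"version": version, "affected_version": affected,
            "foreign_host_rules": rules, "exposed": affected and bool(rules)}


if __name__ == "__main__":
    # On a real host feed it `sudo --version` output and the contents of
    # /etc/sudoers plus /etc/sudoers.d/* (readable as root only).
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_SUDOERS, "expressway"))
```

The fix is to upgrade to 1.9.17p1 or later; independently of the patch, rules that only make sense on another host are worth removing from a file that is deployed on this one.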
