---
# System prepended metadata

title: HTB-Expressway
tags: [HackTheBox]

---

# HTB-Expressway
![image](https://hackmd.io/_uploads/HypAEI9Rge.png)
The machine has only port 22 open, which looks very strange. I scanned UDP as well and found port 500.
![image](https://hackmd.io/_uploads/HJMXwLqAee.png)
I searched Google and found [this link](https://book.hacktricks.wiki/en/network-services-pentesting/ipsec-ike-vpn-pentesting.html). It covers IPsec and how to pentest it.
https://angelica.gitbook.io/hacktricks/network-services-pentesting/ipsec-ike-vpn-pentesting
First I will scan for IPsec VPN services.
![image](https://hackmd.io/_uploads/rkIUiUcCge.png)
After the scan I got some information:
* IKE (Internet Key Exchange) service is active
* XAUTH (Extended Authentication) support - usually uses username/password
* Supports Dead Peer Detection v1.0

Let’s identify the VPN vendor and configuration.
![image](https://hackmd.io/_uploads/SJE5s85Clx.png)
I got `ike@expressway.htb`, which tells me the domain is expressway.htb, so I add these to /etc/hosts.
I extract the VPN group name and hash; this one uses a PSK.
![image](https://hackmd.io/_uploads/BJjgCI5Rxl.png)
I use psk-crack to crack the hash and get the password for `ike@expressway.htb`: `freakingrockstarontheroad`
![image](https://hackmd.io/_uploads/rkqf1P5Cxe.png)
I verified the cracked PSK by running `ike-scan --psk='freakingrockstarontheroad' 10.10.11.87`. The gateway returned a Main Mode handshake, confirming the PSK is valid.
![image](https://hackmd.io/_uploads/rJehgD5Axe.png)
I SSH in with the ike account and get the user flag.
![image](https://hackmd.io/_uploads/rkcCev9Axe.png)
There are no sudo permissions here. ike is in the proxy group, so I check the permissions that group has.
![image](https://hackmd.io/_uploads/HJwPbv5Axg.png)
Let’s check out /var/spool/squid. I found an internal hostname, offramp.expressway.htb, blocked by the proxy.
![image](https://hackmd.io/_uploads/HJuhZDq0lx.png)
I check the sudo version and find [CVE-2025-32462](https://www.exploit-db.com/exploits/52354).
![image](https://hackmd.io/_uploads/ryS6zw90xl.png)
With the hostname offramp.expressway.htb and the `-h` parameter I can get root permissions.
![image](https://hackmd.io/_uploads/rymZEP9Reg.png)
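CVE-2025-32462 matters only when sudoers contains rules written for a host other than the local one, because `-h` lets those rules be applied locally. The following is an added example (not part of the original write-up) that audits a sudoers file for such host-restricted rules; the sudoers text, the helper names and the local hostname `gateway` are constructed assumptions, and the parser handles only the common single-line rule forms.

```python
import re

# Constructed sample sudoers text; it is not the file from the machine above.
SAMPLE_SUDOERS = r"""
Defaults env_reset
Host_Alias BUILD = build01.example.internal, \
                   build02.example.internal
root    ALL = (ALL:ALL) ALL
%admin  ALL = (ALL) ALL
ike     offramp.expressway.htb = (root) NOPASSWD: ALL
deploy  BUILD = (root) /usr/bin/systemctl restart app
backup  gateway = (root) /usr/bin/rsync
"""

SKIP = ("Defaults", "Host_Alias", "User_Alias", "Runas_Alias", "Cmnd_Alias", "Cmd_Alias")

def logical_lines(text):
    """Join backslash continuations; drop blank lines, comments and #include lines."""
    for raw in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def host_aliases(lines):
    """Map each Host_Alias name to its member hosts (one alias per line assumed)."""
    aliases = {}
    for line in lines:
        if line.startswith("Host_Alias"):
            name, hosts = line[len("Host_Alias"):].split("=", 1)
            aliases[name.strip()] = [h.strip() for h in hosts.split(",")]
    return aliases

def remote_host_rules(text, local_names):
    """Return (users, host, rule) for rules bound to a host that is not this machine."""
    lines = list(logical_lines(text))
    aliases = host_aliases(lines)
    local = {n.lower() for n in local_names} | {"all"}
    findings = []
    for line in lines:
        if line.startswith(SKIP) or "=" not in line:
            continue
        left, rest = line.split("=", 1)
        parts = re.sub(r"\s*,\s*", ",", left.strip()).split()
        if len(parts) != 2:          # not a plain "users hosts = ..." rule
            continue
        users, hosts = parts
        for h in hosts.split(","):
            for host in aliases.get(h, [h]):   # expand Host_Alias names
                if host.lower() not in local:
                    findings.append((users, host, rest.strip()))
    return findings
```

Any rule it reports should be removed from machines it does not apply to, and sudo should be updated to a release that restricts `-h` to listing privileges.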










