HTB Expressway

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://0xdf.gitlab.io/2026/03/07/htb-expressway.html
• Blog Title: HTB: Expressway
• Suggested Section: Network Services Pentesting -> 500/udp - Pentesting IPsec/IKE VPN (Aggressive Mode PSK cracking with ike-scan/hashcat) AND Linux Privilege Escalation -> Sudo (add/update pages for CVE-2025-32463 --chroot/NSS injection and CVE-2025-32462 hostname spoofing -h bypass)

🎯 Content Summary

This post is a technical walkthrough of the Hack The Box machine Expressway (Linux). The exposed remote attack surface is essentially SSH (TCP/22) and IKE/IPsec (UDP/500), with a later-discovered TFTP service (UDP/69) that is hard to fingerprint with nmap and offers no directory listing. Initial access is achieved by abusing IKE Aggressive Mode to leak the VPN identity and capture a crackable IKE-PSK (SHA1) handshake, cracking it with hashcat (mode 54...

🔧 Technical Details

IKE Aggressive Mode reconnaissance can leak a VPN identity pre-authentication because the server must receive the identity early to select the correct PSK when multiple groups/users exist; unlike Main Mode (6 packets) where identity is encrypted later, Aggressive Mode (3 packets) sends identity in the first exchange. Using ike-scan -A plus --pskcrack=<file> captures an IKE-PSK SHA1 handshake that can be cracked offline with hashcat (auto-detected as mode 5400) to recover the PSK; if credentials are reused, the PSK may also authenticate to other services like SSH.

🎁 PoC / CVE-2025-32463: When sudo --chroot enters an attacker-controlled root before policy evaluation completes (affected 1.9.14–1.9.17), glibc can read an attacker-supplied /etc/nsswitch.conf inside the chroot and load attacker-chosen NSS modules as root. By setting passwd: /NAME in the chrooted nsswitch.conf</code...

🤖 Agent Actions

Summary

• Added an Aggressive Mode identity-leak note with ike-scan -A and hashcat -m 5400 cracking workflow in the IPsec/IKE pentesting page, plus PSK reuse reminder and blog reference.
• Added a concise CVE-2025-32462 host-based sudoers bypass section (conditions, sudoers example, sudo -h usage) in the Linux privilege escalation page and appended the blog reference.

Files Updated

• src/network-services-pentesting/ipsec-ike-vpn-pentesting.md
• src/linux-hardening/privilege-escalation/README.md

Notes

• Tests not run (doc-only changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/03/07/htb-expressway.html

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> 500/udp - Pentesting IPsec/IKE VPN (Aggressive Mode PSK cracking with ike-scan/hashcat) AND Linux Privilege Escalation -> Sudo (add/update pages for CVE-2025-32463 --chroot/NSS injection and CVE-2025-32462 hostname spoofing -h bypass)".

Repository Maintenance:

• MD Files Formatting: 954 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0