A walkthrough of the HackTheBox machine 'Expressway', a Linux box exposing SSH and an IKE VPN service. The attack chain starts with ike-scan in aggressive mode to leak the VPN identity and capture a pre-shared key hash, which hashcat cracks in seconds. The cracked PSK doubles as SSH credentials. For privilege escalation, two sudo CVEs are demonstrated: CVE-2025-32463 (chroot option loads attacker-controlled nsswitch.conf and malicious shared library) and CVE-2025-32462 (hostname spoofing via -h flag bypasses sudoers host restrictions). A bonus section covers connecting to the IPSec VPN with strongSwan and examining the sudoers config that enabled the exploits.