0xdfExpressway from HackTheBox features IKE Aggressive Mode identity leaking and PSK cracking for SSH access. Privesc is CVEs in sudo. I'll show both hostname spoofing to bypass host-based sudoers rules, and chroot abuse via a malicious NSS library.
HTB: Expressway
Expressway is a Linux box with only SSH and an IKE VPN service on UDP. I’ll use ike-scan in aggressive mode to leak the VPN identity and capture a pre-shared key hash, which cracks quickly with hashcat. Connecting to the IPSEC VPN doesn’t provide any additional attack surface, but the PSK works for SSH access. For privilege escalation, I’ll show exploitation of two different CVEs in sudo. In Beyond Root, I’ll look at the sudo config that allowed one of the exploits and show how to connect to the IPSec VPN with strongSwan.