Platform: Hack The Box

Season: 9

Difficulty: Easy

OS: Linux

Date: 2025-10-27

Author: x4cc3

Executive Summary

Expressway is an Easy Linux machine with only UDP port 500 (ISAKMP/IPsec VPN) exposed. ike-scan in aggressive mode captures the PSK hash. Cracking reveals the SSH password. The sudo version is vulnerable to CVE-2021-3156 for root.

Recon — UDP Scan

Port Service
500/udp ISAKMP

UDP scan results

UDP scan results

Nmap scan

Nmap scan

Exploitation

PSK Hash Capture

IKE research

IKE research

PSK hash cracked

PSK hash cracked

sudo ike-scan -A 10.10.11.87 --id=test -P aggressive.txt
hashcat -m 5400 psk.txt /usr/share/wordlists/rockyou.txt

The cracked PSK was the SSH password.

Privilege Escalation