{"id":554,"date":"2026-01-01T21:56:21","date_gmt":"2026-01-01T21:56:21","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=554"},"modified":"2026-01-01T21:57:40","modified_gmt":"2026-01-01T21:57:40","slug":"expressway-hackthebox-lab","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=554","title":{"rendered":"Expressway- Hackthebox lab"},"content":{"rendered":"\n

I began this lab by running Nmap<\/strong> to identify open TCP and UDP ports on the target system. During the scan, I noticed that UDP port 500<\/strong> was open, which immediately suggested the presence of an IPsec\/IKE VPN<\/strong> service.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Given the open UDP 500 port, I decided to enumerate the service for common IPsec\/IKE weaknesses. I used ike-scan<\/strong> to probe the service and successfully received an Aggressive Mode<\/strong> response. This response revealed both a domain name and a valid username: ike<\/code>.<\/p>\n\n\n\n

Unfortunately, I forgot to capture a screenshot of this output. Afterward, I downgraded to the Hack The Box free tier, which meant I no longer had access to machine resets, preventing me from re-running the scan successfully. Lesson learned\u2014always take screenshots immediately. I may update this post later if I\u2019m able to reproduce the output.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Despite this, I was able to exfiltrate the IKE handshake<\/strong> and save it to a file for offline analysis.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Cracking the Pre-Shared Key<\/strong><\/p>\n\n\n\n

Using the captured handshake, I ran psk-crack<\/strong>, which successfully recovered the pre-shared key<\/strong> associated with the ike<\/code> user. With valid credentials in hand, I attempted an SSH login and was able to authenticate successfully as the ike<\/code> user.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Privilege Escalation Enumeration<\/p>\n\n\n\n

Once logged in, I transferred linPEAS<\/strong> to the target system and ran it to enumerate potential privilege escalation vectors. One result immediately stood out: the installed sudo version<\/strong> appeared to be vulnerable.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

I researched local privilege escalation exploits for the identified sudo version and found a promising entry on Exploit Database<\/strong>.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Exploit Title:<\/strong> Sudo chroot 1.9.17 \u2013 Local Privilege Escalation
Exploit Author:<\/strong> Stratascale
Date:<\/strong> Mon, 30 Jun 2025
CVE:<\/strong> CVE-2025-32463
Affected Versions:<\/strong> Sudo 1.9.14 to 1.9.17 (inclusive)<\/p>\n\n\n\n

Vulnerability Details<\/p>\n\n\n\n

Background<\/h3>\n\n\n\n

This vulnerability abuses sudo\u2019s -R<\/code> (--chroot<\/code>) option. Although the option is intended to allow execution within a user-specified root directory (when permitted by sudoers), a change introduced in sudo 1.9.14 caused paths to be resolved inside the user-controlled chroot<\/strong> before<\/em> sudoers evaluation was complete.<\/p>\n\n\n\n

An attacker can exploit this behavior by crafting a malicious nsswitch.conf<\/code> inside the chroot environment, tricking sudo into loading an arbitrary shared library and ultimately executing code as root.<\/p>\n\n\n\n

The issue was reverted in sudo 1.9.17p1, and the chroot feature has since been deprecated and is slated for removal in a future release due to its inherent risk.<\/p>\n\n\n\n

Exploit Overview<\/h3>\n\n\n\n

The exploit works by:<\/p>\n\n\n\n

    \n
  • Spawning a root shell.<\/li>\n<\/ul>\n\n\n\n
      \n
    • Creating a temporary chroot directory.<\/li>\n<\/ul>\n\n\n\n
        \n
      • Injecting a malicious nsswitch.conf<\/code>.<\/li>\n<\/ul>\n\n\n\n
          \n
        • Compiling a rogue libnss<\/code> shared object.<\/li>\n<\/ul>\n\n\n\n
            \n
          • Triggering sudo with the -R<\/code> option to load the malicious library.<\/li>\n<\/ul>\n\n\n\n

            Since the system was vulnerable, I copied and executed the proof-of-concept exploit script.<\/p>\n\n\n\n

            \"\"<\/figure>\n\n\n\n

            Result<\/h3>\n\n\n\n

            Running the exploit successfully escalated my privileges to root<\/strong>, completing the box.<\/p>\n","protected":false},"excerpt":{"rendered":"

            I began this lab by running Nmap to identify open TCP and UDP ports on the target system. During the scan, I noticed that UDP port 500 was open, which immediately suggested the presence of an IPsec\/IKE VPN service. Given the open UDP 500 port, I decided to enumerate the […]<\/p>\n","protected":false},"author":1,"featured_media":565,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-554","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-pentesting"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/554","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=554"}],"version-history":[{"count":1,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/554\/revisions"}],"predecessor-version":[{"id":564,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/554\/revisions\/564"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/media\/565"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=554"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}