Hack The Box : Expressway

Hi guys.

Today I will do a simple writeup on the Hack The Box machine which is now retired named 'Expressway'. It is an Easy difficulty machine. I did this box during active period and since it is retired, I decided to put it here.

1) First step is to always nmap the box to search for open ports. the usual command that I use is nmap -sS -sV -sC -o <name of file>.txt <ip>


Initial scan shows nothing. In this case, it is always good to check UDP ports as well.

2) Scanning for UDP ports


Now we see some open port. From a quick Google search, it is found that port 500 is for IPSec.

"IPsec is widely recognized as the principal technology for securing communications between networks (LAN-to-LAN) and from remote users to the network gateway (remote access), serving as the backbone for enterprise VPN solutions."

Upon further research, I stumbled upon a useful blog on how to exploit IPSec.


The blog explain about basic info on IPSec and how to approach it.

3) Using ike-scan to get PSK.


Now I got the PSK. Time to crack it.

4) Cracking PSK.


5) Using the cracked PSK as SSH credential. We already know the user ike@expressway.htb from ike-scan. We can use the cracked credential and user found for SSH login.


Now we managed to login as ike. 

6) Running sudo -l to check for priv but nothing. Checking sudo version for potential exploit on version.



Found the current version of sudo is vulnerable.

7) Set the necessary permission and run it. BOOM you are now root.  



As per the description on the box, it is an Easy box. Much easier than my previous writeup for Dog. Straightforward and easy to understand on what are the exploit and how to exploit it. That's it for today. Peace.











Comments

Post a Comment

Popular posts from this blog

Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form.

Image
Hi All, Today I will share POC on vulnerability found during pentest. As per the title, I recently found SQL Injection vulnerability on a thick client.  To read more about thick client, click here :  https://techterms.com/definition/thickclient Thick clients, also called heavy clients, are full-featured computers that are connected to a network.  While a thick client is fully functional without a network connection, it is only a "client" when it is connected to a server. The server may provide the thick client with programs and files that are not stored on the local machine's hard drive.   Exploit Title:   Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form. Details & Description :   SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly pl...
Read more

Setting up MobSF in Ubuntu 18.04

Image
Hi guys, It's been a while since I last updated the blog. Been busy. So, for today I will be giving guide on how to setup MobSF in Ubuntu 18.04 . There is a lot of guide out there about how to setup MobSF. I'm here to give out step by step guide to set it up as per my own experience. The main reason of using Ubuntu 18.04 is because it has a built-in Python 3.6 and pip3 version 9.0.1 which is the requirements to setup MobSF. It's pretty much simplify the process of setting up MobSF. *Note that this is a guide to setup MobSF for static analysis. For dynamic analysis, you can refer to MobSF page in github. MobSF also known as Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing. Can further read about MobSF here:  https://github.com/MobSF/Mobile-Security-Framework-MobSF For Ubuntu 18.04 can be downloaded ...
Read more

Cert-Fixer : Simplify your CA certificates installation

Image
Hi guys, It's me again. Today I'm writing to share on a module which would help starts your journey in  Mobile Application Penetration Testing.  As of year 2025, most of the application would require at least Android 10 version. That means most of the old phone you have would be out from being converted into a testing device. The thing about older android version is that, it is much easier to install a user certificate. Easier way to install user certificate means easier way to setup your Android testing device. Starting from Android 11 , the setup become much harder. You can read further below. https://httptoolkit.com/blog/android-11-trust-ca-certificates/ Below blog is the way that I used (super tedious) before to install a user certificate as root level. https://medium.com/@lightbulbr/install-burp-ca-as-a-system-level-trusted-ca-android-11-rooted-physical-device-5542fe96345f For testing purpose, we would need Burpsuite certificate to be installed as root level. Lucky for ...
Read more