Expressway
A TCP scan shows only SSH, but a UDP scan reveals an IKE/IPsec VPN and an unauthenticated TFTP server; the TFTP config leaks a username, an IKE Aggressive Mode scan leaks the Pre-Shared Key hash, and cracking it offline yields an SSH password reused for the user flag.
Overview
Expressway is an easy-difficulty Linux box whose entire foothold lives on UDP. A standard TCP scan finds only OpenSSH and looks like a dead end. Scanning UDP surfaces an IKE/IPsec VPN on 500/udp and an unauthenticated TFTP server on 69/udp. TFTP hands over a Cisco router config containing a username, the IKE service is misconfigured for Aggressive Mode (which leaks a crackable Pre-Shared Key hash), and the cracked PSK has been reused as the SSH password. This post covers recon through the user flag.
Machine Matrix
Enumeration-dominant: UDP scanning reveals IKE/IPsec and TFTP, an Aggressive Mode PSK-hash crack and password reuse for SSH — realistic networking misconfig with no CVE.
Recon
| Port | Service | Notes |
|---|---|---|
| 22/tcp | OpenSSH 10.0p2 | Debian, no creds — dead end |
| 500/udp | isakmp (IKE) | open, IPsec VPN |
| 69/udp | tftp | open|filtered, no auth |
A TCP scan shows only SSH:
1
2
nmap --open -p- 10.10.10.X
nmap -p 22 -sV -sC -Pn 10.10.10.X
22/tcp open ssh OpenSSH 10.0p2 Debian — and with no credentials, that goes nowhere. The interesting surface is on UDP, so scan there next:
1
sudo nmap -sU --top-port=20 10.10.10.X
500/udp (isakmp) comes back open and 69/udp (tftp) **open | filtered**. TFTP is worth enumerating with the tftp-enum script: |
1
sudo nmap -sU -p 69 --script=tftp-enum.nse 10.10.10.X
The script reports a file named ciscortr.cfg sitting on the TFTP server.
Enumeration
TFTP requires no authentication by default, so the config file is simply downloadable:
1
tftp 10.10.10.X -c get ciscortr.cfg
Reading it surfaces two useful facts: a user account named ike, and the target hostname expressway. The rest is routine router config for various networks and interfaces.
1
2
username ike password [redacted]
hostname expressway
500/udp is the Internet Key Exchange (IKE) service, the key-negotiation component of the IPsec VPN framework. The right tool to footprint it is ike-scan. A plain probe shows how the VPN is configured:
1
ike-scan -M 10.10.10.X
The handshake comes back with Auth=PSK, Enc=3DES, Hash=SHA1 — the VPN authenticates with a Pre-Shared Key. That is the opening: an IKE Aggressive Mode exchange leaks a hash derived from the PSK before authentication completes, and that hash can be cracked offline.
Foothold
1 — Capture the PSK hash with an Aggressive Mode scan. ike-scan -A forces Aggressive Mode and --pskcrack writes the leaked PSK hash to a file:
1
ike-scan -M -A --pskcrack=k.hash 10.10.10.X
The output also reveals the VPN identity ([email protected]) and writes k.hash — a string of the form <hash>:<salt...> ready for an offline dictionary attack.
2 — Crack the PSK offline. No further interaction with the server is needed; the hash is cracked entirely locally:
1
hashcat k.hash /usr/share/wordlists/rockyou.txt
It falls to a rockyou.txt entry: freakingrockstarontheroad.
3 — SSH in as ike. The cracked PSK has been reused as the login password for the ike user found earlier in ciscortr.cfg:
1
ssh [email protected]
User flag
With a shell as ike, the user flag is in the home directory:
1
cat /home/ike/user.txt # [redacted]
Foothold complete: UDP enumeration to find IKE/TFTP, an unauthenticated config leak for the username, an Aggressive Mode PSK crack for the password, and password reuse to SSH in.
Privilege escalation is left as an exercise — this post stops at user.