Post

Expressway

A TCP scan shows only SSH, but a UDP scan reveals an IKE/IPsec VPN and an unauthenticated TFTP server; the TFTP config leaks a username, an IKE Aggressive Mode scan leaks the Pre-Shared Key hash, and cracking it offline yields an SSH password reused for the user flag.

Expressway

Overview

Expressway is an easy-difficulty Linux box whose entire foothold lives on UDP. A standard TCP scan finds only OpenSSH and looks like a dead end. Scanning UDP surfaces an IKE/IPsec VPN on 500/udp and an unauthenticated TFTP server on 69/udp. TFTP hands over a Cisco router config containing a username, the IKE service is misconfigured for Aggressive Mode (which leaks a crackable Pre-Shared Key hash), and the cracked PSK has been reused as the SSH password. This post covers recon through the user flag.

Machine Matrix

Enumeration Real-Life CVE Custom Exploitation CTF-like

Enumeration-dominant: UDP scanning reveals IKE/IPsec and TFTP, an Aggressive Mode PSK-hash crack and password reuse for SSH — realistic networking misconfig with no CVE.

Recon

PortServiceNotes
22/tcpOpenSSH 10.0p2Debian, no creds — dead end
500/udpisakmp (IKE)open, IPsec VPN
69/udptftpopen|filtered, no auth

A TCP scan shows only SSH:

1
2
nmap --open -p- 10.10.10.X
nmap -p 22 -sV -sC -Pn 10.10.10.X

22/tcp open ssh OpenSSH 10.0p2 Debian — and with no credentials, that goes nowhere. The interesting surface is on UDP, so scan there next:

1
sudo nmap -sU --top-port=20 10.10.10.X
500/udp (isakmp) comes back open and 69/udp (tftp) **openfiltered**. TFTP is worth enumerating with the tftp-enum script:
1
sudo nmap -sU -p 69 --script=tftp-enum.nse 10.10.10.X

The script reports a file named ciscortr.cfg sitting on the TFTP server.

Enumeration

TFTP requires no authentication by default, so the config file is simply downloadable:

1
tftp 10.10.10.X -c get ciscortr.cfg

Reading it surfaces two useful facts: a user account named ike, and the target hostname expressway. The rest is routine router config for various networks and interfaces.

1
2
username ike password [redacted]
hostname expressway

500/udp is the Internet Key Exchange (IKE) service, the key-negotiation component of the IPsec VPN framework. The right tool to footprint it is ike-scan. A plain probe shows how the VPN is configured:

1
ike-scan -M 10.10.10.X

The handshake comes back with Auth=PSK, Enc=3DES, Hash=SHA1 — the VPN authenticates with a Pre-Shared Key. That is the opening: an IKE Aggressive Mode exchange leaks a hash derived from the PSK before authentication completes, and that hash can be cracked offline.

Foothold

1 — Capture the PSK hash with an Aggressive Mode scan. ike-scan -A forces Aggressive Mode and --pskcrack writes the leaked PSK hash to a file:

1
ike-scan -M -A --pskcrack=k.hash 10.10.10.X

The output also reveals the VPN identity ([email protected]) and writes k.hash — a string of the form <hash>:<salt...> ready for an offline dictionary attack.

2 — Crack the PSK offline. No further interaction with the server is needed; the hash is cracked entirely locally:

1
hashcat k.hash /usr/share/wordlists/rockyou.txt

It falls to a rockyou.txt entry: freakingrockstarontheroad.

3 — SSH in as ike. The cracked PSK has been reused as the login password for the ike user found earlier in ciscortr.cfg:

User flag

With a shell as ike, the user flag is in the home directory:

1
cat /home/ike/user.txt   # [redacted]

Foothold complete: UDP enumeration to find IKE/TFTP, an unauthenticated config leak for the username, an Aggressive Mode PSK crack for the password, and password reuse to SSH in.

Privilege escalation is left as an exercise — this post stops at user.

This post is licensed under CC BY 4.0 by the author.