HackTheBox Expressway Writeup
HackTheBox Expressway 是一台简单难度的 Linux 机器。本文按照信息收集、初始访问、横向或提权路径的顺序整理完整解题过程,突出关键漏洞点、凭据来源与最终拿到 user/root 或域权限的利用链。
htb expressway
初步枚举


搜索发现没有可利用漏洞
UDP扫描

漏洞利用
echo -e "/usr/share/seclists/Passwords/Leaked-Databases/NordVPN.txt" > groups.txt

-A 使用主动模式(为了获取 PSK 哈希进行破解)
-M 以多行格式显示输出(便于查看完整的握手信息)
—id=@groups.txt 指定身份标识,并从文件读取
-P(f) 我们可以写在这个文件,不填写就直接输出stdout

破解文件得到密码freakingrockstarontheroad
立足点

成功利用账号密码登录
提升权限
运行linpeas.sh看到

sudo -V得到1.9.17
查看网站找到此文章
总而言之就是要找到一个主机
查看id发现我们是proxy组。那我们看看proxy能做什么特殊的事情
find / -group proxy 2>/dev/null

我们查看access的内容,根据经验,如果有主机应该会包含htb

我们尝试一下这个主机 offramp.expressway.htb

可以看到可以使用root
HTB expressway
Initial Enumeration


Search reveals no exploitable vulnerabilities.
UDP Scanning

Exploitation
echo -e "/usr/share/seclists/Passwords/Leaked-Databases/NordVPN.txt" > groups.txt

-A Use active mode (to obtain PSK hash for cracking)
-M Display output in multi-line format (to view complete handshake information)
—id=@groups.txt Specify identity identifier and read from file
-P(f) We can write to this file; if not specified, output goes directly to stdout
Found ike@expressway.htb

Cracked file yields password freakingrockstarontheroad
Foothold

Successfully logged in using the obtained credentials
Privilege Escalation
Running linpeas.sh reveals

sudo -V shows version 1.9.17
Found this article on the website
In summary, the key is to find a host.
Checking id reveals we are in the proxy group. Let’s see what special permissions the proxy group has.
find / -group proxy 2>/dev/null

We examine the contents of access; based on experience, if a host exists, it should contain htb.

We try this host offramp.expressway.htb

We can see that root access is possible.