HackTheBox Expressway Writeup

HackTheBox Expressway 是一台简单难度的 Linux 机器。本文按照信息收集、初始访问、横向或提权路径的顺序整理完整解题过程,突出关键漏洞点、凭据来源与最终拿到 user/root 或域权限的利用链。

htb expressway

初步枚举

image 47.png

image 48.png

搜索发现没有可利用漏洞

UDP扫描

image 49.png


漏洞利用

echo -e "/usr/share/seclists/Passwords/Leaked-Databases/NordVPN.txt" > groups.txt

image 50.png

-A 使用主动模式(为了获取 PSK 哈希进行破解)

-M 以多行格式显示输出(便于查看完整的握手信息)

—id=@groups.txt 指定身份标识,并从文件读取

-P(f) 我们可以写在这个文件,不填写就直接输出stdout

发现ike@expressway.htb

image 51.png

破解文件得到密码freakingrockstarontheroad


立足点

image 52.png

成功利用账号密码登录


提升权限

运行linpeas.sh看到

image 53.png

sudo -V得到1.9.17

查看网站找到此文章

总而言之就是要找到一个主机

查看id发现我们是proxy组。那我们看看proxy能做什么特殊的事情

find / -group proxy 2>/dev/null

image 54.png

我们查看access的内容,根据经验,如果有主机应该会包含htb

image 55.png

我们尝试一下这个主机 offramp.expressway.htb

image 56.png

可以看到可以使用root

HTB expressway

Initial Enumeration

image 47.png

image 48.png

Search reveals no exploitable vulnerabilities.

UDP Scanning

image 49.png


Exploitation

echo -e "/usr/share/seclists/Passwords/Leaked-Databases/NordVPN.txt" > groups.txt

image 50.png

-A Use active mode (to obtain PSK hash for cracking)

-M Display output in multi-line format (to view complete handshake information)

—id=@groups.txt Specify identity identifier and read from file

-P(f) We can write to this file; if not specified, output goes directly to stdout

Found ike@expressway.htb

image 51.png

Cracked file yields password freakingrockstarontheroad


Foothold

image 52.png

Successfully logged in using the obtained credentials


Privilege Escalation

Running linpeas.sh reveals

image 53.png

sudo -V shows version 1.9.17

Found this article on the website

In summary, the key is to find a host.

Checking id reveals we are in the proxy group. Let’s see what special permissions the proxy group has.

find / -group proxy 2>/dev/null

image 54.png

We examine the contents of access; based on experience, if a host exists, it should contain htb.

image 55.png

We try this host offramp.expressway.htb

image 56.png

We can see that root access is possible.