HackTheBox - ExpressWay

IppSec
Mar 7, 2026

Why It Matters

It highlights how neglected UDP services and legacy software can grant attackers full control, emphasizing urgent patch management and comprehensive scanning in modern security practices.

Key Takeaways

  • UDP scan reveals IKE open on port 500/udp
  • IKE aggressive mode yields a hash that is cracked to obtain SSH credentials
  • TFTP enumeration exposes a Cisco router.cfg revealing the IKE username
  • Outdated sudo 1.9.17 is vulnerable to two privilege escalation exploits
  • Exploiting the sudo host option grants root without a password

Summary

The video walks through the Hack The Box "ExpressWay" machine, illustrating how a seemingly simple box can be compromised by leveraging old, overlooked vulnerabilities. The presenter starts with a UDP Nmap scan, discovers the IKE service on port 500, and uses aggressive mode to extract a hash that is later cracked with Hashcat, yielding the SSH credentials for the user "ike". Key insights include the challenges of UDP scanning, the value of aggressive IKE handshakes for credential harvesting, and the discovery of an exposed TFTP server that contains a Cisco router configuration file. The config file confirms the username "ike" and hints at the IKE pre‑shared key, while the SSH login reveals a vulnerable version of sudo (1.9.17), which is susceptible to two separate privilege‑escalation bugs. Notable moments feature the line "IKE at expressway.htb" that guides the username guess, the use of the "sudo -R" (chroot) exploit script that drops the attacker directly to a root shell, and a detailed explanation of the sudo host‑option flaw that allows impersonation of another host to bypass intended restrictions. The demonstration underscores the importance of scanning UDP services, revisiting legacy exploits, and hardening misconfigured daemons. For penetration testers and defenders alike, the case shows how quickly an outdated utility can provide a full system compromise, reinforcing the need for timely patching and thorough service enumeration.

Original Description

00:00 - Introduction
00:40 - Start of nmap
03:30 - UDP Nmap finished, running ike-scan in aggressive mode
05:00 - Cracking the ike hash with hashcat and then SSH into the box
06:10 - Showing TFTP was open which has a Cisco config, showing MSF and Nmap to enumerate the TFTP service
10:55 - Running LinPEAS to show us the outdated sudo
12:00 - Exploiting CVE-2025-32463, the CHROOT Sudo Exploit
14:30 - Exploiting the other one, CVE-2025-32462, which requires finding a hostname on the box
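The two sudo bugs at the end of the video (CVE-2025-32462, the host option, and CVE-2025-32463, the chroot option) share a fix release, sudo 1.9.17p1. The following is an added defender-side audit helper, not code from the video or from the sudo project: it parses the first line of `sudo --version` and reports which of the two CVEs' affected ranges contain the installed version (1.8.8 through 1.9.17 for the host option, 1.9.14 through 1.9.17 for the chroot option, both fixed in 1.9.17p1). The sample banner at the bottom is constructed to match the version seen on the box.

```shell
#!/bin/sh
# Added audit helper (not from the video): flag sudo builds that fall inside the
# affected ranges of CVE-2025-32462 (host option) and CVE-2025-32463 (chroot option).
# Both issues were fixed in sudo 1.9.17p1.

# Turn "1.9.17p1" into a single integer key (major, minor, micro, patch, zero-padded)
# so that versions can be compared with -lt / -ge.
sudo_version_key() {
    v="$1"
    case "$v" in
        *p*) base="${v%p*}"; patch="${v##*p}" ;;
        *)   base="$v";      patch=0 ;;
    esac
    major="${base%%.*}"
    rest="${base#*.}"
    minor="${rest%%.*}"
    micro="${rest#*.}"
    if [ "$micro" = "$rest" ]; then
        micro=0           # "1.9" with no micro component
    fi
    printf '%d%03d%03d%03d\n' "$major" "$minor" "$micro" "$patch"
}

# Extract the bare version from a `sudo --version` banner, e.g.
# "Sudo version 1.9.17p1" -> "1.9.17p1".
sudo_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p'
}

# Print, one per line, the CVEs whose affected range contains the given version.
# Prints nothing when the build is outside both ranges (e.g. 1.9.17p1 or newer).
sudo_affected_cves() {
    k=$(sudo_version_key "$1")
    fixed=$(sudo_version_key 1.9.17p1)
    if [ "$k" -ge "$(sudo_version_key 1.8.8)" ] && [ "$k" -lt "$fixed" ]; then
        echo CVE-2025-32462
    fi
    if [ "$k" -ge "$(sudo_version_key 1.9.14)" ] && [ "$k" -lt "$fixed" ]; then
        echo CVE-2025-32463
    fi
}

# Constructed sample banner matching the outdated sudo reported on the box.
# On a live host, replace it with: banner=$(sudo --version 2>/dev/null | head -n 1)
SAMPLE_BANNER="Sudo version 1.9.17"
ver=$(sudo_version_from_banner "$SAMPLE_BANNER")
cves=$(sudo_affected_cves "$ver" | tr '\n' ' ')
if [ -n "$cves" ]; then
    printf 'sudo %s: update to 1.9.17p1 or later (affected by %s)\n' "$ver" "$cves"
else
    printf 'sudo %s: not in either affected range\n' "$ver"
fi
```

Run it as-is to see the verdict for the constructed banner, or swap in the live `sudo --version` line as the comment describes; the version-key trick also works for any other sudo advisory whose affected range is expressed as plain version bounds.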
