HackTheBox Expressway Writeup
A walkthrough of the HackTheBox 'Expressway' machine which is easy rated linux box. This write-up covers initial access, privilege escalation, and post-exploitation techniques.
HackTheBox Expressway Writeup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
┌──(dollarboysushil㉿kali)-[~/Documents/HTB_BOXES/expressway]
└─$ rustscan -r 0-65535 -a 10.129.22.209
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports faster than you can say 'SYN ACK'
[~] The config file is expected to be at "/home/dollarboysushil/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.129.22.209:22
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-20 16:00 EDT
Initiating Ping Scan at 16:00
Scanning 10.129.22.209 [4 ports]
Completed Ping Scan at 16:00, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:00
Completed Parallel DNS resolution of 1 host. at 16:00, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:00
Scanning 10.129.22.209 [1 port]
Discovered open port 22/tcp on 10.129.22.209
Completed SYN Stealth Scan at 16:00, 0.21s elapsed (1 total ports)
Nmap scan report for 10.129.22.209
Host is up, received echo-reply ttl 63 (0.19s latency).
Scanned at 2025-09-20 16:00:53 EDT for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (72B)
UDP Port scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(dollarboysushil㉿kali)-[~/Documents/HTB_BOXES/expressway]
└─$ rustscan -r 0-65535 -a 10.129.6.80 --udp
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
You miss 100% of the ports you don't scan. - RustScan
[~] The config file is expected to be at "/home/dollarboysushil/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.129.6.80:500
Active Challenge
This challenge is currently active on HackTheBox.
In accordance with HackTheBox's content policy, this writeup will be made publicly available only after the challenge is retired. This approach maintains the integrity of active challenges while ensuring educational resources are available for learning purposes.
Secured
Content Access Required
Enter the password to unlock the full writeup content
This post is licensed under
CC BY 4.0
by the author.