HackTheBox - JSON

Summary

JSON, a Windows box created by HackTheBox user Cyb3rb0b, was an easy box overall. The initial foothold involved finding a JSON deserialization issue in ASP.NET, using it to get RCE, and using that to get the user. Privilege escalation was much easier: we check whether the box is vulnerable to Juicy/Rotten Potato, find that it is, and use that to get root.

HackTheBox - Registry

Summary

Registry, a Linux box created by HackTheBox user thek, was a medium to hard box overall. The initial enumeration exposes a Docker registry from which you can download an image that contains an SSH key for the user. After SSHing into the box, we find an nginx config that points us to the Bolt DB. Cracking the password in the Bolt DB gives us access to the Bolt web server, where we can upload a ph0ny shell and get the www-data user, which is allowed to run restic backup as root. Using that, we can get root.

HackTheBox - Heist

Summary

Heist, a Linux box created by HackTheBox user MinatoTW, was an easy to medium box overall. After leaking a Cisco password hash, we can brute-force SIDs to find more users and crack other passwords. Finally, we need to dump a process to get the administrator password.

HackTheBox - Networked

Summary

Networked, a Linux box created by HackTheBox user guly, was an easy box overall. It had an exposed backup.zip containing the upload code, with which we were able to bypass the upload checks, get RCE, and get a shell as www-data. Enumerating, we see a cron job that we can use to get the user. Enumerating further as that user, we find that the user can run changename.sh without a password, which we can use to get root.

CVE-2019-14287 Sudo Vulnerability

Summary

When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a runAs specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.
This can be used by a user with sufficient sudo privileges to run commands as root even if the runAs specification explicitly disallows root access as long as the ALL keyword is listed first in the runAs specification.

Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command.
