HackTheBox - Corporate (FIXED)
Key Takeaways
Exploits Agent Chat and discovers reflective error page in HackTheBox's Corporate challenge
Original Description
Sorry for the double upload. The last 45 seconds were missing from the first video.
00:00 - Introduction
01:00 - Start of nmap
02:45 - Playing with the Agent Chat, discovering we can send HTML then testing for XSS then seeing CSP (Content Security Policy) Stops us
06:20 - Testing for the ability to perform redirection via HTML via meta refresh
09:20 - Discovering the 404 error page has reflective XSS, but CSP Blocks us from running XSS on the page itself
10:15 - Finding one of the Analytics JavaScript Files allows for reflective injection, allowing us to insert javascript
13:00 - Having a Meta Redirect to the double reflective xss injection and stealing a cookie
22:10 - Logged into the SSO by replaying the cookie and testing password reset
29:00 - Getting a second session so we can test the file-sharing capability
37:10 - Creating a script that will enumerate users based upon the people directory, then test the welcome password
56:30 - Going over the internal nmap scan from the VPN
1:03:54 - Looking at the Mozilla directory, discovering there is a BitWarden plugin installed and the history indicates they may have a pin code set
1:11:00 - Extracting the Bitwarden PinProtected Hash so we can crack it
1:31:30 - Downloading all the Git Repo's and finding a secret in the commit history and discovering they JWT Signing Key
1:37:00 - Using GetEnt on the Linux workstation to enumerate groups in ldap
1:42:50 - Creating a JWT of the Engineering group, changing the password then logging into the workstation
1:45:30 - Downloading a Docker Image from our box, and copying it to the remote host so we can use Docker to Privesc
1:49:10 - As root we can SU to other users, then find an SSH Key for Sysadmin to the main host
1:55:55 - Proxmox backups on the mainhost have the authkey.key file which is the RSA Signing Key Proxmox uses for cookies
1:58:30 - Creating a proxmox cookie with the RSA Signing Key and then using the API to change the root password
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from IppSec · IppSec · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
HHC2016 - Analytics
IppSec
HackTheBox - October
IppSec
HackTheBox - Arctic
IppSec
HackTheBox - Brainfuck
IppSec
HackTheBox - Bank
IppSec
HackTheBox - Joker
IppSec
HackTheBox - Lazy
IppSec
Camp CTF 2015 - Bitterman
IppSec
HackTheBox - Devel
IppSec
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
HackTheBox - Granny and Grandpa
IppSec
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
HackTheBox - Optimum
IppSec
HackTheBox - Charon
IppSec
HackTheBox - Sneaky
IppSec
HackTheBox - Holiday
IppSec
HackTheBox - Europa
IppSec
Introduction to tmux
IppSec
HackTheBox - Blocky
IppSec
HackTheBox - Nineveh
IppSec
HackTheBox - Jail
IppSec
HackTheBox - Blue
IppSec
HackTheBox - Calamity
IppSec
HackTheBox - Shrek
IppSec
HackTheBox - Mirai
IppSec
HackTheBox - Shocker
IppSec
HackTheBox - Mantis
IppSec
HackTheBox - Node
IppSec
HackTheBox - Kotarak
IppSec
HackTheBox - Enterprise
IppSec
HackTheBox - Sense
IppSec
HackTheBox - Minion
IppSec
VulnHub - Sokar
IppSec
VulnHub - Pinkys Palace v2
IppSec
HackTheBox - Inception
IppSec
Vulnhub - Trollcave 1.2
IppSec
HackTheBox - Ariekei
IppSec
HackTheBox - Flux Capacitor
IppSec
HackTheBox - Jeeves
IppSec
HackTheBox - Tally
IppSec
HackTheBox - CrimeStoppers
IppSec
HackTheBox - Fulcrum
IppSec
HackTheBox - Chatterbox
IppSec
HackTheBox - Falafel
IppSec
How To Create Empire Modules
IppSec
HackTheBox - Nightmare
IppSec
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
HackTheBox - Bart
IppSec
HackTheBox - Aragog
IppSec
HackTheBox - Valentine
IppSec
HackTheBox - Silo
IppSec
HackTheBox - Rabbit
IppSec
HackTheBox - Celestial
IppSec
HackTheBox - Stratosphere
IppSec
HackTheBox - Poison
IppSec
HackTheBox - Canape
IppSec
HackTheBox - Olympus
IppSec
HackTheBox - Sunday
IppSec
HackTheBox - Fighter
IppSec
HackTheBox - Bounty
IppSec
More on: Network Security
View skill →Related AI Lessons
⚡
⚡
⚡
⚡
Common Next.js Errors (and How I Solved Them)
Dev.to · gary killen
Applying Scalability in Backend (CodeBuddy)
Medium · LLM
Why Every Backend Developer Should Learn Nginx Before Going to Production
Medium · DevOps
Connecting Frontend to Backend: A Backend Engineer’s Reality Check
Medium · Programming
Chapters (20)
Introduction
1:00
Start of nmap
2:45
Playing with the Agent Chat, discovering we can send HTML then testing for XSS
6:20
Testing for the ability to perform redirection via HTML via meta refresh
9:20
Discovering the 404 error page has reflective XSS, but CSP Blocks us from runn
10:15
Finding one of the Analytics JavaScript Files allows for reflective injection,
13:00
Having a Meta Redirect to the double reflective xss injection and stealing a c
22:10
Logged into the SSO by replaying the cookie and testing password reset
29:00
Getting a second session so we can test the file-sharing capability
37:10
Creating a script that will enumerate users based upon the people directory, t
56:30
Going over the internal nmap scan from the VPN
1:03:54
Looking at the Mozilla directory, discovering there is a BitWarden plugin inst
1:11:00
Extracting the Bitwarden PinProtected Hash so we can crack it
1:31:30
Downloading all the Git Repo's and finding a secret in the commit history and
1:37:00
Using GetEnt on the Linux workstation to enumerate groups in ldap
1:42:50
Creating a JWT of the Engineering group, changing the password then logging in
1:45:30
Downloading a Docker Image from our box, and copying it to the remote host so
1:49:10
As root we can SU to other users, then find an SSH Key for Sysadmin to the mai
1:55:55
Proxmox backups on the mainhost have the authkey.key file which is the RSA Sig
1:58:30
Creating a proxmox cookie with the RSA Signing Key and then using the API to c
🎓
Tutor Explanation
DeepCamp AI