HackTheBox - Corporate (FIXED)

Sorry for the double upload. The last 45 seconds were missing from the first video. 00:00 - Introduction 01:00 - Start of nmap 02:45 - Playing with the Agent Chat, discovering we can send HTML then testing for XSS then seeing CSP (Content Security Policy) Stops us 06:20 - Testing for the ability to perform redirection via HTML via meta refresh 09:20 - Discovering the 404 error page has reflective XSS, but CSP Blocks us from running XSS on the page itself 10:15 - Finding one of the Analytics JavaScript Files allows for reflective injection, allowing us to insert javascript 13:00 - Having a Meta Redirect to the double reflective xss injection and stealing a cookie 22:10 - Logged into the SSO by replaying the cookie and testing password reset 29:00 - Getting a second session so we can test the file-sharing capability 37:10 - Creating a script that will enumerate users based upon the people directory, then test the welcome password 56:30 - Going over the internal nmap scan from the VPN 1:03:54 - Looking at the Mozilla directory, discovering there is a BitWarden plugin installed and the history indicates they may have a pin code set 1:11:00 - Extracting the Bitwarden PinProtected Hash so we can crack it 1:31:30 - Downloading all the Git Repo's and finding a secret in the commit history and discovering they JWT Signing Key 1:37:00 - Using GetEnt on the Linux workstation to enumerate groups in ldap 1:42:50 - Creating a JWT of the Engineering group, changing the password then logging into the workstation 1:45:30 - Downloading a Docker Image from our box, and copying it to the remote host so we can use Docker to Privesc 1:49:10 - As root we can SU to other users, then find an SSH Key for Sysadmin to the main host 1:55:55 - Proxmox backups on the mainhost have the authkey.key file which is the RSA Signing Key Proxmox uses for cookies 1:58:30 - Creating a proxmox cookie with the RSA Signing Key and then using the API to change the root password