HackTheBox - DarkCorp

00:00 - Introduction 01:00 - Start of nmap 02:45 - Discovering the Contact Us form lets us send emails anywhere, also leaks the bcase user to the recipient 05:30 - Discovering RoundCube Version and finding it is vulnerable to XSS, testing it against ourself with the contact us form 11:45 - Building a XSS CSRF Payload that will exfil all emails in the inbox 18:50 - Creating the Python HTTP Server to display emails sent from the XSS Payload, use Beautiful Soup to parse the HTML to only show important pieces 31:40 - Sending the XSS to bcase, getting his emails. Discovering a new subdomain, using password reset and reading his inbox again to discover the reset link 35:20 - Finding SQL Injection in PostGres, checking if we are super user, discovering there is a filter stripping the work copy 38:00 - Doing some light evasion using an eval like feature of PostGres so we can encode our query and getting a shell on the box 47:30 - Discovering an encrypted file, using the db password within .env of the webapp to decrypt it 54:20 - Getting our first Active Directory user, running RustHound but there aren't many paths 59:40 - Logging into another page with Victor's credentials, we have an SSRF here 01:04:18 - Using socat to set up a tunnel so we can have the target listen on a port and send it back to use (Reverse Port Forward), not using SSH because it only listens on localhost 01:08:30 - Responder grabs a NetNTLMv2 Hash from the SSRF, showing the latest version of responder won't grab it, digging into source to show why 01:15:05 - Showing LDAP Signing is not enabled, using NTLMRelayx to forward our request to the LDAP Server, attempting Certificate Enrollment with ADCS but NTLM Auth is disabled 01:22:20 - Getting KRBRelayX Up and running so we can auth with ADCS 01:26:20 - Using the PrinterBug to force the machine to make a request to our KRBRelay Server, but first using NTLMRelayX to create a special DNS Name (marshalling) to masquerade as DC-01 01:31:40 - Got a NTLM Hash f