HackTheBox - Corporate (FIXED)

Sorry for the double upload. The last 45 seconds were missing from the first video.

00:00 - Introduction
01:00 - Start of nmap
02:45 - Playing with the Agent Chat, discovering we can send HTML then testing for XSS then seeing CSP (Content Security Policy) Stops us
06:20 - Testing for the ability to perform redirection via HTML via meta refresh
09:20 - Discovering the 404 error page has reflective XSS, but CSP Blocks us from running XSS on the page itself
10:15 - Finding one of the Analytics JavaScript Files allows for reflective injection, allowing us to insert javascript
13:00 - Having a Meta Redirect to the double reflective xss injection and stealing a cookie
22:10 - Logged into the SSO by replaying the cookie and testing password reset
29:00 - Getting a second session so we can test the file-sharing capability
37:10 - Creating a script that will enumerate users based upon the people directory, then test the welcome password
56:30 - Going over the internal nmap scan from the VPN
1:03:54 - Looking at the Mozilla directory, discovering there is a BitWarden plugin installed and the history indicates they may have a pin code set
1:11:00 - Extracting the Bitwarden PinProtected Hash so we can crack it
1:31:30 - Downloading all the Git Repo's and finding a secret in the commit history and discovering they JWT Signing Key
1:37:00 - Using GetEnt on the Linux workstation to enumerate groups in ldap
1:42:50 - Creating a JWT of the Engineering group, changing the password then logging into the workstation
1:45:30 - Downloading a Docker Image from our box, and copying it to the remote host so we can use Docker to Privesc
1:49:10 - As root we can SU to other users, then find an SSH Key for Sysadmin to the main host
1:55:55 - Proxmox backups on the mainhost have the authkey.key file which is the RSA Signing Key Proxmox uses for cookies
1:58:30 - Creating a proxmox cookie with the RSA Signing Key and then using the API to change the root password