PenTest.WS demonstration hacking the DevOops machine from HackTheBox.eu. This video demonstrates using an XXE Injection vulnerability to pull sensitive files off a remote server. The privilege escalation is to search through a git repository to find root’s private ssh key.

2:26 – Web page extension enumeration
5:21 – XML fuzzing
7:49 – XXE Injection
10:53 – Stealing an SSH key
14:19 – Searching a Git repo
17:53 – Extracting root’s SSH key