00:00 - Introduction
01:00 - Start of nmap
04:25 - Opening Pidgin to register with the Jabber Server then look at chatrooms
10:15 - Opening the XMPP Console so we can copy users to build the username list
11:50 - Running Kerbrute against the users to get a few ASREP Roast Hashes
15:45 - Having issues cracking the hash, need to specify downgrade on kerbrute
19:30 - Running bloodhound with jmontgomery
21:00 - Logged into jabber with jmontgomery, discover a new chatroom which has creds to svc_openfire user
22:55 - Opening bloodhound to discover svc_openfire can ExecuteDCOM
27:30 - Modifying NXC to allow us to ExecuteDCOM without admin permissions
30:00 - Using impacket's DcomEXEC to get a shell on the box
34:55 - Forwarding port 9090 to our box so we can access the OpenFire management website
37:15 - Uploading a malicious plugin to the OpenFire service
Support the originator by clicking the read the rest link below.
