00:00 - Introduction
01:05 - Start of nmap
02:50 - Discovering Guest can read files on SMB, using mount to copy all the files
08:30 - Grabbing usernames and passwords from the excel document so we can use them for spraying
15:45 - Taking a look at port 6791 to see ReportHub, using FFUF to spray usernames to get a valid user
18:00 - Using FFUF to spray two parameters, username and password by giving it two wordlists and settings markers
22:45 - Discovering the PDF ReportHub generates uses ReportLab which has a known vulnerability
28:40 - Shell returned on the box as Blake
29:50 - Copying the SQLite Database ReportHub uses to our box over SQLite so we can dump it
31:50 - Spraying passwords again from the SQLITE Database, getting OpenFire's password then using RunasCS to get a shell as openfire
35:50 - Setting up a reverse socks proxy with chisel so we can hit ports listening on localhost
39:20 - Going over how the Openfire Auth Bypass works, using Unicode to bypass an acl
54:50 - Logged into Openfire, uploading the management plugin to get a shell as openfire
59:30 - Decrypting the Openfire password out of its database to get administrators password
Support the originator by clicking the read the rest link below.
