https://stream.echo6.co/videos/watch/066615ea-6a5c-44c9-b958-f9f43df196fb 00:00 - Introduction 01:00 - Start of nmap 02:00 - Testing the XAMPP PHP Vulnerability, which doesn't work 06:20 - Getting the Joomla Version from the manifest, then exploiting CVE-2023-23752 to get the MySQL Password (same as devvortex) 11:30 - Using KerBrute to bruteforce valid usernames and then NetExec to spray the MySQL Password to get DWOLFE's password 16:40 - Examining the PCAP on the FileShare then building a Kerberos Hash for ETYPE 18 22:30 - Logging into Joomla then getting a shell through editing a template 30:00 - Looking at the other VHOSTS on the box, discovering a site running on localhost 42:00 - Discovering an old version of LibreOffice, exploiting CVE-2023-2255 to get a shell 51:10 - Showing another way, since TSTARK can edit the registry to allow macros to run then just sending a malicious document 57:40 - Pillaging DPAPI with the RPC flag, since we don't know the password and gained access to an interactive login 1:12:00 - We have the ability to edit GP as HHOGAN, using SharpGPOAbuse to create a local admin Wed, 15 Apr 2026 17:25:08 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/066615ea-6a5c-44c9-b958-f9f43df196fb All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.