https://stream.echo6.co/videos/watch/45a00dbf-086b-4592-a94c-ce6e46589323 00:00 - Introduction 01:00 - Start of nmap 04:25 - Opening Pidgin to register with the Jabber Server then look at chatrooms 10:15 - Opening the XMPP Console so we can copy users to build the username list 11:50 - Running Kerbrute against the users to get a few ASREP Roast Hashes 15:45 - Having issues cracking the hash, need to specify downgrade on kerbrute 19:30 - Running bloodhound with jmontgomery 21:00 - Logged into jabber with jmontgomery, discover a new chatroom which has creds to svc_openfire user 22:55 - Opening bloodhound to discover svc_openfire can ExecuteDCOM 27:30 - Modifying NXC to allow us to ExecuteDCOM without admin permissions 30:00 - Using impacket's DcomEXEC to get a shell on the box 34:55 - Forwarding port 9090 to our box so we can access the OpenFire management website 37:15 - Uploading a malicious plugin to the OpenFire service Wed, 15 Apr 2026 11:45:01 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/45a00dbf-086b-4592-a94c-ce6e46589323 All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.