https://stream.echo6.co/videos/watch/97415f4c-6d9f-4918-97bf-d025d3143f6c 00:00 - Introduction 01:00 - Start of nmap 02:00 - Looking at the TTL of Ping to see its 127, then making a request to the webserver and seeing it is 62 03:45 - Showing DNS is listening on Cerberos and exposing the 172.16.22.0/24 network 05:15 - Looking at Icinga, testing default credentials 06:20 - Fingerprinting the Icinga release by looking at javascript, using UI.JS since it looks like it changes frequently 09:05 - Cloning the repo, then writing a one-liner to hash all versions of ui.js and finding which commit the version off the webserver is on 12:10 - Finding a File Disclosure vulnerability in Icinga CVE-2022-24716, leaking some Icinga configuration files and finding a web users password 16:20 - Gaining RCE via CVE-2022-24715, which allows us to write a file to disk then change where the Icinga plugin directory is to get code execution 25:30 - Shell as www-data, doing some basic recon to figure out what type of virtual environment we are in via /sys/class/dmi/id/sys_vendor 29:00 - Looking at running processes and seeing sssd is running which allows this box to talk to the domain 30:00 - Looking at SetUID Files, discovering FireJail and privesc'ing CVE-2022-31214 36:00 - As root on linux, we can now examine the SSSD configuration and get a domain password 44:50 - Setting up a SOCKS Proxy via chisel, so we can use Evil-WINRM to log into the windows machine as Matthew 48:50 - Discovering ManageEngine ADSelfService Plus is running, finding an exploit 52:50 - Fighting with Chisel to get all the port forwards working, have trouble with two socks proxies 01:00:00 - Redoing our tunnels, doing a portforward on linux to get evil-winrm, then a socks on our windows target to access ManageEngine 1:06:10 - Running the Metasploit Exploit against ManageEngine and getting root Wed, 15 Apr 2026 11:16:00 GMT https://validator.w3.org/feed/docs/rss2.html PeerTube - https://stream.echo6.co https://stream.echo6.co/client/assets/images/icons/icon-512x512.png https://stream.echo6.co/videos/watch/97415f4c-6d9f-4918-97bf-d025d3143f6c All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.