<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>HackTheBox - SolarLab</title>
        <link>https://stream.echo6.co/videos/watch/bca74093-b4e0-4e91-bfb5-8d9a4ee923b7</link>
        <description>00:00 - Introduction 01:05 - Start of nmap 02:50 - Discovering Guest can read files on SMB, using mount to copy all the files 08:30 - Grabbing usernames and passwords from the Excel document so we can use them for spraying 15:45 - Taking a look at port 6791 to see ReportHub, using FFUF to spray usernames to get a valid user 18:00 - Using FFUF to spray two parameters, username and password, by giving it two wordlists and setting markers 22:45 - Discovering the PDF ReportHub generates uses ReportLab, which has a known vulnerability 28:40 - Shell returned on the box as Blake 29:50 - Copying the SQLite database ReportHub uses to our box over SQLite so we can dump it 31:50 - Spraying passwords again from the SQLite database, getting Openfire's password, then using RunasCs to get a shell as openfire 35:50 - Setting up a reverse SOCKS proxy with chisel so we can hit ports listening on localhost 39:20 - Going over how the Openfire auth bypass works, using Unicode to bypass an ACL 54:50 - Logged into Openfire, uploading the management plugin to get a shell as openfire 59:30 - Decrypting the Openfire password out of its database to get the administrator's password</description>
        <lastBuildDate>Wed, 15 Apr 2026 13:30:25 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>HackTheBox - SolarLab</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/bca74093-b4e0-4e91-bfb5-8d9a4ee923b7</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=bca74093-b4e0-4e91-bfb5-8d9a4ee923b7" rel="self" type="application/rss+xml"/>
    </channel>
</rss>