<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>HackTheBox - Shibboleth</title>
        <link>https://stream.echo6.co/videos/watch/e80ac07f-1bd5-42f1-991a-3077f6358fd5</link>
        <description>00:00 - Intro
00:57 - Running NMAP
04:10 - The footer talks about BMC, explaining why I jumped to IPMI when reading this
05:30 - Running a Virtual Host (VHOST) Scan with Wfuzz to try and find a domain that points to an ILO
08:20 - Talking about IPMI
10:15 - Running Metasploit to dump the IPMI Hash and then crack it with hashcat
15:10 - Running IPMITool to explore the interface, there isn't anything really here
19:30 - Logging into Zabbix with the credentials and then fumbling around creating a malicious check
27:50 - Discovering what we were doing wrong, we didn't want to put quotes in the system.run command
29:25 - Zabbix kills our shell pretty quickly, just running a second command really fast in order to keep a process alive
32:00 - Attempting to get into the Zabbix database, need to switch to the ipmi-svc user
34:57 - Showing a cool MySQL command \G to display results in a table form, useful when dumping a lot of columns
36:05 - Running LinPEAS
39:30 - No real exploit paths found, checking for exploits in the MySQL Server and finding CVE-2021-27928 (WSREP)
41:10 - Performing the MySQL WSREP Exploit and getting root</description>
        <lastBuildDate>Wed, 15 Apr 2026 09:28:42 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>HackTheBox - Shibboleth</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/e80ac07f-1bd5-42f1-991a-3077f6358fd5</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=e80ac07f-1bd5-42f1-991a-3077f6358fd5" rel="self" type="application/rss+xml"/>
    </channel>
</rss>