00:00 - Introduction
01:00 - Start of nmap
02:00 - Looking at the TTL of Ping to see its 127, then making a request to the webserver and seeing it is 62
03:45 - Showing DNS is listening on Cerberos and exposing the 172.16.22.0/24 network
05:15 - Looking at Icinga, testing default credentials
06:20 - Fingerprinting the Icinga release by looking at javascript, using UI.JS since it looks like it changes frequently
09:05 - Cloning the repo, then writing a one-liner to hash all versions of ui.js and finding which commit the version off the webserver is on
12:10 - Finding a File Disclosure vulnerability in Icinga CVE-2022-24716, leaking some Icinga configuration files and finding a web users password
16:20 - Gaining RCE via CVE-2022-24715, which allows us to write a file to disk then change where the Icinga plugin directory is to get code execution
25:30 - Shell as www-data, doing some basic recon to figure out what type of virtual environment we are in via /sys/class/dmi/id/sys_vendor
29:00 - Looking at running processes and seeing sssd is running which allows this box to talk to the domain
30:00 - Looking at SetUID Files, discovering FireJail and privesc'ing CVE-2022-31214
36:00 - As root on linux, we can now examine the SSSD configuration and get a domain password
44:50 - Setting up a SOCKS Proxy via chisel, so we can use Evil-WINRM to log into the windows machine as Matthew
48:50 - Discovering ManageEngine ADSelfService Plus is running, finding an exploit
52:50 - Fighting with Chisel to get all the port forwards working, have trouble with two socks proxies
01:00:00 - Redoing our tunnels, doing a portforward on linux to get evil-winrm, then a socks on our windows target to access ManageEngine
1:06:10 - Running the Metasploit Exploit against ManageEngine and getting root