laokoon

LaokoonHaxorcist/crypto_me_is_me/server.py

@@ -0,0 +1,42 @@
+from secret import FLAG
+from hashlib import sha256
+
+
+class hash():
+
+    def __init__(self, message):
+        self.message = message
+
+    def rotate(self, message):
+        return [((b >> 4) | (b << 3)) & 0xff for b in message]
+
+    def hexdigest(self):
+        rotated = self.rotate(self.message)
+        return sha256(bytes(rotated)).hexdigest()
+
+
+def main():
+    original_message = b"ready_play_one!"
+    original_digest = hash(original_message).hexdigest()
+    print(
+        f"Find a message that generate the same hash as this one: {original_digest}"
+    )
+
+    while True:
+        try:
+            message = input("Enter your message: ")
+            message = bytes.fromhex(message)
+
+            digest = hash(message).hexdigest()
+
+            if ((original_digest == digest) and (message != original_message)):
+                print(f"{FLAG}")
+            else:
+                print("Conditions not satisfied!")
+
+        except Exception as e:
+            print(f"An error occurred while processing data: {e}")
+
+
+if __name__ == '__main__':
+    main()

LaokoonHaxorcist/crypto_psa_games/server.py

@@ -0,0 +1,58 @@
+from Crypto.Util.number import bytes_to_long, getPrime, GCD
+from Crypto.Util.Padding import pad
+# from secret import FLAG
+
+WELCOME = '''Welcome to my custom PSA cryptosystem! 
+In this cryptosystem, the message is PKCS#7 padded and then encrypted with RSA.
+They say padding makes encryption more secure, right? ;)'''
+
+MENU = '''
+[1] Encrypt the flag
+[2] Exit
+'''
+
+
+class PSA:
+
+    def __init__(self):
+        self.bit_size = 512
+        self.e = 11
+
+    def gen_modulus(self):
+        while True:
+            p = getPrime(self.bit_size // 2)
+            q = getPrime(self.bit_size // 2)
+            if GCD(self.e, (p - 1) * (q - 1)) == 1:
+                break
+        return p * q
+
+    def encrypt(self, msg):
+        m = bytes_to_long(pad(msg, 16))
+        n = self.gen_modulus()
+        c = pow(m, self.e, n)
+        return c, n
+
+
+def main():
+    psa = PSA()
+    print(WELCOME)
+    while True:
+        try:
+            print(MENU)
+            opt = input('> ')
+            if opt == '1':
+                enc, modulus = psa.encrypt(b'FLAG')
+                print(f"\n{hex(enc)}\n{hex(modulus)}")
+            elif opt == '2':
+                print('Bye.')
+                exit(1)
+            else:
+                print('\nInvalid option!')
+        except:
+            print('\n\nSomething went wrong.')
+            exit(1)
+
+
+if __name__ == '__main__':
+    # main()
+    print(0x65c96a10a5553c2eb1b05ac1369a777089841005b055cbf8dcafc41fd1d11b0a0306b820cbc742796318694b9fdf145214ef3a2385984daa0d6d5ba87bdce687)

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/notes.txt

@@ -0,0 +1,244 @@
+[*] domain found on tcp/53.
+
+
+
+[*] http found on tcp/80.
+
+
+
+[*] kerberos-sec found on tcp/88.
+
+
+
+[*] msrpc found on tcp/135.
+
+
+
+[*] netbios-ssn found on tcp/139.
+
+
+
+[*] ldap found on tcp/389.
+
+
+
+[*] microsoft-ds found on tcp/445.
+
+
+
+[*] kpasswd5 found on tcp/464.
+
+
+
+[*] ncacn_http found on tcp/593.
+
+
+
+[*] tcpwrapped found on tcp/636.
+
+
+
+[*] ldap found on tcp/3268.
+
+
+
+[*] tcpwrapped found on tcp/3269.
+
+
+
+[*] wsman found on tcp/5985.
+
+
+
+[*] mc-nmf found on tcp/9389.
+
+
+
+[*] msrpc found on tcp/49667.
+
+
+
+[*] msrpc found on tcp/49673.
+
+
+
+[*] ncacn_http found on tcp/49674.
+
+
+
+[*] msrpc found on tcp/49695.
+
+
+
+[*] msrpc found on tcp/49843.
+
+
+
+[*] domain found on tcp/53.
+
+
+
+[*] http found on tcp/80.
+
+
+
+[*] kerberos-sec found on tcp/88.
+
+
+
+[*] msrpc found on tcp/135.
+
+
+
+[*] netbios-ssn found on tcp/139.
+
+
+
+[*] ldap found on tcp/389.
+
+
+
+[*] microsoft-ds found on tcp/445.
+
+
+
+[*] kpasswd5 found on tcp/464.
+
+
+
+[*] ncacn_http found on tcp/593.
+
+
+
+[*] tcpwrapped found on tcp/636.
+
+
+
+[*] ldap found on tcp/3268.
+
+
+
+[*] tcpwrapped found on tcp/3269.
+
+
+
+[*] wsman found on tcp/5985.
+
+
+
+[*] mc-nmf found on tcp/9389.
+
+
+
+[*] unknown found on tcp/49667.
+
+
+
+[*] unknown found on tcp/49673.
+
+
+
+[*] ncacn_http found on tcp/49674.
+
+
+
+[*] unknown found on tcp/49695.
+
+
+
+[*] unknown found on tcp/49843.
+
+
+
+[*] domain found on udp/53.
+
+
+
+[*] ntp found on udp/123.
+
+
+
+[*] domain found on tcp/53.
+
+
+
+[*] http found on tcp/80.
+
+
+
+[*] kerberos-sec found on tcp/88.
+
+
+
+[*] msrpc found on tcp/135.
+
+
+
+[*] netbios-ssn found on tcp/139.
+
+
+
+[*] ldap found on tcp/389.
+
+
+
+[*] microsoft-ds found on tcp/445.
+
+
+
+[*] kpasswd5 found on tcp/464.
+
+
+
+[*] ncacn_http found on tcp/593.
+
+
+
+[*] tcpwrapped found on tcp/636.
+
+
+
+[*] ldap found on tcp/3268.
+
+
+
+[*] tcpwrapped found on tcp/3269.
+
+
+
+[*] wsman found on tcp/5985.
+
+
+
+[*] mc-nmf found on tcp/9389.
+
+
+
+[*] msrpc found on tcp/49667.
+
+
+
+[*] ncacn_http found on tcp/49674.
+
+
+
+[*] msrpc found on tcp/49695.
+
+
+
+[*] msrpc found on tcp/49843.
+
+
+
+[*] domain found on udp/53.
+
+
+
+[*] kerberos-sec found on udp/88.
+
+
+
+[*] ntp found on udp/123.
+
+
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Commands.md

@@ -0,0 +1,177 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
+
+dig -p 53 -x 10.129.243.131 @10.129.243.131
+
+dig AXFR -p 53 @10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131
+
+feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
+
+curl -sSikf http://10.129.243.131:80/.well-known/security.txt
+
+curl -sSikf http://10.129.243.131:80/robots.txt
+
+curl -sSik http://10.129.243.131:80/
+
+nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131
+
+whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1
+
+wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
+
+nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131
+
+impacket-getArch -target 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131
+
+impacket-rpcdump -port 135 10.129.243.131
+
+enum4linux -a -M -l -d 10.129.243.131 2>&1
+
+nbtscan -rvh 10.129.243.131 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131
+
+smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
+
+smbmap -H 10.129.243.131 -P 139 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131
+
+smbmap -H 10.129.243.131 -P 445 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131
+
+impacket-rpcdump -port 593 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 49667 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/tcp_49667_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/xml/tcp_49667_rpc_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 49673 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/tcp_49673_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/xml/tcp_49673_rpc_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 49695 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/tcp_49695_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/xml/tcp_49695_rpc_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 49843 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/tcp_49843_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/xml/tcp_49843_rpc_nmap.xml" 10.129.243.131
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1
+
+smbmap -H 10.129.243.131 -P 139 -R 2>&1
+
+smbmap -H 10.129.243.131 -P 445 -R 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1
+
+smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+
+smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
+
+dig -p 53 -x 10.129.243.131 @10.129.243.131
+
+dig AXFR -p 53 @10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131
+
+feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
+
+curl -sSikf http://10.129.243.131:80/.well-known/security.txt
+
+curl -sSikf http://10.129.243.131:80/robots.txt
+
+curl -sSik http://10.129.243.131:80/
+
+nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131
+
+whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1
+
+wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
+
+nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131
+
+impacket-getArch -target 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131
+
+impacket-rpcdump -port 135 10.129.243.131
+
+enum4linux -a -M -l -d 10.129.243.131 2>&1
+
+nbtscan -rvh 10.129.243.131 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131
+
+smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
+
+smbmap -H 10.129.243.131 -P 139 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131
+
+smbmap -H 10.129.243.131 -P 445 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131
+
+impacket-rpcdump -port 593 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1
+
+smbmap -H 10.129.243.131 -P 139 -R 2>&1
+
+smbmap -H 10.129.243.131 -P 445 -R 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1
+
+smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+
+smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+
+dig -p 53 -x 10.129.243.131 @10.129.243.131
+
+dig AXFR -p 53 @10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -sV -p 123 --script="banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml" 10.129.243.131
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Errors.md

@@ -0,0 +1,56 @@
+```
+[*] Service scan DNS Reverse Lookup (tcp/53/domain/dns-reverse-lookup) ran a command which returned a non-zero exit code (9).
+[-] Command: dig -p 53 -x 10.129.243.131 @10.129.243.131
+[-] Error Output:
+
+
+[*] Service scan DNS Zone Transfer (tcp/53/domain/dns-zone-transfer) ran a command which returned a non-zero exit code (9).
+[-] Command: dig AXFR -p 53 @10.129.243.131
+[-] Error Output:
+
+
+[*] Service scan wkhtmltoimage (tcp/80/http/wkhtmltoimage) ran a command which returned a non-zero exit code (1).
+[-] Command: wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
+[-] Error Output:
+QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
+Loading page (1/2)
+[>                                                           ] 0%
+[==============================>                             ] 50%
+[==============================>                             ] 50%
+Warning: Failed to load https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.2/themes/smoothness/jquery-ui.css (ignore)
+Error: Failed to load https://fonts.googleapis.com/css?family=Open+Sans%7CMaven+Pro:500, with network status code 3 and http status code 0 - Host fonts.googleapis.com not found
+Error: Failed to load https://cdnjs.cloudflare.com/ajax/libs/prefixfree/1.0.7/prefixfree.min.js, with network status code 3 and http status code 0 - Host cdnjs.cloudflare.com not found
+libva info: VA-API version 1.17.0
+libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
+libva info: Found init function __vaDriverInit_1_17
+libva error: /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so init failed
+libva info: va_openDriver() returns 1
+libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so
+libva info: Found init function __vaDriverInit_1_8
+libva info: va_openDriver() returns 0
+[============================================================] 100%
+Rendering (2/2)
+[>                                                           ] 0%
+[===============>                                            ] 25%
+[============================================================] 100%
+Done
+Exit with code 1 due to network error: HostNotFoundError
+
+
+[*] Service scan SMBClient (tcp/139/netbios-ssn/smbclient) ran a command which returned a non-zero exit code (1).
+[-] Command: smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
+[-] Error Output:
+
+
+[*] Service scan DNS Reverse Lookup (tcp/53/domain/dns-reverse-lookup) ran a command which returned a non-zero exit code (9).
+[-] Command: dig -p 53 -x 10.129.243.131 @10.129.243.131
+[-] Error Output:
+
+
+[*] Service scan DNS Zone Transfer (tcp/53/domain/dns-zone-transfer) ran a command which returned a non-zero exit code (9).
+[-] Command: dig AXFR -p 53 @10.129.243.131
+[-] Error Output:
+
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Manual Commands.md

@@ -0,0 +1,221 @@
+```bash
+[*] domain on tcp/53
+
+	[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt
+
+	[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt
+
+[*] http on tcp/80
+
+	[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
+
+		feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
+
+	[-] Credential bruteforcing commands (don't run these without modifying them):
+
+		hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area
+
+		medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area
+
+		hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
+
+		medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
+
+	[-] (nikto) old but generally reliable web server enumeration tool:
+
+		nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt"
+
+	[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
+
+		wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt"
+
+[*] msrpc on tcp/135
+
+	[-] RPC Client:
+
+		rpcclient -p 135 -U "" 10.129.243.131
+
+[*] netbios-ssn on tcp/139
+
+	[-] Bruteforce SMB
+
+		crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
+
+	[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
+
+		nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131
+
+[*] ldap on tcp/389
+
+	[-] ldapsearch command (modify before running):
+
+		ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt"
+
+[*] microsoft-ds on tcp/445
+
+	[-] Bruteforce SMB
+
+		crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
+
+	[-] Lookup SIDs
+
+		impacket-lookupsid '[username]:[password]@10.129.243.131'
+
+	[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
+
+		nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131
+
+[*] ldap on tcp/3268
+
+	[-] ldapsearch command (modify before running):
+
+		ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt"
+
+[*] wsman on tcp/5985
+
+	[-] Bruteforce logins:
+
+		crackmapexec winrm 10.129.243.131 -d '<domain>' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
+
+	[-] Check login (requires credentials):
+
+		crackmapexec winrm 10.129.243.131 -d '<domain>' -u '<username>' -p '<password>'
+
+	[-] Evil WinRM (gem install evil-winrm):
+
+		evil-winrm -u '<user>' -p '<password>' -i 10.129.243.131
+
+		evil-winrm -u '<user>' -H '<hash>' -i 10.129.243.131
+
+[*] msrpc on tcp/49667
+
+	[-] RPC Client:
+
+		rpcclient -p 49667 -U "" 10.129.243.131
+
+[*] msrpc on tcp/49673
+
+	[-] RPC Client:
+
+		rpcclient -p 49673 -U "" 10.129.243.131
+
+[*] msrpc on tcp/49695
+
+	[-] RPC Client:
+
+		rpcclient -p 49695 -U "" 10.129.243.131
+
+[*] msrpc on tcp/49843
+
+	[-] RPC Client:
+
+		rpcclient -p 49843 -U "" 10.129.243.131
+
+[*] domain on tcp/53
+
+	[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt
+
+	[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt
+
+[*] http on tcp/80
+
+	[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
+
+		feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
+
+	[-] Credential bruteforcing commands (don't run these without modifying them):
+
+		hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area
+
+		medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area
+
+		hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
+
+		medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
+
+	[-] (nikto) old but generally reliable web server enumeration tool:
+
+		nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt"
+
+	[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
+
+		wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt"
+
+[*] msrpc on tcp/135
+
+	[-] RPC Client:
+
+		rpcclient -p 135 -U "" 10.129.243.131
+
+[*] netbios-ssn on tcp/139
+
+	[-] Bruteforce SMB
+
+		crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
+
+	[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
+
+		nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131
+
+[*] ldap on tcp/389
+
+	[-] ldapsearch command (modify before running):
+
+		ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt"
+
+[*] microsoft-ds on tcp/445
+
+	[-] Bruteforce SMB
+
+		crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
+
+	[-] Lookup SIDs
+
+		impacket-lookupsid '[username]:[password]@10.129.243.131'
+
+	[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
+
+		nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131
+
+[*] ldap on tcp/3268
+
+	[-] ldapsearch command (modify before running):
+
+		ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt"
+
+[*] wsman on tcp/5985
+
+	[-] Bruteforce logins:
+
+		crackmapexec winrm 10.129.243.131 -d '<domain>' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
+
+	[-] Check login (requires credentials):
+
+		crackmapexec winrm 10.129.243.131 -d '<domain>' -u '<username>' -p '<password>'
+
+	[-] Evil WinRM (gem install evil-winrm):
+
+		evil-winrm -u '<user>' -p '<password>' -i 10.129.243.131
+
+		evil-winrm -u '<user>' -H '<hash>' -i 10.129.243.131
+
+[*] domain on udp/53
+
+	[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_subdomain_bruteforce.txt
+
+	[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_default_manual.txt
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Patterns.md

@@ -0,0 +1,4 @@
+Identified Architecture: 64-bit
+
+Identified HTTP Server: Microsoft-IIS/10.0
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - All TCP Ports.md

@@ -0,0 +1,82 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:45:06 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml 10.129.243.131
+adjust_timeouts2: packet supposedly had rtt of 9072738 microseconds.  Ignoring time.
+adjust_timeouts2: packet supposedly had rtt of 9072738 microseconds.  Ignoring time.
+adjust_timeouts2: packet supposedly had rtt of 9146057 microseconds.  Ignoring time.
+adjust_timeouts2: packet supposedly had rtt of 9146057 microseconds.  Ignoring time.
+adjust_timeouts2: packet supposedly had rtt of 9198674 microseconds.  Ignoring time.
+adjust_timeouts2: packet supposedly had rtt of 9198674 microseconds.  Ignoring time.
+adjust_timeouts2: packet supposedly had rtt of 9287917 microseconds.  Ignoring time.
+adjust_timeouts2: packet supposedly had rtt of 9287917 microseconds.  Ignoring time.
+Nmap scan report for 10.129.243.131
+Host is up, received user-set (0.046s latency).
+Scanned at 2023-10-28 13:45:20 CEST for 873s
+Not shown: 65516 filtered tcp ports (no-response)
+PORT      STATE SERVICE       REASON          VERSION
+53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
+80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
+|_http-server-header: Microsoft-IIS/10.0
+| http-methods: 
+|_  Supported Methods: GET HEAD OPTIONS
+|_http-title: Slandovia Energy
+88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-10-28 12:58:41Z)
+135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
+139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
+389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
+445/tcp   open  microsoft-ds? syn-ack ttl 127
+464/tcp   open  kpasswd5?     syn-ack ttl 127
+593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
+636/tcp   open  tcpwrapped    syn-ack ttl 127
+3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
+3269/tcp  open  tcpwrapped    syn-ack ttl 127
+5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+|_http-server-header: Microsoft-HTTPAPI/2.0
+|_http-title: Not Found
+9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
+49667/tcp open  unknown       syn-ack ttl 127
+49673/tcp open  unknown       syn-ack ttl 127
+49674/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
+49695/tcp open  unknown       syn-ack ttl 127
+49843/tcp open  unknown       syn-ack ttl 127
+Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
+Device type: WAP|phone
+Running: Linux 2.4.X|2.6.X, Sony Ericsson embedded
+OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz
+OS details: Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone
+TCP/IP fingerprint:
+OS:SCAN(V=7.93%E=4%D=10/28%OT=53%CT=%CU=%PV=Y%G=N%TM=653CF7B9%P=x86_64-pc-l
+OS:inux-gnu)ECN(R=N)T1(R=N)T2(R=N)T3(R=N)T4(R=N)U1(R=N)IE(R=N)
+
+Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Host script results:
+|_clock-skew: 59m59s
+| p2p-conficker: 
+|   Checking for Conficker.C or higher...
+|   Check 1 (port 25314/tcp): CLEAN (Timeout)
+|   Check 2 (port 10793/tcp): CLEAN (Timeout)
+|   Check 3 (port 25536/udp): CLEAN (Timeout)
+|   Check 4 (port 25523/udp): CLEAN (Timeout)
+|_  0/4 checks are positive: Host is CLEAN or ports are blocked
+| smb2-security-mode: 
+|   311: 
+|_    Message signing enabled and required
+| smb2-time: 
+|   date: 2023-10-28T12:59:18
+|_  start_date: N/A
+
+TRACEROUTE (using port 80/tcp)
+HOP RTT    ADDRESS
+1   ... 30
+
+Read data files from: /usr/bin/../share/nmap
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:59:53 2023 -- 1 IP address (1 host up) scanned in 887.79 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - Top 100 UDP Ports.md

@@ -0,0 +1,51 @@
+```bash
+nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:45:06 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set (0.093s latency).
+Scanned at 2023-10-28 13:45:07 CEST for 1811s
+Not shown: 98 open|filtered udp ports (no-response)
+PORT    STATE SERVICE REASON               VERSION
+53/udp  open  domain? udp-response ttl 127
+| fingerprint-strings: 
+|   DNS-SD: 
+|     _services
+|     _dns-sd
+|     _udp
+|_    local
+123/udp open  ntp?    script-set
+| ntp-info: 
+|_  receive time stamp: 2023-10-28T12:52:08
+1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+SF-Port53-UDP:V=7.93%I=7%D=10/28%Time=653CF493%P=x86_64-pc-linux-gnu%r(DNS
+SF:-SD,2E,"\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04_udp\x0
+SF:5local\0\0\x0c\0\x01")%r(Citrix,1E,"\x1e\0\x81\x01\x02\xfd\xa8\xe3\0\0\
+SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
+Too many fingerprints match this host to give specific OS details
+TCP/IP fingerprint:
+SCAN(V=7.93%E=4%D=10/28%OT=%CT=%CU=%PV=Y%DS=10%DC=T%G=N%TM=653CFB56%P=x86_64-pc-linux-gnu)
+SEQ(II=I)
+U1(R=N)
+IE(R=Y%DFI=N%TG=80%CD=Z)
+
+Network Distance: 10 hops
+
+Host script results:
+|_clock-skew: 1h00m07s
+
+TRACEROUTE (using port 53/udp)
+HOP RTT      ADDRESS
+1   36.79 ms 10.10.14.1
+2   ... 9
+10  35.90 ms 10.129.243.131
+
+Read data files from: /usr/bin/../share/nmap
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:15:18 2023 -- 1 IP address (1 host up) scanned in 1812.34 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - Top TCP Ports.md

@@ -0,0 +1,81 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:45:06 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml 10.129.243.131
+Increasing send delay for 10.129.243.131 from 0 to 5 due to 11 out of 20 dropped probes since last increase.
+Nmap scan report for 10.129.243.131
+Host is up, received user-set (0.14s latency).
+Scanned at 2023-10-28 13:45:20 CEST for 264s
+Not shown: 988 filtered tcp ports (no-response)
+PORT     STATE SERVICE       REASON          VERSION
+53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
+80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
+|_http-title: Slandovia Energy
+| http-methods: 
+|   Supported Methods: OPTIONS TRACE GET HEAD POST
+|_  Potentially risky methods: TRACE
+88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-10-28 12:47:30Z)
+135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
+139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
+389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
+445/tcp  open  microsoft-ds? syn-ack ttl 127
+464/tcp  open  kpasswd5?     syn-ack ttl 127
+593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
+636/tcp  open  tcpwrapped    syn-ack ttl 127
+3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
+3269/tcp open  tcpwrapped    syn-ack ttl 127
+Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
+Device type: specialized
+Running (JUST GUESSING): AVtech embedded (87%)
+OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
+Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%)
+No exact OS matches for host (test conditions non-ideal).
+TCP/IP fingerprint:
+SCAN(V=7.93%E=4%D=10/28%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=653CF558%P=x86_64-pc-linux-gnu)
+SEQ(SP=103%GCD=1%ISR=109%TI=RD%TS=U)
+OPS(O1=M550NW8NNS%O2=M550NW8NNS%O3=M550NW8%O4=M550NW8NNS%O5=M550NW8NNS%O6=M550NNS)
+WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
+ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M550NW8NNS%CC=Y%Q=)
+T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
+T2(R=N)
+T3(R=N)
+T4(R=N)
+U1(R=N)
+IE(R=Y%DFI=N%TG=80%CD=Z)
+IE(R=N)
+
+Network Distance: 2 hops
+TCP Sequence Prediction: Difficulty=258 (Good luck!)
+IP ID Sequence Generation: Randomized
+Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Host script results:
+| smb2-security-mode: 
+|   311: 
+|_    Message signing enabled and required
+|_clock-skew: 59m57s
+| smb2-time: 
+|   date: 2023-10-28T12:49:11
+|_  start_date: N/A
+| p2p-conficker: 
+|   Checking for Conficker.C or higher...
+|   Check 1 (port 25314/tcp): CLEAN (Timeout)
+|   Check 2 (port 10793/tcp): CLEAN (Timeout)
+|   Check 3 (port 25536/udp): CLEAN (Timeout)
+|   Check 4 (port 25523/udp): CLEAN (Timeout)
+|_  0/4 checks are positive: Host is CLEAN or ports are blocked
+
+TRACEROUTE (using port 135/tcp)
+HOP RTT       ADDRESS
+1   191.57 ms 10.10.14.1
+2   183.81 ms 10.129.243.131
+
+Read data files from: /usr/bin/../share/nmap
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:44 2023 -- 1 IP address (1 host up) scanned in 278.93 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/Nmap MSRPC.md

@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 135 --script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:47 CEST for 1s
+
+PORT    STATE    SERVICE REASON      VERSION
+135/tcp filtered msrpc   no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:48 2023 -- 1 IP address (1 host up) scanned in 3.66 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/get-arch.md

@@ -0,0 +1,15 @@
+```bash
+impacket-getArch -target 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_architecture.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_architecture.txt):
+
+```
+Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
+
+[*] Gathering OS architecture for 1 machines
+[*] Socket connect timeout set to 2 secs
+[-] 10.129.243.131: Could not connect: timed out
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/rpcdump.md

@@ -0,0 +1,15 @@
+```bash
+impacket-rpcdump -port 135 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_rpcdump.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_rpcdump.txt):
+
+```
+Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
+
+[*] Retrieving endpoint list from 10.129.243.131
+[-] Protocol failed: Could not connect: timed out
+[*] No endpoints found.
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/Enum4Linux.md

@@ -0,0 +1,148 @@
+```bash
+enum4linux -a -M -l -d 10.129.243.131 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/enum4linux.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/enum4linux.txt):
+
+```
+Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Oct 28 13:49:45 2023
+
+ =========================================( Target Information )=========================================
+
+Target ........... 10.129.243.131
+RID Range ........ 500-550,1000-1050
+Username ......... ''
+Password ......... ''
+Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
+
+
+ ===========================( Enumerating Workgroup/Domain on 10.129.243.131 )===========================
+
+
+[E] Can't find workgroup/domain
+
+
+
+ ===============================( Nbtstat Information for 10.129.243.131 )===============================
+
+Looking up status of 10.129.243.131
+No reply from 10.129.243.131
+
+ ==================================( Session Check on 10.129.243.131 )==================================
+
+
+[+] Server 10.129.243.131 allows sessions using username '', password ''
+
+
+ ==========================( Getting information via LDAP for 10.129.243.131 )==========================
+
+
+[+] 10.129.243.131 appears to be a child DC
+
+
+ ===============================( Getting domain SID for 10.129.243.131 )===============================
+
+Domain Name: MEGACORP
+Domain Sid: S-1-5-21-855300830-391258870-456067225
+
+[+] Host is part of a domain (not a workgroup)
+
+
+ ==================================( OS information on 10.129.243.131 )==================================
+
+
+[E] Can't get OS info with smbclient
+
+
+[+] Got OS info for 10.129.243.131 from srvinfo:
+do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
+
+
+ ======================================( Users on 10.129.243.131 )======================================
+
+
+[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
+
+
+
+[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
+
+
+ ===============================( Machine Enumeration on 10.129.243.131 )===============================
+
+
+[E] Not implemented in this version of enum4linux.
+
+
+ ================================( Share Enumeration on 10.129.243.131 )================================
+
+do_connect: Connection to 10.129.243.131 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
+
+	Sharename       Type      Comment
+	---------       ----      -------
+Reconnecting with SMB1 for workgroup listing.
+Unable to connect with SMB1 -- no workgroup available
+
+[+] Attempting to map shares on 10.129.243.131
+
+
+ ===========================( Password Policy Information for 10.129.243.131 )===========================
+
+
+[E] Unexpected error from polenum:
+
+
+
+[+] Attaching to 10.129.243.131 using a NULL share
+
+[+] Trying protocol 139/SMB...
+
+	[!] Protocol failed: Cannot request session (Called Name:10.129.243.131)
+
+[+] Trying protocol 445/SMB...
+
+	[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
+
+
+
+[E] Failed to get password policy with rpcclient
+
+
+
+ ======================================( Groups on 10.129.243.131 )======================================
+
+
+[+] Getting builtin groups:
+
+
+[+]  Getting builtin group memberships:
+
+
+[+]  Getting local groups:
+
+
+[+]  Getting local group memberships:
+
+
+[+]  Getting domain groups:
+
+
+[+]  Getting domain group memberships:
+
+
+ =================( Users on 10.129.243.131 via RID cycling (RIDS: 500-550,1000-1050) )=================
+
+
+[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.
+
+
+ ==============================( Getting printer info for 10.129.243.131 )==============================
+
+do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
+
+
+enum4linux complete on Sat Oct 28 13:50:18 2023
+
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/Nmap SMB.md

@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:46 2023 as: nmap -vv --reason -Pn -T4 -sV -p 139 "--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:47 CEST for 2s
+
+PORT    STATE    SERVICE     REASON      VERSION
+139/tcp filtered netbios-ssn no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.71 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/SMBClient.md

@@ -0,0 +1,11 @@
+```bash
+smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbclient.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbclient.txt):
+
+```
+do_connect: Connection to 10.129.243.131 failed (Error NT_STATUS_IO_TIMEOUT)
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/SMBMap.md

@@ -0,0 +1,66 @@
+```bash
+smbmap -H 10.129.243.131 -P 139 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -H 10.129.243.131 -P 139 -R 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/nbtscan.md

@@ -0,0 +1,12 @@
+```bash
+nbtscan -rvh 10.129.243.131 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/nbtscan.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/nbtscan.txt):
+
+```
+Doing NBT name scan for addresses from 10.129.243.131
+
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-3268-ldap/Nmap LDAP.md

@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:46 2023 as: nmap -vv --reason -Pn -T4 -sV -p 3268 "--script=banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:48 CEST for 1s
+
+PORT     STATE    SERVICE       REASON      VERSION
+3268/tcp filtered globalcatLDAP no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.69 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-389-ldap/Nmap LDAP.md

@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 389 "--script=banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:48 CEST for 1s
+
+PORT    STATE    SERVICE REASON      VERSION
+389/tcp filtered ldap    no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.72 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-445-microsoft-ds/Nmap SMB.md

@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 445 "--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:47 CEST for 2s
+
+PORT    STATE    SERVICE      REASON      VERSION
+445/tcp filtered microsoft-ds no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.64 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-445-microsoft-ds/SMBMap.md

@@ -0,0 +1,66 @@
+```bash
+smbmap -H 10.129.243.131 -P 445 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -H 10.129.243.131 -P 445 -R 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-464-kpasswd5/Nmap Kerberos.md

@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:46 2023 as: nmap -vv --reason -Pn -T4 -sV -p 464 --script=banner,krb5-enum-users -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:47 CEST for 1s
+
+PORT    STATE    SERVICE  REASON      VERSION
+464/tcp filtered kpasswd5 no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.44 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/DNS Reverse Lookup.md

@@ -0,0 +1,18 @@
+```bash
+dig -p 53 -x 10.129.243.131 @10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_reverse-lookup.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_reverse-lookup.txt):
+
+```
+;; communications error to 10.129.243.131#53: timed out
+;; communications error to 10.129.243.131#53: timed out
+;; communications error to 10.129.243.131#53: timed out
+
+; <<>> DiG 9.18.11-2-Debian <<>> -p 53 -x 10.129.243.131 @10.129.243.131
+;; global options: +cmd
+;; no servers could be reached
+
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/DNS Zone Transfer.md

@@ -0,0 +1,19 @@
+```bash
+dig AXFR -p 53 @10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_zone-transfer.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_zone-transfer.txt):
+
+```
+;; communications error to 10.129.243.131#53: timed out
+;; communications error to 10.129.243.131#53: timed out
+;; communications error to 10.129.243.131#53: timed out
+
+; <<>> DiG 9.18.11-2-Debian <<>> AXFR -p 53 @10.129.243.131
+; (1 server found)
+;; global options: +cmd
+;; no servers could be reached
+
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/Nmap DNS.md

@@ -0,0 +1,23 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 53 "--script=banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:47 CEST for 2s
+
+PORT   STATE    SERVICE REASON      VERSION
+53/tcp filtered domain  no-response
+
+Host script results:
+|_dns-brute: Can't guess domain of "10.129.243.131"; use dns-brute.domain script argument.
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.81 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-593-ncacn_http/rpcdump.md

@@ -0,0 +1,15 @@
+```bash
+impacket-rpcdump -port 593 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp593/tcp_593_rpc_rpcdump.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp593/tcp_593_rpc_rpcdump.txt):
+
+```
+Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
+
+[*] Retrieving endpoint list from 10.129.243.131
+[-] Protocol failed: Could not connect: timed out
+[*] No endpoints found.
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Curl Robots.md

@@ -0,0 +1,3 @@
+```bash
+curl -sSikf http://10.129.243.131:80/robots.txt
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Curl.md

@@ -0,0 +1,60 @@
+```bash
+curl -sSik http://10.129.243.131:80/
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_curl.html](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_curl.html):
+
+```
+HTTP/1.1 200 OK
+Content-Type: text/html
+Last-Modified: Fri, 20 Aug 2021 13:39:48 GMT
+Accept-Ranges: bytes
+ETag: "0eaf6d7c895d71:0"
+Server: Microsoft-IIS/10.0
+Date: Sat, 28 Oct 2023 12:50:12 GMT
+Content-Length: 1034
+
+<!DOCTYPE html>
+<html lang="en" >
+<head>
+  <meta charset="UTF-8">
+  <title>Slandovia Energy</title>
+  <link rel='stylesheet' href='https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.2/themes/smoothness/jquery-ui.css'><link rel="stylesheet" href="./style.css">
+<script src="https://cdnjs.cloudflare.com/ajax/libs/prefixfree/1.0.7/prefixfree.min.js"></script>
+
+</head>
+<body>
+<!-- partial:index.partial.html -->
+<link href='https://fonts.googleapis.com/css?family=Open+Sans|Maven+Pro:500' rel='stylesheet' type='text/css'>
+<div class="deco topdeco">
+  <span></span>
+  <span></span>
+  <span></span>
+  <span></span>
+  </div>
+
+  <h1>MegaCorp</h1>
+  <h3>
+    Slandovia Energy Grid
+  </h3>
+
+ <section class="list-wrap">
+
+   <label for="search-text">Check Status</label>
+  <input type="text" id="search-text" placeholder="search" class="search-box">
+    <span class="list-count"></span>
+
+
+<ul id="list">
+  <span class="empty-item">no results</span>
+</ul>
+   </section>
+
+<!-- partial -->
+<script  src="./script.js"></script>
+
+</body>
+</html>
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Directory Buster.md

@@ -0,0 +1,18 @@
+```bash
+feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt):
+
+```
+200      GET       25l       72w      692c http://10.129.243.131/script.js
+200      GET      215l      294w     3166c http://10.129.243.131/style.css
+200      GET       41l       66w     1034c http://10.129.243.131/
+200      GET       41l       66w     1034c http://10.129.243.131/Index.html
+200      GET        8l      168w     1092c http://10.129.243.131/LICENSE.txt
+200      GET        1l       14w      116c http://10.129.243.131/Search.php
+200      GET       41l       66w     1034c http://10.129.243.131/index.html
+200      GET        8l      168w     1092c http://10.129.243.131/license.txt
+200      GET        1l       14w      116c http://10.129.243.131/search.php
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Known Security.md

@@ -0,0 +1,3 @@
+```bash
+curl -sSikf http://10.129.243.131:80/.well-known/security.txt
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Nmap HTTP.md

@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:48 CEST for 1s
+
+PORT   STATE    SERVICE REASON      VERSION
+80/tcp filtered http    no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 4.02 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/whatweb.md

@@ -0,0 +1,10 @@
+```bash
+whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_whatweb.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_whatweb.txt):
+
+```
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/wkhtmltoimage.md

@@ -0,0 +1,3 @@
+```bash
+wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-88-kerberos-sec/Nmap Kerberos.md

@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 88 --script=banner,krb5-enum-users -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:47 CEST for 1s
+
+PORT   STATE    SERVICE      REASON      VERSION
+88/tcp filtered kerberos-sec no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:48 2023 -- 1 IP address (1 host up) scanned in 3.64 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-123-ntp/Nmap NTP.md

@@ -0,0 +1,22 @@
+```bash
+nmap -vv --reason -Pn -T4 -sU -sV -p 123 --script="banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 14:15:18 2023 as: nmap -vv --reason -Pn -T4 -sU -sV -p 123 "--script=banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.056s latency).
+Scanned at 2023-10-28 14:15:19 CEST for 10s
+
+PORT    STATE SERVICE REASON               VERSION
+123/udp open  ntp     udp-response ttl 127 NTP v3
+| ntp-info: 
+|_  receive time stamp: 2023-10-28T12:15:20
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:15:29 2023 -- 1 IP address (1 host up) scanned in 11.02 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/DNS Reverse Lookup.md

@@ -0,0 +1,29 @@
+```bash
+dig -p 53 -x 10.129.243.131 @10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_reverse-lookup.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_reverse-lookup.txt):
+
+```
+;; communications error to 10.129.243.131#53: timed out
+;; communications error to 10.129.243.131#53: timed out
+
+; <<>> DiG 9.18.11-2-Debian <<>> -p 53 -x 10.129.243.131 @10.129.243.131
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16548
+;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4000
+;; QUESTION SECTION:
+;131.243.129.10.in-addr.arpa.	IN	PTR
+
+;; Query time: 4303 msec
+;; SERVER: 10.129.243.131#53(10.129.243.131) (UDP)
+;; WHEN: Sat Oct 28 14:15:33 CEST 2023
+;; MSG SIZE  rcvd: 56
+
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/DNS Zone Transfer.md

@@ -0,0 +1,21 @@
+```bash
+dig AXFR -p 53 @10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_zone-transfer.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_zone-transfer.txt):
+
+```
+;; communications error to 10.129.243.131#53: timed out
+;; communications error to 10.129.243.131#53: timed out
+
+; <<>> DiG 9.18.11-2-Debian <<>> AXFR -p 53 @10.129.243.131
+; (1 server found)
+;; global options: +cmd
+;; Query time: 4299 msec
+;; SERVER: 10.129.243.131#53(10.129.243.131) (UDP)
+;; WHEN: Sat Oct 28 14:15:33 CEST 2023
+;; MSG SIZE  rcvd: 28
+
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/Nmap DNS.md

@@ -0,0 +1,40 @@
+```bash
+nmap -vv --reason -Pn -T4 -sU -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 14:15:18 2023 as: nmap -vv --reason -Pn -T4 -sU -sV -p 53 "--script=banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set.
+Scanned at 2023-10-28 14:15:19 CEST for 116s
+
+PORT   STATE SERVICE REASON       VERSION
+53/udp open  domain? udp-response
+| fingerprint-strings: 
+|   DNS-SD: 
+|     _services
+|     _dns-sd
+|     _udp
+|_    local
+| dns-nsec3-enum: 
+|_  DNSSEC NSEC3 not supported
+|_dns-cache-snoop: 0 of 100 tested domains are cached.
+| dns-nsec-enum: 
+|_  No NSEC records found
+1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+SF-Port53-UDP:V=7.93%I=7%D=10/28%Time=653CFB97%P=x86_64-pc-linux-gnu%r(AFS
+SF:VersionRequest,20,"\0\0\x83\x81\0\0\0\0\0\0\0e\0\0\0\0\0\0\0\0\r\x05\0\
+SF:0\0\0\0\0\0\0\0\0")%r(DNS-SD,2E,"\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_servi
+SF:ces\x07_dns-sd\x04_udp\x05local\0\0\x0c\0\x01");
+
+Host script results:
+| dns-brute: 
+|_  DNS Brute-force hostnames: No results.
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:17:15 2023 -- 1 IP address (1 host up) scanned in 116.97 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_commands.log

@@ -0,0 +1,288 @@
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
+
+dig -p 53 -x 10.129.243.131 @10.129.243.131
+
+dig AXFR -p 53 @10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131
+
+feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
+
+curl -sSikf http://10.129.243.131:80/.well-known/security.txt
+
+curl -sSikf http://10.129.243.131:80/robots.txt
+
+curl -sSik http://10.129.243.131:80/
+
+nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131
+
+whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1
+
+wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
+
+nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131
+
+impacket-getArch -target 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131
+
+impacket-rpcdump -port 135 10.129.243.131
+
+enum4linux -a -M -l -d 10.129.243.131 2>&1
+
+nbtscan -rvh 10.129.243.131 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131
+
+smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
+
+smbmap -H 10.129.243.131 -P 139 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131
+
+smbmap -H 10.129.243.131 -P 445 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131
+
+impacket-rpcdump -port 593 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 49667 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/tcp_49667_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/xml/tcp_49667_rpc_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 49673 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/tcp_49673_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/xml/tcp_49673_rpc_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 49695 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/tcp_49695_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/xml/tcp_49695_rpc_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 49843 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/tcp_49843_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/xml/tcp_49843_rpc_nmap.xml" 10.129.243.131
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1
+
+smbmap -H 10.129.243.131 -P 139 -R 2>&1
+
+smbmap -H 10.129.243.131 -P 445 -R 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1
+
+smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+
+smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
+
+dig -p 53 -x 10.129.243.131 @10.129.243.131
+
+dig AXFR -p 53 @10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131
+
+feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
+
+curl -sSikf http://10.129.243.131:80/.well-known/security.txt
+
+curl -sSikf http://10.129.243.131:80/robots.txt
+
+curl -sSik http://10.129.243.131:80/
+
+nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131
+
+whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1
+
+wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
+
+nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131
+
+impacket-getArch -target 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131
+
+impacket-rpcdump -port 135 10.129.243.131
+
+enum4linux -a -M -l -d 10.129.243.131 2>&1
+
+nbtscan -rvh 10.129.243.131 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131
+
+smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
+
+smbmap -H 10.129.243.131 -P 139 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131
+
+smbmap -H 10.129.243.131 -P 445 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131
+
+impacket-rpcdump -port 593 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1
+
+smbmap -H 10.129.243.131 -P 139 -R 2>&1
+
+smbmap -H 10.129.243.131 -P 445 -R 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1
+
+smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+
+smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+
+dig -p 53 -x 10.129.243.131 @10.129.243.131
+
+dig AXFR -p 53 @10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -sV -p 123 --script="banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
+
+dnsrecon -n 10.129.243.131 -d megacorp.htb 2>&1
+
+dig -p 53 -x 10.129.243.131 @10.129.243.131
+
+dig AXFR -p 53 @10.129.243.131 megacorp.htb
+
+nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131
+
+gobuster dns -d megacorp.htb -r 10.129.243.131 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_megacorp.htb_subdomains_subdomains-top1million-110000.txt"
+
+feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
+
+curl -sSikf http://10.129.243.131:80/.well-known/security.txt
+
+curl -sSikf http://10.129.243.131:80/robots.txt
+
+curl -sSik http://10.129.243.131:80/
+
+nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131
+
+curl -sk -o /dev/null -H "Host: buoTkusKMRHQqExxyMge.megacorp.htb" http://megacorp.htb:80/ -w "%{size_download}"
+
+whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1
+
+wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
+
+nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" --script-args krb5-enum-users.realm="megacorp.htb",userdb="/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131
+
+impacket-getArch -target 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131
+
+impacket-rpcdump -port 135 10.129.243.131
+
+enum4linux -a -M -l -d 10.129.243.131 2>&1
+
+nbtscan -rvh 10.129.243.131 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131
+
+smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
+
+smbmap -H 10.129.243.131 -P 139 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131
+
+smbmap -H 10.129.243.131 -P 445 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" --script-args krb5-enum-users.realm="megacorp.htb",userdb="/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131
+
+impacket-rpcdump -port 593 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 49667 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/tcp_49667_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/xml/tcp_49667_rpc_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 49695 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/tcp_49695_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/xml/tcp_49695_rpc_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 49843 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/tcp_49843_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/xml/tcp_49843_rpc_nmap.xml" 10.129.243.131
+
+ffuf -u http://megacorp.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.megacorp.htb" -fs 1034 -noninteractive -s | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_megacorp.htb_vhosts_subdomains-top1million-110000.txt"
+
+dig AXFR -p 53 @10.129.243.131
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1
+
+smbmap -H 10.129.243.131 -P 445 -R 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1
+
+smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1
+
+smbmap -H 10.129.243.131 -P 139 -R 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1
+
+smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+
+dnsrecon -n 10.129.243.131 -d megacorp.htb 2>&1
+
+dig -p 53 -x 10.129.243.131 @10.129.243.131
+
+dig AXFR -p 53 @10.129.243.131 megacorp.htb
+
+nmap -vv --reason -Pn -T4 -sU -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml" 10.129.243.131
+
+gobuster dns -d megacorp.htb -r 10.129.243.131 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_megacorp.htb_subdomains_subdomains-top1million-110000.txt"
+
+nmap -vv --reason -Pn -T4 -sU -sV -p 88 --script="banner,krb5-enum-users" --script-args krb5-enum-users.realm="megacorp.htb",userdb="/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp88/udp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp88/xml/udp_88_kerberos_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -sV -p 123 --script="banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml" 10.129.243.131
+
+dig AXFR -p 53 @10.129.243.131
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_errors.log

@@ -0,0 +1,56 @@
+[*] Service scan DNS Reverse Lookup (tcp/53/domain/dns-reverse-lookup) ran a command which returned a non-zero exit code (9).
+[-] Command: dig -p 53 -x 10.129.243.131 @10.129.243.131
+[-] Error Output:
+
+
+[*] Service scan DNS Zone Transfer (tcp/53/domain/dns-zone-transfer) ran a command which returned a non-zero exit code (9).
+[-] Command: dig AXFR -p 53 @10.129.243.131
+[-] Error Output:
+
+
+[*] Service scan wkhtmltoimage (tcp/80/http/wkhtmltoimage) ran a command which returned a non-zero exit code (1).
+[-] Command: wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
+[-] Error Output:
+QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
+Loading page (1/2)
+[>                                                           ] 0%
+[==============================>                             ] 50%
+[==============================>                             ] 50%
+Warning: Failed to load https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.2/themes/smoothness/jquery-ui.css (ignore)
+Error: Failed to load https://fonts.googleapis.com/css?family=Open+Sans%7CMaven+Pro:500, with network status code 3 and http status code 0 - Host fonts.googleapis.com not found
+Error: Failed to load https://cdnjs.cloudflare.com/ajax/libs/prefixfree/1.0.7/prefixfree.min.js, with network status code 3 and http status code 0 - Host cdnjs.cloudflare.com not found
+libva info: VA-API version 1.17.0
+libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
+libva info: Found init function __vaDriverInit_1_17
+libva error: /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so init failed
+libva info: va_openDriver() returns 1
+libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so
+libva info: Found init function __vaDriverInit_1_8
+libva info: va_openDriver() returns 0
+[============================================================] 100%
+Rendering (2/2)
+[>                                                           ] 0%
+[===============>                                            ] 25%
+[============================================================] 100%
+Done
+Exit with code 1 due to network error: HostNotFoundError
+
+
+[*] Service scan SMBClient (tcp/139/netbios-ssn/smbclient) ran a command which returned a non-zero exit code (1).
+[-] Command: smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
+[-] Error Output:
+
+
+[*] Service scan DNS Reverse Lookup (tcp/53/domain/dns-reverse-lookup) ran a command which returned a non-zero exit code (9).
+[-] Command: dig -p 53 -x 10.129.243.131 @10.129.243.131
+[-] Error Output:
+
+
+[*] Service scan DNS Zone Transfer (tcp/53/domain/dns-zone-transfer) ran a command which returned a non-zero exit code (9).
+[-] Command: dig AXFR -p 53 @10.129.243.131
+[-] Error Output:
+
+
+[*] Service scan DnsRecon Default Scan (tcp/53/domain/dnsrecon) ran a command which returned a non-zero exit code (1).
+[-] Command: dnsrecon -n 10.129.243.131 -d megacorp.htb 2>&1
+[-] Error Output:

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt

@@ -0,0 +1,77 @@
+# Nmap 7.93 scan initiated Sat Oct 28 14:23:46 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.041s latency).
+Scanned at 2023-10-28 14:23:47 CEST for 245s
+Not shown: 65517 filtered tcp ports (no-response)
+PORT      STATE SERVICE       REASON          VERSION
+53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
+80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
+|_http-server-header: Microsoft-IIS/10.0
+|_http-title: Slandovia Energy
+| http-methods: 
+|   Supported Methods: OPTIONS TRACE GET HEAD POST
+|_  Potentially risky methods: TRACE
+88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-10-28 12:26:10Z)
+135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
+139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
+389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
+445/tcp   open  microsoft-ds? syn-ack ttl 127
+464/tcp   open  kpasswd5?     syn-ack ttl 127
+593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
+636/tcp   open  tcpwrapped    syn-ack ttl 127
+3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
+3269/tcp  open  tcpwrapped    syn-ack ttl 127
+5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+|_http-title: Not Found
+|_http-server-header: Microsoft-HTTPAPI/2.0
+9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
+49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
+49674/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
+49695/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
+49843/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
+Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
+OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
+No OS matches for host
+TCP/IP fingerprint:
+SCAN(V=7.93%E=4%D=10/28%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=653CFE48%P=x86_64-pc-linux-gnu)
+SEQ(SP=101%GCD=1%ISR=10D%TI=I%II=I%SS=S%TS=U)
+SEQ(SP=101%GCD=1%ISR=10D%TI=I%II=I%TS=U)
+OPS(O1=M550NW8NNS%O2=M550NW8NNS%O3=M550NW8%O4=M550NW8NNS%O5=M550NW8NNS%O6=M550NNS)
+WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
+ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M550NW8NNS%CC=Y%Q=)
+T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
+T2(R=N)
+T3(R=N)
+T4(R=N)
+U1(R=N)
+IE(R=Y%DFI=N%TG=80%CD=Z)
+
+Network Distance: 2 hops
+TCP Sequence Prediction: Difficulty=257 (Good luck!)
+IP ID Sequence Generation: Incremental
+Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Host script results:
+|_clock-skew: 0s
+| p2p-conficker: 
+|   Checking for Conficker.C or higher...
+|   Check 1 (port 25314/tcp): CLEAN (Timeout)
+|   Check 2 (port 10793/tcp): CLEAN (Timeout)
+|   Check 3 (port 25536/udp): CLEAN (Timeout)
+|   Check 4 (port 25523/udp): CLEAN (Timeout)
+|_  0/4 checks are positive: Host is CLEAN or ports are blocked
+| smb2-time: 
+|   date: 2023-10-28T12:27:13
+|_  start_date: N/A
+| smb2-security-mode: 
+|   311: 
+|_    Message signing enabled and required
+
+TRACEROUTE (using port 135/tcp)
+HOP RTT      ADDRESS
+1   35.29 ms 10.10.14.1
+2   35.21 ms megacorp.htb (10.129.243.131)
+
+Read data files from: /usr/bin/../share/nmap
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:27:52 2023 -- 1 IP address (1 host up) scanned in 246.21 seconds

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_manual_commands.txt

@@ -0,0 +1,338 @@
+[*] domain on tcp/53
+
+	[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt
+
+	[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt
+
+[*] http on tcp/80
+
+	[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
+
+		feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
+
+	[-] Credential bruteforcing commands (don't run these without modifying them):
+
+		hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area
+
+		medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area
+
+		hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
+
+		medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
+
+	[-] (nikto) old but generally reliable web server enumeration tool:
+
+		nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt"
+
+	[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
+
+		wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt"
+
+[*] msrpc on tcp/135
+
+	[-] RPC Client:
+
+		rpcclient -p 135 -U "" 10.129.243.131
+
+[*] netbios-ssn on tcp/139
+
+	[-] Bruteforce SMB
+
+		crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
+
+	[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
+
+		nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131
+
+[*] ldap on tcp/389
+
+	[-] ldapsearch command (modify before running):
+
+		ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt"
+
+[*] microsoft-ds on tcp/445
+
+	[-] Bruteforce SMB
+
+		crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
+
+	[-] Lookup SIDs
+
+		impacket-lookupsid '[username]:[password]@10.129.243.131'
+
+	[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
+
+		nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131
+
+[*] ldap on tcp/3268
+
+	[-] ldapsearch command (modify before running):
+
+		ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt"
+
+[*] wsman on tcp/5985
+
+	[-] Bruteforce logins:
+
+		crackmapexec winrm 10.129.243.131 -d '<domain>' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
+
+	[-] Check login (requires credentials):
+
+		crackmapexec winrm 10.129.243.131 -d '<domain>' -u '<username>' -p '<password>'
+
+	[-] Evil WinRM (gem install evil-winrm):
+
+		evil-winrm -u '<user>' -p '<password>' -i 10.129.243.131
+
+		evil-winrm -u '<user>' -H '<hash>' -i 10.129.243.131
+
+[*] msrpc on tcp/49667
+
+	[-] RPC Client:
+
+		rpcclient -p 49667 -U "" 10.129.243.131
+
+[*] msrpc on tcp/49673
+
+	[-] RPC Client:
+
+		rpcclient -p 49673 -U "" 10.129.243.131
+
+[*] msrpc on tcp/49695
+
+	[-] RPC Client:
+
+		rpcclient -p 49695 -U "" 10.129.243.131
+
+[*] msrpc on tcp/49843
+
+	[-] RPC Client:
+
+		rpcclient -p 49843 -U "" 10.129.243.131
+
+[*] domain on tcp/53
+
+	[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt
+
+	[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt
+
+[*] http on tcp/80
+
+	[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
+
+		feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
+
+	[-] Credential bruteforcing commands (don't run these without modifying them):
+
+		hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area
+
+		medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area
+
+		hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
+
+		medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
+
+	[-] (nikto) old but generally reliable web server enumeration tool:
+
+		nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt"
+
+	[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
+
+		wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt"
+
+[*] msrpc on tcp/135
+
+	[-] RPC Client:
+
+		rpcclient -p 135 -U "" 10.129.243.131
+
+[*] netbios-ssn on tcp/139
+
+	[-] Bruteforce SMB
+
+		crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
+
+	[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
+
+		nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131
+
+[*] ldap on tcp/389
+
+	[-] ldapsearch command (modify before running):
+
+		ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt"
+
+[*] microsoft-ds on tcp/445
+
+	[-] Bruteforce SMB
+
+		crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
+
+	[-] Lookup SIDs
+
+		impacket-lookupsid '[username]:[password]@10.129.243.131'
+
+	[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
+
+		nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131
+
+[*] ldap on tcp/3268
+
+	[-] ldapsearch command (modify before running):
+
+		ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt"
+
+[*] wsman on tcp/5985
+
+	[-] Bruteforce logins:
+
+		crackmapexec winrm 10.129.243.131 -d '<domain>' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
+
+	[-] Check login (requires credentials):
+
+		crackmapexec winrm 10.129.243.131 -d '<domain>' -u '<username>' -p '<password>'
+
+	[-] Evil WinRM (gem install evil-winrm):
+
+		evil-winrm -u '<user>' -p '<password>' -i 10.129.243.131
+
+		evil-winrm -u '<user>' -H '<hash>' -i 10.129.243.131
+
+[*] domain on udp/53
+
+	[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_subdomain_bruteforce.txt
+
+	[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_default_manual.txt
+
+[*] domain on tcp/53
+
+	[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
+
+		dnsrecon -n 10.129.243.131 -d megacorp.htb -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt
+
+	[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt
+
+[*] http on tcp/80
+
+	[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
+
+		feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
+
+	[-] Credential bruteforcing commands (don't run these without modifying them):
+
+		hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area
+
+		medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area
+
+		hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
+
+		medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
+
+	[-] (nikto) old but generally reliable web server enumeration tool:
+
+		nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt"
+
+	[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
+
+		wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt"
+
+[*] msrpc on tcp/135
+
+	[-] RPC Client:
+
+		rpcclient -p 135 -U "" 10.129.243.131
+
+[*] netbios-ssn on tcp/139
+
+	[-] Bruteforce SMB
+
+		crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
+
+	[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
+
+		nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131
+
+[*] ldap on tcp/389
+
+	[-] ldapsearch command (modify before running):
+
+		ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt"
+
+[*] microsoft-ds on tcp/445
+
+	[-] Bruteforce SMB
+
+		crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
+
+	[-] Lookup SIDs
+
+		impacket-lookupsid '[username]:[password]@10.129.243.131'
+
+	[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
+
+		nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131
+
+[*] ldap on tcp/3268
+
+	[-] ldapsearch command (modify before running):
+
+		ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt"
+
+[*] wsman on tcp/5985
+
+	[-] Bruteforce logins:
+
+		crackmapexec winrm 10.129.243.131 -d 'megacorp.htb' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
+
+	[-] Check login (requires credentials):
+
+		crackmapexec winrm 10.129.243.131 -d 'megacorp.htb' -u '<username>' -p '<password>'
+
+	[-] Evil WinRM (gem install evil-winrm):
+
+		evil-winrm -u '<user>' -p '<password>' -i 10.129.243.131
+
+		evil-winrm -u '<user>' -H '<hash>' -i 10.129.243.131
+
+[*] msrpc on tcp/49667
+
+	[-] RPC Client:
+
+		rpcclient -p 49667 -U "" 10.129.243.131
+
+[*] msrpc on tcp/49695
+
+	[-] RPC Client:
+
+		rpcclient -p 49695 -U "" 10.129.243.131
+
+[*] msrpc on tcp/49843
+
+	[-] RPC Client:
+
+		rpcclient -p 49843 -U "" 10.129.243.131
+
+[*] domain on udp/53
+
+	[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
+
+		dnsrecon -n 10.129.243.131 -d megacorp.htb -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_subdomain_bruteforce.txt
+
+	[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_default_manual.txt
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_patterns.log

@@ -0,0 +1,8 @@
+Identified Architecture: 64-bit
+
+Identified HTTP Server: Microsoft-IIS/10.0
+
+Identified Architecture: 64-bit
+
+Identified HTTP Server: Microsoft-IIS/10.0
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt

@@ -0,0 +1,67 @@
+# Nmap 7.93 scan initiated Sat Oct 28 14:23:46 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.061s latency).
+Scanned at 2023-10-28 14:23:46 CEST for 449s
+Not shown: 988 filtered tcp ports (no-response)
+PORT     STATE SERVICE       REASON          VERSION
+53/tcp   open  domain?       syn-ack ttl 127
+80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
+|_http-title: Slandovia Energy
+| http-methods: 
+|   Supported Methods: OPTIONS TRACE GET HEAD POST
+|_  Potentially risky methods: TRACE
+88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-10-28 12:23:58Z)
+135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
+139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
+389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
+445/tcp  open  microsoft-ds? syn-ack ttl 127
+464/tcp  open  kpasswd5?     syn-ack ttl 127
+593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
+636/tcp  open  tcpwrapped    syn-ack ttl 127
+3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
+3269/tcp open  tcpwrapped    syn-ack ttl 127
+Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
+OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
+No OS matches for host
+TCP/IP fingerprint:
+SCAN(V=7.93%E=4%D=10/28%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=653CFF13%P=x86_64-pc-linux-gnu)
+SEQ(SP=108%GCD=1%ISR=10A%TS=U)
+OPS(O1=M550NW8NNS%O2=M550NW8NNS%O3=M550NW8%O4=M550NW8NNS%O5=M550NW8NNS%O6=M550NNS)
+WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
+ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M550NW8NNS%CC=Y%Q=)
+T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
+T2(R=N)
+T3(R=N)
+T4(R=N)
+U1(R=N)
+IE(R=Y%DFI=N%TG=80%CD=Z)
+
+Network Distance: 2 hops
+TCP Sequence Prediction: Difficulty=264 (Good luck!)
+IP ID Sequence Generation: Busy server or unknown class
+Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Host script results:
+| smb2-security-mode: 
+|   311: 
+|_    Message signing enabled and required
+|_clock-skew: 0s
+| smb2-time: 
+|   date: 2023-10-28T12:30:36
+|_  start_date: N/A
+| p2p-conficker: 
+|   Checking for Conficker.C or higher...
+|   Check 1 (port 25314/tcp): CLEAN (Timeout)
+|   Check 2 (port 10793/tcp): CLEAN (Timeout)
+|   Check 3 (port 25536/udp): CLEAN (Timeout)
+|   Check 4 (port 25523/udp): CLEAN (Timeout)
+|_  0/4 checks are positive: Host is CLEAN or ports are blocked
+
+TRACEROUTE (using port 53/tcp)
+HOP RTT      ADDRESS
+1   74.01 ms 10.10.14.1
+2   74.05 ms megacorp.htb (10.129.243.131)
+
+Read data files from: /usr/bin/../share/nmap
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:31:15 2023 -- 1 IP address (1 host up) scanned in 449.29 seconds

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt

@@ -0,0 +1,38 @@
+# Nmap 7.93 scan initiated Sat Oct 28 14:23:46 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.055s latency).
+Scanned at 2023-10-28 14:23:46 CEST for 1767s
+Not shown: 97 open|filtered udp ports (no-response)
+PORT    STATE SERVICE      REASON               VERSION
+53/udp  open  domain       udp-response         (generic dns response: SERVFAIL)
+| fingerprint-strings: 
+|   NBTStat: 
+|_    CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+88/udp  open  kerberos-sec udp-response         Microsoft Windows Kerberos (server time: 2023-10-28 12:23:58Z)
+123/udp open  ntp          udp-response ttl 127 NTP v3
+| ntp-info: 
+|_  receive time stamp: 2023-10-28T12:30:46
+1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+SF-Port53-UDP:V=7.93%I=7%D=10/28%Time=653CFD6C%P=x86_64-pc-linux-gnu%r(NBT
+SF:Stat,32,"\x80\xf0\x80\x82\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAAA
+SF:AAAAAAAA\0\0!\0\x01");
+Too many fingerprints match this host to give specific OS details
+TCP/IP fingerprint:
+SCAN(V=7.93%E=4%D=10/28%OT=%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=653D0439%P=x86_64-pc-linux-gnu)
+U1(R=N)
+IE(R=N)
+
+Network Distance: 2 hops
+Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Host script results:
+|_clock-skew: 14s
+
+TRACEROUTE (using port 123/udp)
+HOP RTT      ADDRESS
+1   44.38 ms 10.10.14.1
+2   57.06 ms megacorp.htb (10.129.243.131)
+
+Read data files from: /usr/bin/../share/nmap
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:53:13 2023 -- 1 IP address (1 host up) scanned in 1767.23 seconds

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_architecture.txt

@@ -0,0 +1,6 @@
+Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
+
+[*] Gathering OS architecture for 1 machines
+[*] Socket connect timeout set to 2 secs
+10.129.243.131 is 64-bit
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt

@@ -0,0 +1,12 @@
+# Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv --reason -Pn -T4 -sV -p 135 --script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.62s latency).
+Scanned at 2023-10-28 14:27:56 CEST for 23s
+
+PORT    STATE SERVICE REASON          VERSION
+135/tcp open  msrpc   syn-ack ttl 127 Microsoft Windows RPC
+Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:28:19 2023 -- 1 IP address (1 host up) scanned in 26.49 seconds

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_rpcdump.txt

@@ -0,0 +1,880 @@
+Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
+
+[*] Retrieving endpoint list from 10.129.243.131
+Protocol: [MS-RSP]: Remote Shutdown Protocol
+Provider: wininit.exe
+UUID    : D95AFE70-A6D5-4259-822E-2C84DA1DDB0D v1.0
+Bindings:
+          ncacn_ip_tcp:10.129.243.131[49664]
+          ncalrpc:[WindowsShutdown]
+          ncacn_np:\\DC[\PIPE\InitShutdown]
+          ncalrpc:[WMsgKRpc089280]
+
+Protocol: N/A
+Provider: winlogon.exe
+UUID    : 76F226C3-EC14-4325-8A99-6A46348418AF v1.0
+Bindings:
+          ncalrpc:[WindowsShutdown]
+          ncacn_np:\\DC[\PIPE\InitShutdown]
+          ncalrpc:[WMsgKRpc089280]
+          ncalrpc:[WMsgKRpc08A621]
+
+Protocol: N/A
+Provider: N/A
+UUID    : D09BDEB5-6171-4A34-BFE2-06FA82652568 v1.0
+Bindings:
+          ncalrpc:[csebpub]
+          ncalrpc:[LRPC-6b54d635557b62ca53]
+          ncalrpc:[LRPC-e71821bbfb97e6ac17]
+          ncalrpc:[LRPC-6b4af19739a6d01556]
+          ncalrpc:[LRPC-baa5dfd3c285fa9f38]
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+          ncalrpc:[LRPC-e71821bbfb97e6ac17]
+          ncalrpc:[LRPC-6b4af19739a6d01556]
+          ncalrpc:[LRPC-baa5dfd3c285fa9f38]
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+          ncalrpc:[LRPC-6b4af19739a6d01556]
+          ncalrpc:[LRPC-baa5dfd3c285fa9f38]
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+          ncalrpc:[LRPC-9e83194e1e5674c55f]
+          ncalrpc:[LRPC-a91e72435259adddfa]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 697DCDA9-3BA9-4EB2-9247-E11F1901B0D2 v1.0
+Bindings:
+          ncalrpc:[LRPC-6b54d635557b62ca53]
+          ncalrpc:[LRPC-e71821bbfb97e6ac17]
+          ncalrpc:[LRPC-6b4af19739a6d01556]
+          ncalrpc:[LRPC-baa5dfd3c285fa9f38]
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 9B008953-F195-4BF9-BDE0-4471971E58ED v1.0
+Bindings:
+          ncalrpc:[LRPC-e71821bbfb97e6ac17]
+          ncalrpc:[LRPC-6b4af19739a6d01556]
+          ncalrpc:[LRPC-baa5dfd3c285fa9f38]
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : DD59071B-3215-4C59-8481-972EDADC0F6A v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 0D47017B-B33B-46AD-9E18-FE96456C5078 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 95406F0B-B239-4318-91BB-CEA3A46FF0DC v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 4ED8ABCC-F1E2-438B-981F-BB0E8ABC010C v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 0FF1F646-13BB-400A-AB50-9A78F2B7A85A v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 6982A06E-5FE2-46B1-B39C-A2C545BFA069 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 082A3471-31B6-422A-B931-A54401960C62 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : FAE436B0-B864-4A87-9EDA-298547CD82F2 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : E53D94CA-7464-4839-B044-09A2FB8B3AE5 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 178D84BE-9291-4994-82C6-3F909ACA5A03 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 4DACE966-A243-4450-AE3F-9B7BCB5315B8 v2.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 1832BCF6-CAB8-41D4-85D2-C9410764F75A v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : C521FACF-09A9-42C5-B155-72388595CBF0 v0.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 2C7FD9CE-E706-4B40-B412-953107EF9BB0 v0.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 88ABCBC3-34EA-76AE-8215-767520655A23 v0.0
+Bindings:
+          ncalrpc:[LRPC-baa5dfd3c285fa9f38]
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 76C217BC-C8B4-4201-A745-373AD9032B1A v1.0
+Bindings:
+          ncalrpc:[LRPC-baa5dfd3c285fa9f38]
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 55E6B932-1979-45D6-90C5-7F6270724112 v1.0
+Bindings:
+          ncalrpc:[LRPC-baa5dfd3c285fa9f38]
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 857FB1BE-084F-4FB5-B59C-4B2C4BE5F0CF v1.0
+Bindings:
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : B8CADBAF-E84B-46B9-84F2-6F71C03F9E55 v1.0
+Bindings:
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 20C40295-8DBA-48E6-AEBF-3E78EF3BB144 v1.0
+Bindings:
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 2513BCBE-6CD4-4348-855E-7EFB3C336DD3 v1.0
+Bindings:
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 0D3E2735-CEA0-4ECC-A9E2-41A2D81AED4E v1.0
+Bindings:
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : C605F9FB-F0A3-4E2A-A073-73560F8D9E3E v1.0
+Bindings:
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 1B37CA91-76B1-4F5E-A3C7-2ABFC61F2BB0 v1.0
+Bindings:
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 8BFC3BE1-6DEF-4E2D-AF74-7C47CD0ADE4A v1.0
+Bindings:
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 2D98A740-581D-41B9-AA0D-A88B9D5CE938 v1.0
+Bindings:
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 0361AE94-0316-4C6C-8AD8-C594375800E2 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 5824833B-3C1A-4AD2-BDFD-C31D19E23ED2 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : BDAA0970-413B-4A3E-9E5D-F6DC9D7E0760 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 3B338D89-6CFA-44B8-847E-531531BC9992 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 8782D3B9-EBBD-4644-A3D8-E8725381919B v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 085B0334-E454-4D91-9B8C-4134F9E793F3 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 4BEC6BB8-B5C2-4B6F-B2C1-5DA5CF92D0D9 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: sysntfy.dll
+UUID    : C9AC6DB5-82B7-4E55-AE8A-E464ED7B4277 v1.0 Impl friendly name
+Bindings:
+          ncalrpc:[LRPC-78c65697da0c3cb9e7]
+          ncalrpc:[LRPC-5d1d91fbc9832f3673]
+          ncalrpc:[IUserProfile2]
+          ncalrpc:[LRPC-7f9f9d7e564fa27a15]
+          ncalrpc:[senssvc]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+          ncalrpc:[LRPC-2d7a6fcd1e6a5d90b0]
+          ncalrpc:[OLE59700168EED37EDF88950A0917DC]
+
+Protocol: N/A
+Provider: nsisvc.dll
+UUID    : 7EA70BCF-48AF-4F6A-8968-6A440754D5FA v1.0 NSI server endpoint
+Bindings:
+          ncalrpc:[LRPC-9ec11ee764d799175d]
+
+Protocol: N/A
+Provider: nrpsrv.dll
+UUID    : 30ADC50C-5CBC-46CE-9A0E-91914789E23C v1.0 NRP server endpoint
+Bindings:
+          ncalrpc:[LRPC-99bbae991f0f6e961a]
+
+Protocol: N/A
+Provider: N/A
+UUID    : E40F7B57-7A25-4CD3-A135-7F7D3DF9D16B v1.0 Network Connection Broker server endpoint
+Bindings:
+          ncalrpc:[LRPC-95313533ddc887d499]
+          ncalrpc:[OLE11E1ADACE4D3F3328245D6CF61B4]
+          ncalrpc:[LRPC-4f7c4b35ddfa33800c]
+          ncalrpc:[LRPC-9e83194e1e5674c55f]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 880FD55E-43B9-11E0-B1A8-CF4EDFD72085 v1.0 KAPI Service endpoint
+Bindings:
+          ncalrpc:[LRPC-95313533ddc887d499]
+          ncalrpc:[OLE11E1ADACE4D3F3328245D6CF61B4]
+          ncalrpc:[LRPC-4f7c4b35ddfa33800c]
+          ncalrpc:[LRPC-9e83194e1e5674c55f]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 5222821F-D5E2-4885-84F1-5F6185A0EC41 v1.0 Network Connection Broker server endpoint for NCB Reset module
+Bindings:
+          ncalrpc:[LRPC-4f7c4b35ddfa33800c]
+          ncalrpc:[LRPC-9e83194e1e5674c55f]
+
+Protocol: N/A
+Provider: N/A
+UUID    : A500D4C6-0DD1-4543-BC0C-D5F93486EAF8 v1.0
+Bindings:
+          ncalrpc:[LRPC-7d4055d4f64c73ef42]
+          ncalrpc:[LRPC-a91e72435259adddfa]
+
+Protocol: N/A
+Provider: dhcpcsvc.dll
+UUID    : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D5 v1.0 DHCP Client LRPC Endpoint
+Bindings:
+          ncalrpc:[dhcpcsvc]
+          ncalrpc:[dhcpcsvc6]
+
+Protocol: N/A
+Provider: dhcpcsvc6.dll
+UUID    : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D6 v1.0 DHCPv6 Client LRPC Endpoint
+Bindings:
+          ncalrpc:[dhcpcsvc6]
+
+Protocol: [MS-EVEN6]: EventLog Remoting Protocol
+Provider: wevtsvc.dll
+UUID    : F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C v1.0 Event log TCPIP
+Bindings:
+          ncacn_ip_tcp:10.129.243.131[49665]
+          ncacn_np:\\DC[\pipe\eventlog]
+          ncalrpc:[eventlog]
+
+Protocol: N/A
+Provider: gpsvc.dll
+UUID    : 2EB08E3E-639F-4FBA-97B1-14F878961076 v1.0 Group Policy RPC Interface
+Bindings:
+          ncalrpc:[LRPC-1e815b36ff28d761c1]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 3A9EF155-691D-4449-8D05-09AD57031823 v1.0
+Bindings:
+          ncacn_ip_tcp:10.129.243.131[49666]
+          ncalrpc:[LRPC-3e1dbf52587c9cea33]
+          ncalrpc:[ubpmtaskhostchannel]
+          ncacn_np:\\DC[\PIPE\atsvc]
+          ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
+
+Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
+Provider: schedsvc.dll
+UUID    : 86D35949-83C9-4044-B424-DB363231FD0C v1.0
+Bindings:
+          ncacn_ip_tcp:10.129.243.131[49666]
+          ncalrpc:[LRPC-3e1dbf52587c9cea33]
+          ncalrpc:[ubpmtaskhostchannel]
+          ncacn_np:\\DC[\PIPE\atsvc]
+          ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 33D84484-3626-47EE-8C6F-E7E98B113BE1 v2.0
+Bindings:
+          ncalrpc:[LRPC-3e1dbf52587c9cea33]
+          ncalrpc:[ubpmtaskhostchannel]
+          ncacn_np:\\DC[\PIPE\atsvc]
+          ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
+
+Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
+Provider: taskcomp.dll
+UUID    : 378E52B0-C0A9-11CF-822D-00AA0051E40F v1.0
+Bindings:
+          ncacn_np:\\DC[\PIPE\atsvc]
+          ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
+
+Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
+Provider: taskcomp.dll
+UUID    : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0
+Bindings:
+          ncacn_np:\\DC[\PIPE\atsvc]
+          ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
+
+Protocol: N/A
+Provider: schedsvc.dll
+UUID    : 0A74EF1C-41A4-4E06-83AE-DC74FB1CDD53 v1.0
+Bindings:
+          ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
+
+Protocol: N/A
+Provider: MPSSVC.dll
+UUID    : 2FB92682-6599-42DC-AE13-BD2CA89BD11C v1.0 Fw APIs
+Bindings:
+          ncalrpc:[LRPC-a3db541015ee3b4092]
+          ncalrpc:[LRPC-25295713f276d13d17]
+          ncalrpc:[LRPC-61500542b0c0f189c2]
+          ncalrpc:[LRPC-3a5ad18195f7896668]
+
+Protocol: N/A
+Provider: N/A
+UUID    : F47433C3-3E9D-4157-AAD4-83AA1F5C2D4C v1.0 Fw APIs
+Bindings:
+          ncalrpc:[LRPC-25295713f276d13d17]
+          ncalrpc:[LRPC-61500542b0c0f189c2]
+          ncalrpc:[LRPC-3a5ad18195f7896668]
+
+Protocol: N/A
+Provider: MPSSVC.dll
+UUID    : 7F9D11BF-7FB9-436B-A812-B2D50C5D4C03 v1.0 Fw APIs
+Bindings:
+          ncalrpc:[LRPC-61500542b0c0f189c2]
+          ncalrpc:[LRPC-3a5ad18195f7896668]
+
+Protocol: N/A
+Provider: BFE.DLL
+UUID    : DD490425-5325-4565-B774-7E27D6C09C24 v1.0 Base Firewall Engine API
+Bindings:
+          ncalrpc:[LRPC-3a5ad18195f7896668]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 7F1343FE-50A9-4927-A778-0C5859517BAC v1.0 DfsDs service
+Bindings:
+          ncacn_np:\\DC[\PIPE\wkssvc]
+          ncalrpc:[LRPC-0a9c64a79e96914cf8]
+
+Protocol: N/A
+Provider: N/A
+UUID    : EB081A0D-10EE-478A-A1DD-50995283E7A8 v3.0 Witness Client Test Interface
+Bindings:
+          ncalrpc:[LRPC-0a9c64a79e96914cf8]
+
+Protocol: N/A
+Provider: N/A
+UUID    : F2C9B409-C1C9-4100-8639-D8AB1486694A v1.0 Witness Client Upcall Server
+Bindings:
+          ncalrpc:[LRPC-0a9c64a79e96914cf8]
+
+Protocol: N/A
+Provider: N/A
+UUID    : C2D1B5DD-FA81-4460-9DD6-E7658B85454B v1.0
+Bindings:
+          ncalrpc:[LRPC-eeed9c661ca2875f9a]
+          ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
+
+Protocol: N/A
+Provider: N/A
+UUID    : F44E62AF-DAB1-44C2-8013-049A9DE417D6 v1.0
+Bindings:
+          ncalrpc:[LRPC-eeed9c661ca2875f9a]
+          ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 7AEB6705-3AE6-471A-882D-F39C109EDC12 v1.0
+Bindings:
+          ncalrpc:[LRPC-eeed9c661ca2875f9a]
+          ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
+
+Protocol: N/A
+Provider: N/A
+UUID    : E7F76134-9EF5-4949-A2D6-3368CC0988F3 v1.0
+Bindings:
+          ncalrpc:[LRPC-eeed9c661ca2875f9a]
+          ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
+
+Protocol: N/A
+Provider: N/A
+UUID    : B37F900A-EAE4-4304-A2AB-12BB668C0188 v1.0
+Bindings:
+          ncalrpc:[LRPC-eeed9c661ca2875f9a]
+          ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
+
+Protocol: N/A
+Provider: N/A
+UUID    : ABFB6CA3-0C5E-4734-9285-0AEE72FE8D1C v1.0
+Bindings:
+          ncalrpc:[LRPC-eeed9c661ca2875f9a]
+          ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
+
+Protocol: N/A
+Provider: N/A
+UUID    : C49A5A70-8A7F-4E70-BA16-1E8F1F193EF1 v1.0 Adh APIs
+Bindings:
+          ncalrpc:[OLE5FCB0823110EF79154A84BC1C955]
+          ncalrpc:[TeredoControl]
+          ncalrpc:[TeredoDiagnostics]
+          ncalrpc:[LRPC-2b9dd75a050dd32327]
+
+Protocol: N/A
+Provider: N/A
+UUID    : C36BE077-E14B-4FE9-8ABC-E856EF4F048B v1.0 Proxy Manager client server endpoint
+Bindings:
+          ncalrpc:[TeredoControl]
+          ncalrpc:[TeredoDiagnostics]
+          ncalrpc:[LRPC-2b9dd75a050dd32327]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 2E6035B2-E8F1-41A7-A044-656B439C4C34 v1.0 Proxy Manager provider server endpoint
+Bindings:
+          ncalrpc:[TeredoControl]
+          ncalrpc:[TeredoDiagnostics]
+          ncalrpc:[LRPC-2b9dd75a050dd32327]
+
+Protocol: N/A
+Provider: iphlpsvc.dll
+UUID    : 552D076A-CB29-4E44-8B6A-D15E59E2C0AF v1.0 IP Transition Configuration endpoint
+Bindings:
+          ncalrpc:[LRPC-2b9dd75a050dd32327]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 0D3C7F20-1C8D-4654-A1B3-51563B298BDA v1.0 UserMgrCli
+Bindings:
+          ncalrpc:[LRPC-0f23b80e8c8e8083c8]
+          ncalrpc:[OLE6A1CCA02AC4BF8BCCEB70B5744EE]
+
+Protocol: N/A
+Provider: N/A
+UUID    : B18FBAB6-56F8-4702-84E0-41053293A869 v1.0 UserMgrCli
+Bindings:
+          ncalrpc:[LRPC-0f23b80e8c8e8083c8]
+          ncalrpc:[OLE6A1CCA02AC4BF8BCCEB70B5744EE]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 51A227AE-825B-41F2-B4A9-1AC9557A1018 v1.0 Ngc Pop Key Service
+Bindings:
+          ncalrpc:[NETLOGON_LRPC]
+          ncacn_np:\\DC[\pipe\f646315b4c642943]
+          ncacn_http:10.129.243.131[49674]
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 8FB74744-B2FF-4C00-BE0D-9EF9A191FE1B v1.0 Ngc Pop Key Service
+Bindings:
+          ncalrpc:[NETLOGON_LRPC]
+          ncacn_np:\\DC[\pipe\f646315b4c642943]
+          ncacn_http:10.129.243.131[49674]
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+
+Protocol: N/A
+Provider: N/A
+UUID    : B25A52BF-E5DD-4F4A-AEA6-8CA7272A0E86 v2.0 KeyIso
+Bindings:
+          ncalrpc:[NETLOGON_LRPC]
+          ncacn_np:\\DC[\pipe\f646315b4c642943]
+          ncacn_http:10.129.243.131[49674]
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+
+Protocol: [MS-NRPC]: Netlogon Remote Protocol
+Provider: netlogon.dll
+UUID    : 12345678-1234-ABCD-EF00-01234567CFFB v1.0
+Bindings:
+          ncalrpc:[NETLOGON_LRPC]
+          ncacn_np:\\DC[\pipe\f646315b4c642943]
+          ncacn_http:10.129.243.131[49674]
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+
+Protocol: [MS-RAA]: Remote Authorization API Protocol
+Provider: N/A
+UUID    : 0B1C2170-5732-4E0E-8CD3-D9B16F3B84D7 v0.0 RemoteAccessCheck
+Bindings:
+          ncalrpc:[NETLOGON_LRPC]
+          ncacn_np:\\DC[\pipe\f646315b4c642943]
+          ncacn_http:10.129.243.131[49674]
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+          ncalrpc:[NETLOGON_LRPC]
+          ncacn_np:\\DC[\pipe\f646315b4c642943]
+          ncacn_http:10.129.243.131[49674]
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+
+Protocol: [MS-LSAT]: Local Security Authority (Translation Methods) Remote
+Provider: lsasrv.dll
+UUID    : 12345778-1234-ABCD-EF00-0123456789AB v0.0
+Bindings:
+          ncacn_np:\\DC[\pipe\f646315b4c642943]
+          ncacn_http:10.129.243.131[49674]
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+
+Protocol: [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol
+Provider: ntdsai.dll
+UUID    : E3514235-4B06-11D1-AB04-00C04FC2DCD2 v4.0 MS NT Directory DRS Interface
+Bindings:
+          ncacn_np:\\DC[\pipe\f646315b4c642943]
+          ncacn_http:10.129.243.131[49674]
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+
+Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol
+Provider: samsrv.dll
+UUID    : 12345778-1234-ABCD-EF00-0123456789AC v1.0
+Bindings:
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 1A0D010F-1C33-432C-B0F5-8CF4E8053099 v1.0 IdSegSrv service
+Bindings:
+          ncalrpc:[LRPC-f4293e3b5b9ae5cb28]
+
+Protocol: N/A
+Provider: srvsvc.dll
+UUID    : 98716D03-89AC-44C7-BB8C-285824E51C4A v1.0 XactSrv service
+Bindings:
+          ncalrpc:[LRPC-f4293e3b5b9ae5cb28]
+
+Protocol: N/A
+Provider: sysmain.dll
+UUID    : B58AA02E-2884-4E97-8176-4EE06D794184 v1.0
+Bindings:
+          ncalrpc:[LRPC-6ba6be7619ad5499b5]
+
+Protocol: N/A
+Provider: N/A
+UUID    : DF4DF73A-C52D-4E3A-8003-8437FDF8302A v0.0 WM_WindowManagerRPC\Server
+Bindings:
+          ncalrpc:[LRPC-e9c9cb51676dd7958e]
+
+Protocol: N/A
+Provider: IKEEXT.DLL
+UUID    : A398E520-D59A-4BDD-AA7A-3C1E0303A511 v1.0 IKE/Authip API
+Bindings:
+          ncalrpc:[LRPC-a6cbf0f8554ac2dd0e]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 650A7E26-EAB8-5533-CE43-9C1DFCE11511 v1.0 Vpn APIs
+Bindings:
+          ncalrpc:[LRPC-78511121f1275f430c]
+          ncalrpc:[VpnikeRpc]
+          ncalrpc:[RasmanLrpc]
+          ncacn_np:\\DC[\PIPE\ROUTER]
+
+Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
+Provider: services.exe
+UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
+Bindings:
+          ncacn_ip_tcp:10.129.243.131[49678]
+
+Protocol: [MS-CMPO]: MSDTC Connection Manager:
+Provider: msdtcprx.dll
+UUID    : 906B0CE0-C70B-1067-B317-00DD010662DA v1.0
+Bindings:
+          ncalrpc:[LRPC-3bcaafee1590c0de20]
+          ncalrpc:[OLE17B51056E4D45A611212712C1451]
+          ncalrpc:[LRPC-9c5b8ea96b2f264739]
+          ncalrpc:[LRPC-9c5b8ea96b2f264739]
+          ncalrpc:[LRPC-9c5b8ea96b2f264739]
+
+Protocol: N/A
+Provider: N/A
+UUID    : F3F09FFD-FBCF-4291-944D-70AD6E0E73BB v1.0
+Bindings:
+          ncalrpc:[LRPC-802031e034c1f025bd]
+
+Protocol: [MS-DNSP]: Domain Name Service (DNS) Server Management
+Provider: dns.exe
+UUID    : 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 v5.0
+Bindings:
+          ncacn_ip_tcp:10.129.243.131[49695]
+
+Protocol: [MS-FRS2]: Distributed File System Replication Protocol
+Provider: dfsrmig.exe
+UUID    : 897E2E5F-93F3-4376-9C9C-FD2277495C27 v1.0 Frs2 Service
+Bindings:
+          ncacn_ip_tcp:10.129.243.131[49843]
+          ncalrpc:[OLECF74F747061ABA28294F2BDC6FF0]
+
+Protocol: N/A
+Provider: N/A
+UUID    : BF4DC912-E52F-4904-8EBE-9317C1BDD497 v1.0
+Bindings:
+          ncalrpc:[LRPC-92939372b55364a6c8]
+          ncalrpc:[OLE9D9AB6AB4D22AD38C10DD1548060]
+
+[*] Received 405 endpoints.
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 135 -&#45;script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml 10.129.243.131 -->
+<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 135 -&#45;script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml 10.129.243.131" start="1698496073" startstr="Sat Oct 28 14:27:53 2023" version="7.93" xmloutputversion="1.05">
+<scaninfo type="syn" protocol="tcp" numservices="1" services="135"/>
+<verbose level="2"/>
+<debugging level="0"/>
+<taskbegin task="NSE" time="1698496076"/>
+<taskend task="NSE" time="1698496076"/>
+<taskbegin task="NSE" time="1698496076"/>
+<taskend task="NSE" time="1698496076"/>
+<taskbegin task="SYN Stealth Scan" time="1698496076"/>
+<taskend task="SYN Stealth Scan" time="1698496078" extrainfo="1 total ports"/>
+<taskbegin task="Service scan" time="1698496078"/>
+<taskend task="Service scan" time="1698496084" extrainfo="1 service on 1 host"/>
+<taskbegin task="NSE" time="1698496084"/>
+<taskend task="NSE" time="1698496099"/>
+<taskbegin task="NSE" time="1698496099"/>
+<taskend task="NSE" time="1698496099"/>
+<host starttime="1698496076" endtime="1698496099"><status state="up" reason="user-set" reason_ttl="0"/>
+<address addr="10.129.243.131" addrtype="ipv4"/>
+<hostnames>
+<hostname name="megacorp.htb" type="PTR"/>
+</hostnames>
+<ports><port protocol="tcp" portid="135"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="msrpc" product="Microsoft Windows RPC" ostype="Windows" method="probed" conf="10"><cpe>cpe:/o:microsoft:windows</cpe></service></port>
+</ports>
+<times srtt="624808" rttvar="624808" to="1250000"/>
+</host>
+<taskbegin task="NSE" time="1698496099"/>
+<taskend task="NSE" time="1698496099"/>
+<taskbegin task="NSE" time="1698496099"/>
+<taskend task="NSE" time="1698496099"/>
+<runstats><finished time="1698496099" timestr="Sat Oct 28 14:28:19 2023" summary="Nmap done at Sat Oct 28 14:28:19 2023; 1 IP address (1 host up) scanned in 26.49 seconds" elapsed="26.49" exit="success"/><hosts up="1" down="0" total="1"/>
+</runstats>
+</nmaprun>

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/enum4linux.txt

@@ -0,0 +1,139 @@
+Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Oct 28 14:27:53 2023
+
+ =========================================( Target Information )=========================================
+
+Target ........... 10.129.243.131
+RID Range ........ 500-550,1000-1050
+Username ......... ''
+Password ......... ''
+Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
+
+
+ ===========================( Enumerating Workgroup/Domain on 10.129.243.131 )===========================
+
+
+[E] Can't find workgroup/domain
+
+
+
+ ===============================( Nbtstat Information for 10.129.243.131 )===============================
+
+Looking up status of 10.129.243.131
+No reply from 10.129.243.131
+
+ ==================================( Session Check on 10.129.243.131 )==================================
+
+
+[+] Server 10.129.243.131 allows sessions using username '', password ''
+
+
+ ==========================( Getting information via LDAP for 10.129.243.131 )==========================
+
+
+[+] 10.129.243.131 appears to be a child DC
+
+
+ ===============================( Getting domain SID for 10.129.243.131 )===============================
+
+Domain Name: MEGACORP
+Domain Sid: S-1-5-21-855300830-391258870-456067225
+
+[+] Host is part of a domain (not a workgroup)
+
+
+ ==================================( OS information on 10.129.243.131 )==================================
+
+
+[E] Can't get OS info with smbclient
+
+
+[+] Got OS info for 10.129.243.131 from srvinfo:
+do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
+
+
+ ======================================( Users on 10.129.243.131 )======================================
+
+
+[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
+
+
+
+[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
+
+
+ ===============================( Machine Enumeration on 10.129.243.131 )===============================
+
+
+[E] Not implemented in this version of enum4linux.
+
+
+ ================================( Share Enumeration on 10.129.243.131 )================================
+
+do_connect: Connection to 10.129.243.131 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
+
+	Sharename       Type      Comment
+	---------       ----      -------
+Reconnecting with SMB1 for workgroup listing.
+Unable to connect with SMB1 -- no workgroup available
+
+[+] Attempting to map shares on 10.129.243.131
+
+
+ ===========================( Password Policy Information for 10.129.243.131 )===========================
+
+
+[E] Unexpected error from polenum:
+
+
+
+[+] Attaching to 10.129.243.131 using a NULL share
+
+[+] Trying protocol 139/SMB...
+
+	[!] Protocol failed: Cannot request session (Called Name:10.129.243.131)
+
+[+] Trying protocol 445/SMB...
+
+	[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
+
+
+
+[E] Failed to get password policy with rpcclient
+
+
+
+ ======================================( Groups on 10.129.243.131 )======================================
+
+
+[+] Getting builtin groups:
+
+
+[+]  Getting builtin group memberships:
+
+
+[+]  Getting local groups:
+
+
+[+]  Getting local group memberships:
+
+
+[+]  Getting domain groups:
+
+
+[+]  Getting domain group memberships:
+
+
+ =================( Users on 10.129.243.131 via RID cycling (RIDS: 500-550,1000-1050) )=================
+
+
+[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.
+
+
+ ==============================( Getting printer info for 10.129.243.131 )==============================
+
+do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
+
+
+enum4linux complete on Sat Oct 28 14:28:33 2023
+
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/nbtscan.txt

@@ -0,0 +1,3 @@
+Doing NBT name scan for addresses from 10.129.243.131
+
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbclient.txt

@@ -0,0 +1,8 @@
+do_connect: Connection to 10.129.243.131 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
+Anonymous login successful
+
+	Sharename       Type      Comment
+	---------       ----      -------
+Reconnecting with SMB1 for workgroup listing.
+Unable to connect with SMB1 -- no workgroup available
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt

@@ -0,0 +1,3 @@
+[!] RPC Authentication error occurred
+[!] Authentication error on 10.129.243.131
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt

@@ -0,0 +1,3 @@
+[!] RPC Authentication error occurred
+[!] Authentication error on 10.129.243.131
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt

@@ -0,0 +1,3 @@
+[!] RPC Authentication error occurred
+[!] Authentication error on 10.129.243.131
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt

@@ -0,0 +1,22 @@
+# Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv --reason -Pn -T4 -sV -p 139 "--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.036s latency).
+Scanned at 2023-10-28 14:27:57 CEST for 41s
+
+PORT    STATE SERVICE     REASON          VERSION
+139/tcp open  netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
+|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
+Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Host script results:
+|_smb2-time: ERROR: Script execution failed (use -d to debug)
+|_smb-protocols: No dialects accepted. Something may be blocking the responses
+|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
+|_smb-mbenum: ERROR: Script execution failed (use -d to debug)
+|_smb2-capabilities: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
+|_smb-vuln-ms10-061: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
+|_smb-print-text: false
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:28:38 2023 -- 1 IP address (1 host up) scanned in 45.20 seconds

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 139 &quot;-&#45;script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)&quot; -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml 10.129.243.131 -->
+<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 139 &quot;-&#45;script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)&quot; -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml 10.129.243.131" start="1698496073" startstr="Sat Oct 28 14:27:53 2023" version="7.93" xmloutputversion="1.05">
+<scaninfo type="syn" protocol="tcp" numservices="1" services="139"/>
+<verbose level="2"/>
+<debugging level="0"/>
+<taskbegin task="NSE" time="1698496077"/>
+<taskend task="NSE" time="1698496077"/>
+<taskbegin task="NSE" time="1698496077"/>
+<taskend task="NSE" time="1698496077"/>
+<taskbegin task="NSE" time="1698496077"/>
+<taskend task="NSE" time="1698496077"/>
+<taskbegin task="SYN Stealth Scan" time="1698496077"/>
+<taskend task="SYN Stealth Scan" time="1698496077" extrainfo="1 total ports"/>
+<taskbegin task="Service scan" time="1698496077"/>
+<taskend task="Service scan" time="1698496084" extrainfo="1 service on 1 host"/>
+<taskbegin task="NSE" time="1698496084"/>
+<taskprogress task="NSE" time="1698496115" percent="97.14" remaining="1" etc="1698496116"/>
+<taskend task="NSE" time="1698496116"/>
+<taskbegin task="NSE" time="1698496116"/>
+<taskend task="NSE" time="1698496118"/>
+<taskbegin task="NSE" time="1698496118"/>
+<taskend task="NSE" time="1698496118"/>
+<host starttime="1698496077" endtime="1698496118"><status state="up" reason="user-set" reason_ttl="0"/>
+<address addr="10.129.243.131" addrtype="ipv4"/>
+<hostnames>
+<hostname name="megacorp.htb" type="PTR"/>
+</hostnames>
+<ports><port protocol="tcp" portid="139"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="netbios-ssn" product="Microsoft Windows netbios-ssn" ostype="Windows" method="probed" conf="10"><cpe>cpe:/o:microsoft:windows</cpe></service><script id="smb-enum-services" output="ERROR: Script execution failed (use -d to debug)"/></port>
+</ports>
+<hostscript><script id="smb2-time" output="ERROR: Script execution failed (use -d to debug)"/><script id="smb-protocols" output="No dialects accepted. Something may be blocking the responses"/><script id="smb2-security-mode" output="SMB: Couldn&apos;t find a NetBIOS name that works for the server. Sorry!">false</script><script id="smb-mbenum" output="ERROR: Script execution failed (use -d to debug)"/><script id="smb2-capabilities" output="SMB: Couldn&apos;t find a NetBIOS name that works for the server. Sorry!">false</script><script id="smb-vuln-ms10-061" output="SMB: Couldn&apos;t find a NetBIOS name that works for the server. Sorry!">false</script><script id="smb-print-text" output="false">false</script></hostscript><times srtt="35989" rttvar="35989" to="179945"/>
+</host>
+<taskbegin task="NSE" time="1698496118"/>
+<taskend task="NSE" time="1698496118"/>
+<taskbegin task="NSE" time="1698496118"/>
+<taskend task="NSE" time="1698496118"/>
+<taskbegin task="NSE" time="1698496118"/>
+<taskend task="NSE" time="1698496118"/>
+<runstats><finished time="1698496118" timestr="Sat Oct 28 14:28:38 2023" summary="Nmap done at Sat Oct 28 14:28:38 2023; 1 IP address (1 host up) scanned in 45.20 seconds" elapsed="45.20" exit="success"/><hosts up="1" down="0" total="1"/>
+</runstats>
+</nmaprun>

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt

@@ -0,0 +1,108 @@
+# Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv --reason -Pn -T4 -sV -p 3268 "--script=banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.050s latency).
+Scanned at 2023-10-28 14:27:57 CEST for 17s
+
+PORT     STATE SERVICE REASON          VERSION
+3268/tcp open  ldap    syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
+| ldap-rootdse: 
+| LDAP Results
+|   <ROOT>
+|       domainFunctionality: 7
+|       forestFunctionality: 7
+|       domainControllerFunctionality: 7
+|       rootDomainNamingContext: DC=MEGACORP,DC=LOCAL
+|       ldapServiceName: MEGACORP.LOCAL:dc$@MEGACORP.LOCAL
+|       isGlobalCatalogReady: TRUE
+|       supportedSASLMechanisms: GSSAPI
+|       supportedSASLMechanisms: GSS-SPNEGO
+|       supportedSASLMechanisms: EXTERNAL
+|       supportedSASLMechanisms: DIGEST-MD5
+|       supportedLDAPVersion: 3
+|       supportedLDAPVersion: 2
+|       supportedLDAPPolicies: MaxPoolThreads
+|       supportedLDAPPolicies: MaxPercentDirSyncRequests
+|       supportedLDAPPolicies: MaxDatagramRecv
+|       supportedLDAPPolicies: MaxReceiveBuffer
+|       supportedLDAPPolicies: InitRecvTimeout
+|       supportedLDAPPolicies: MaxConnections
+|       supportedLDAPPolicies: MaxConnIdleTime
+|       supportedLDAPPolicies: MaxPageSize
+|       supportedLDAPPolicies: MaxBatchReturnMessages
+|       supportedLDAPPolicies: MaxQueryDuration
+|       supportedLDAPPolicies: MaxDirSyncDuration
+|       supportedLDAPPolicies: MaxTempTableSize
+|       supportedLDAPPolicies: MaxResultSetSize
+|       supportedLDAPPolicies: MinResultSets
+|       supportedLDAPPolicies: MaxResultSetsPerConn
+|       supportedLDAPPolicies: MaxNotificationPerConn
+|       supportedLDAPPolicies: MaxValRange
+|       supportedLDAPPolicies: MaxValRangeTransitive
+|       supportedLDAPPolicies: ThreadMemoryLimit
+|       supportedLDAPPolicies: SystemMemoryLimitPercent
+|       supportedControl: 1.2.840.113556.1.4.319
+|       supportedControl: 1.2.840.113556.1.4.801
+|       supportedControl: 1.2.840.113556.1.4.473
+|       supportedControl: 1.2.840.113556.1.4.528
+|       supportedControl: 1.2.840.113556.1.4.417
+|       supportedControl: 1.2.840.113556.1.4.619
+|       supportedControl: 1.2.840.113556.1.4.841
+|       supportedControl: 1.2.840.113556.1.4.529
+|       supportedControl: 1.2.840.113556.1.4.805
+|       supportedControl: 1.2.840.113556.1.4.521
+|       supportedControl: 1.2.840.113556.1.4.970
+|       supportedControl: 1.2.840.113556.1.4.1338
+|       supportedControl: 1.2.840.113556.1.4.474
+|       supportedControl: 1.2.840.113556.1.4.1339
+|       supportedControl: 1.2.840.113556.1.4.1340
+|       supportedControl: 1.2.840.113556.1.4.1413
+|       supportedControl: 2.16.840.1.113730.3.4.9
+|       supportedControl: 2.16.840.1.113730.3.4.10
+|       supportedControl: 1.2.840.113556.1.4.1504
+|       supportedControl: 1.2.840.113556.1.4.1852
+|       supportedControl: 1.2.840.113556.1.4.802
+|       supportedControl: 1.2.840.113556.1.4.1907
+|       supportedControl: 1.2.840.113556.1.4.1948
+|       supportedControl: 1.2.840.113556.1.4.1974
+|       supportedControl: 1.2.840.113556.1.4.1341
+|       supportedControl: 1.2.840.113556.1.4.2026
+|       supportedControl: 1.2.840.113556.1.4.2064
+|       supportedControl: 1.2.840.113556.1.4.2065
+|       supportedControl: 1.2.840.113556.1.4.2066
+|       supportedControl: 1.2.840.113556.1.4.2090
+|       supportedControl: 1.2.840.113556.1.4.2205
+|       supportedControl: 1.2.840.113556.1.4.2204
+|       supportedControl: 1.2.840.113556.1.4.2206
+|       supportedControl: 1.2.840.113556.1.4.2211
+|       supportedControl: 1.2.840.113556.1.4.2239
+|       supportedControl: 1.2.840.113556.1.4.2255
+|       supportedControl: 1.2.840.113556.1.4.2256
+|       supportedControl: 1.2.840.113556.1.4.2309
+|       supportedControl: 1.2.840.113556.1.4.2330
+|       supportedControl: 1.2.840.113556.1.4.2354
+|       supportedCapabilities: 1.2.840.113556.1.4.800
+|       supportedCapabilities: 1.2.840.113556.1.4.1670
+|       supportedCapabilities: 1.2.840.113556.1.4.1791
+|       supportedCapabilities: 1.2.840.113556.1.4.1935
+|       supportedCapabilities: 1.2.840.113556.1.4.2080
+|       supportedCapabilities: 1.2.840.113556.1.4.2237
+|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=MEGACORP,DC=LOCAL
+|       serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MEGACORP,DC=LOCAL
+|       schemaNamingContext: CN=Schema,CN=Configuration,DC=MEGACORP,DC=LOCAL
+|       namingContexts: DC=MEGACORP,DC=LOCAL
+|       namingContexts: CN=Configuration,DC=MEGACORP,DC=LOCAL
+|       namingContexts: CN=Schema,CN=Configuration,DC=MEGACORP,DC=LOCAL
+|       namingContexts: DC=DomainDnsZones,DC=MEGACORP,DC=LOCAL
+|       namingContexts: DC=ForestDnsZones,DC=MEGACORP,DC=LOCAL
+|       isSynchronized: TRUE
+|       highestCommittedUSN: 77897
+|       dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MEGACORP,DC=LOCAL
+|       dnsHostName: DC.MEGACORP.LOCAL
+|       defaultNamingContext: DC=MEGACORP,DC=LOCAL
+|       currentTime: 20231028122804.0Z
+|_      configurationNamingContext: CN=Configuration,DC=MEGACORP,DC=LOCAL
+Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:28:14 2023 -- 1 IP address (1 host up) scanned in 21.16 seconds

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt

@@ -0,0 +1,108 @@
+# Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv --reason -Pn -T4 -sV -p 389 "--script=banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.036s latency).
+Scanned at 2023-10-28 14:27:57 CEST for 17s
+
+PORT    STATE SERVICE REASON          VERSION
+389/tcp open  ldap    syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
+| ldap-rootdse: 
+| LDAP Results
+|   <ROOT>
+|       domainFunctionality: 7
+|       forestFunctionality: 7
+|       domainControllerFunctionality: 7
+|       rootDomainNamingContext: DC=MEGACORP,DC=LOCAL
+|       ldapServiceName: MEGACORP.LOCAL:dc$@MEGACORP.LOCAL
+|       isGlobalCatalogReady: TRUE
+|       supportedSASLMechanisms: GSSAPI
+|       supportedSASLMechanisms: GSS-SPNEGO
+|       supportedSASLMechanisms: EXTERNAL
+|       supportedSASLMechanisms: DIGEST-MD5
+|       supportedLDAPVersion: 3
+|       supportedLDAPVersion: 2
+|       supportedLDAPPolicies: MaxPoolThreads
+|       supportedLDAPPolicies: MaxPercentDirSyncRequests
+|       supportedLDAPPolicies: MaxDatagramRecv
+|       supportedLDAPPolicies: MaxReceiveBuffer
+|       supportedLDAPPolicies: InitRecvTimeout
+|       supportedLDAPPolicies: MaxConnections
+|       supportedLDAPPolicies: MaxConnIdleTime
+|       supportedLDAPPolicies: MaxPageSize
+|       supportedLDAPPolicies: MaxBatchReturnMessages
+|       supportedLDAPPolicies: MaxQueryDuration
+|       supportedLDAPPolicies: MaxDirSyncDuration
+|       supportedLDAPPolicies: MaxTempTableSize
+|       supportedLDAPPolicies: MaxResultSetSize
+|       supportedLDAPPolicies: MinResultSets
+|       supportedLDAPPolicies: MaxResultSetsPerConn
+|       supportedLDAPPolicies: MaxNotificationPerConn
+|       supportedLDAPPolicies: MaxValRange
+|       supportedLDAPPolicies: MaxValRangeTransitive
+|       supportedLDAPPolicies: ThreadMemoryLimit
+|       supportedLDAPPolicies: SystemMemoryLimitPercent
+|       supportedControl: 1.2.840.113556.1.4.319
+|       supportedControl: 1.2.840.113556.1.4.801
+|       supportedControl: 1.2.840.113556.1.4.473
+|       supportedControl: 1.2.840.113556.1.4.528
+|       supportedControl: 1.2.840.113556.1.4.417
+|       supportedControl: 1.2.840.113556.1.4.619
+|       supportedControl: 1.2.840.113556.1.4.841
+|       supportedControl: 1.2.840.113556.1.4.529
+|       supportedControl: 1.2.840.113556.1.4.805
+|       supportedControl: 1.2.840.113556.1.4.521
+|       supportedControl: 1.2.840.113556.1.4.970
+|       supportedControl: 1.2.840.113556.1.4.1338
+|       supportedControl: 1.2.840.113556.1.4.474
+|       supportedControl: 1.2.840.113556.1.4.1339
+|       supportedControl: 1.2.840.113556.1.4.1340
+|       supportedControl: 1.2.840.113556.1.4.1413
+|       supportedControl: 2.16.840.1.113730.3.4.9
+|       supportedControl: 2.16.840.1.113730.3.4.10
+|       supportedControl: 1.2.840.113556.1.4.1504
+|       supportedControl: 1.2.840.113556.1.4.1852
+|       supportedControl: 1.2.840.113556.1.4.802
+|       supportedControl: 1.2.840.113556.1.4.1907
+|       supportedControl: 1.2.840.113556.1.4.1948
+|       supportedControl: 1.2.840.113556.1.4.1974
+|       supportedControl: 1.2.840.113556.1.4.1341
+|       supportedControl: 1.2.840.113556.1.4.2026
+|       supportedControl: 1.2.840.113556.1.4.2064
+|       supportedControl: 1.2.840.113556.1.4.2065
+|       supportedControl: 1.2.840.113556.1.4.2066
+|       supportedControl: 1.2.840.113556.1.4.2090
+|       supportedControl: 1.2.840.113556.1.4.2205
+|       supportedControl: 1.2.840.113556.1.4.2204
+|       supportedControl: 1.2.840.113556.1.4.2206
+|       supportedControl: 1.2.840.113556.1.4.2211
+|       supportedControl: 1.2.840.113556.1.4.2239
+|       supportedControl: 1.2.840.113556.1.4.2255
+|       supportedControl: 1.2.840.113556.1.4.2256
+|       supportedControl: 1.2.840.113556.1.4.2309
+|       supportedControl: 1.2.840.113556.1.4.2330
+|       supportedControl: 1.2.840.113556.1.4.2354
+|       supportedCapabilities: 1.2.840.113556.1.4.800
+|       supportedCapabilities: 1.2.840.113556.1.4.1670
+|       supportedCapabilities: 1.2.840.113556.1.4.1791
+|       supportedCapabilities: 1.2.840.113556.1.4.1935
+|       supportedCapabilities: 1.2.840.113556.1.4.2080
+|       supportedCapabilities: 1.2.840.113556.1.4.2237
+|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=MEGACORP,DC=LOCAL
+|       serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MEGACORP,DC=LOCAL
+|       schemaNamingContext: CN=Schema,CN=Configuration,DC=MEGACORP,DC=LOCAL
+|       namingContexts: DC=MEGACORP,DC=LOCAL
+|       namingContexts: CN=Configuration,DC=MEGACORP,DC=LOCAL
+|       namingContexts: CN=Schema,CN=Configuration,DC=MEGACORP,DC=LOCAL
+|       namingContexts: DC=DomainDnsZones,DC=MEGACORP,DC=LOCAL
+|       namingContexts: DC=ForestDnsZones,DC=MEGACORP,DC=LOCAL
+|       isSynchronized: TRUE
+|       highestCommittedUSN: 77897
+|       dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MEGACORP,DC=LOCAL
+|       dnsHostName: DC.MEGACORP.LOCAL
+|       defaultNamingContext: DC=MEGACORP,DC=LOCAL
+|       currentTime: 20231028122804.0Z
+|_      configurationNamingContext: CN=Configuration,DC=MEGACORP,DC=LOCAL
+Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:28:14 2023 -- 1 IP address (1 host up) scanned in 21.47 seconds

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt

@@ -0,0 +1,2 @@
+[!] Authentication error on 10.129.243.131
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt

@@ -0,0 +1,2 @@
+[!] Authentication error on 10.129.243.131
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt

@@ -0,0 +1,2 @@
+[!] Authentication error on 10.129.243.131
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt

@@ -0,0 +1,50 @@
+# Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv --reason -Pn -T4 -sV -p 445 "--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.031s latency).
+Scanned at 2023-10-28 14:27:57 CEST for 50s
+
+PORT    STATE SERVICE       REASON          VERSION
+445/tcp open  microsoft-ds? syn-ack ttl 127
+|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
+
+Host script results:
+| smb2-capabilities: 
+|   202: 
+|     Distributed File System
+|   210: 
+|     Distributed File System
+|     Leasing
+|     Multi-credit operations
+|   300: 
+|     Distributed File System
+|     Leasing
+|     Multi-credit operations
+|   302: 
+|     Distributed File System
+|     Leasing
+|     Multi-credit operations
+|   311: 
+|     Distributed File System
+|     Leasing
+|_    Multi-credit operations
+|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
+|_smb-print-text: false
+| smb2-security-mode: 
+|   311: 
+|_    Message signing enabled and required
+| smb-protocols: 
+|   dialects: 
+|     202
+|     210
+|     300
+|     302
+|_    311
+| smb2-time: 
+|   date: 2023-10-28T12:28:09
+|_  start_date: N/A
+| smb-mbenum: 
+|_  ERROR: Failed to connect to browser service: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:28:47 2023 -- 1 IP address (1 host up) scanned in 54.80 seconds

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml

@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 445 &quot;-&#45;script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)&quot; -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml 10.129.243.131 -->
+<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 445 &quot;-&#45;script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)&quot; -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml 10.129.243.131" start="1698496073" startstr="Sat Oct 28 14:27:53 2023" version="7.93" xmloutputversion="1.05">
+<scaninfo type="syn" protocol="tcp" numservices="1" services="445"/>
+<verbose level="2"/>
+<debugging level="0"/>
+<taskbegin task="NSE" time="1698496077"/>
+<taskend task="NSE" time="1698496077"/>
+<taskbegin task="NSE" time="1698496077"/>
+<taskend task="NSE" time="1698496077"/>
+<taskbegin task="NSE" time="1698496077"/>
+<taskend task="NSE" time="1698496077"/>
+<taskbegin task="SYN Stealth Scan" time="1698496077"/>
+<taskend task="SYN Stealth Scan" time="1698496077" extrainfo="1 total ports"/>
+<taskbegin task="Service scan" time="1698496078"/>
+<taskend task="Service scan" time="1698496086" extrainfo="1 service on 1 host"/>
+<taskbegin task="NSE" time="1698496086"/>
+<taskprogress task="NSE" time="1698496117" percent="94.29" remaining="2" etc="1698496119"/>
+<taskend task="NSE" time="1698496126"/>
+<taskbegin task="NSE" time="1698496126"/>
+<taskend task="NSE" time="1698496127"/>
+<taskbegin task="NSE" time="1698496127"/>
+<taskend task="NSE" time="1698496127"/>
+<host starttime="1698496077" endtime="1698496127"><status state="up" reason="user-set" reason_ttl="0"/>
+<address addr="10.129.243.131" addrtype="ipv4"/>
+<hostnames>
+<hostname name="megacorp.htb" type="PTR"/>
+</hostnames>
+<ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="microsoft-ds" method="table" conf="3"/><script id="smb-enum-services" output="ERROR: Script execution failed (use -d to debug)"/></port>
+</ports>
+<hostscript><script id="smb2-capabilities" output="&#xa;  202: &#xa;    Distributed File System&#xa;  210: &#xa;    Distributed File System&#xa;    Leasing&#xa;    Multi-credit operations&#xa;  300: &#xa;    Distributed File System&#xa;    Leasing&#xa;    Multi-credit operations&#xa;  302: &#xa;    Distributed File System&#xa;    Leasing&#xa;    Multi-credit operations&#xa;  311: &#xa;    Distributed File System&#xa;    Leasing&#xa;    Multi-credit operations"><table key="202">
+<elem>Distributed File System</elem>
+</table>
+<table key="210">
+<elem>Distributed File System</elem>
+<elem>Leasing</elem>
+<elem>Multi-credit operations</elem>
+</table>
+<table key="300">
+<elem>Distributed File System</elem>
+<elem>Leasing</elem>
+<elem>Multi-credit operations</elem>
+</table>
+<table key="302">
+<elem>Distributed File System</elem>
+<elem>Leasing</elem>
+<elem>Multi-credit operations</elem>
+</table>
+<table key="311">
+<elem>Distributed File System</elem>
+<elem>Leasing</elem>
+<elem>Multi-credit operations</elem>
+</table>
+</script><script id="smb-vuln-ms10-061" output="Could not negotiate a connection:SMB: Failed to receive bytes: ERROR">false</script><script id="smb-print-text" output="false">false</script><script id="smb2-security-mode" output="&#xa;  311: &#xa;    Message signing enabled and required"><table key="311">
+<elem>Message signing enabled and required</elem>
+</table>
+</script><script id="smb-protocols" output="&#xa;  dialects: &#xa;    202&#xa;    210&#xa;    300&#xa;    302&#xa;    311"><table key="dialects">
+<elem>202</elem>
+<elem>210</elem>
+<elem>300</elem>
+<elem>302</elem>
+<elem>311</elem>
+</table>
+</script><script id="smb2-time" output="&#xa;  date: 2023-10-28T12:28:09&#xa;  start_date: N/A"><elem key="date">2023-10-28T12:28:09</elem>
+<elem key="start_date">N/A</elem>
+</script><script id="smb-mbenum" output="&#xa;  ERROR: Failed to connect to browser service: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR"/></hostscript><times srtt="31123" rttvar="31123" to="155615"/>
+</host>
+<taskbegin task="NSE" time="1698496127"/>
+<taskend task="NSE" time="1698496127"/>
+<taskbegin task="NSE" time="1698496127"/>
+<taskend task="NSE" time="1698496127"/>
+<taskbegin task="NSE" time="1698496127"/>
+<taskend task="NSE" time="1698496127"/>
+<runstats><finished time="1698496127" timestr="Sat Oct 28 14:28:47 2023" summary="Nmap done at Sat Oct 28 14:28:47 2023; 1 IP address (1 host up) scanned in 54.80 seconds" elapsed="54.80" exit="success"/><hosts up="1" down="0" total="1"/>
+</runstats>
+</nmaprun>

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt

@@ -0,0 +1,11 @@
+# Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv --reason -Pn -T4 -sV -p 464 --script=banner,krb5-enum-users --script-args krb5-enum-users.realm=megacorp.htb,userdb=/usr/share/seclists/Usernames/top-usernames-shortlist.txt -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.045s latency).
+Scanned at 2023-10-28 14:27:55 CEST for 19s
+
+PORT    STATE SERVICE   REASON          VERSION
+464/tcp open  kpasswd5? syn-ack ttl 127
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:28:14 2023 -- 1 IP address (1 host up) scanned in 21.63 seconds

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 464 -&#45;script=banner,krb5-enum-users -&#45;script-args krb5-enum-users.realm=megacorp.htb,userdb=/usr/share/seclists/Usernames/top-usernames-shortlist.txt -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml 10.129.243.131 -->
+<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 464 -&#45;script=banner,krb5-enum-users -&#45;script-args krb5-enum-users.realm=megacorp.htb,userdb=/usr/share/seclists/Usernames/top-usernames-shortlist.txt -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml 10.129.243.131" start="1698496073" startstr="Sat Oct 28 14:27:53 2023" version="7.93" xmloutputversion="1.05">
+<scaninfo type="syn" protocol="tcp" numservices="1" services="464"/>
+<verbose level="2"/>
+<debugging level="0"/>
+<taskbegin task="NSE" time="1698496075"/>
+<taskend task="NSE" time="1698496075"/>
+<taskbegin task="NSE" time="1698496075"/>
+<taskend task="NSE" time="1698496075"/>
+<taskbegin task="SYN Stealth Scan" time="1698496075"/>
+<taskend task="SYN Stealth Scan" time="1698496075" extrainfo="1 total ports"/>
+<taskbegin task="Service scan" time="1698496075"/>
+<taskend task="Service scan" time="1698496084" extrainfo="1 service on 1 host"/>
+<taskbegin task="NSE" time="1698496084"/>
+<taskend task="NSE" time="1698496094"/>
+<taskbegin task="NSE" time="1698496094"/>
+<taskend task="NSE" time="1698496094"/>
+<host starttime="1698496075" endtime="1698496094"><status state="up" reason="user-set" reason_ttl="0"/>
+<address addr="10.129.243.131" addrtype="ipv4"/>
+<hostnames>
+<hostname name="megacorp.htb" type="PTR"/>
+</hostnames>
+<ports><port protocol="tcp" portid="464"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="kpasswd5" method="table" conf="3"/></port>
+</ports>
+<times srtt="44884" rttvar="44884" to="224420"/>
+</host>
+<taskbegin task="NSE" time="1698496094"/>
+<taskend task="NSE" time="1698496094"/>
+<taskbegin task="NSE" time="1698496094"/>
+<taskend task="NSE" time="1698496094"/>
+<runstats><finished time="1698496094" timestr="Sat Oct 28 14:28:14 2023" summary="Nmap done at Sat Oct 28 14:28:14 2023; 1 IP address (1 host up) scanned in 21.63 seconds" elapsed="21.63" exit="success"/><hosts up="1" down="0" total="1"/>
+</runstats>
+</nmaprun>

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/tcp_49667_rpc_nmap.txt

@@ -0,0 +1,12 @@
+# Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv --reason -Pn -T4 -sV -p 49667 --script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/tcp_49667_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/xml/tcp_49667_rpc_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.44s latency).
+Scanned at 2023-10-28 14:27:56 CEST for 71s
+
+PORT      STATE SERVICE REASON          VERSION
+49667/tcp open  msrpc   syn-ack ttl 127 Microsoft Windows RPC
+Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:29:07 2023 -- 1 IP address (1 host up) scanned in 73.96 seconds

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/xml/tcp_49667_rpc_nmap.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 49667 -&#45;script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/tcp_49667_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/xml/tcp_49667_rpc_nmap.xml 10.129.243.131 -->
+<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 49667 -&#45;script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/tcp_49667_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/xml/tcp_49667_rpc_nmap.xml 10.129.243.131" start="1698496073" startstr="Sat Oct 28 14:27:53 2023" version="7.93" xmloutputversion="1.05">
+<scaninfo type="syn" protocol="tcp" numservices="1" services="49667"/>
+<verbose level="2"/>
+<debugging level="0"/>
+<taskbegin task="NSE" time="1698496076"/>
+<taskend task="NSE" time="1698496076"/>
+<taskbegin task="NSE" time="1698496076"/>
+<taskend task="NSE" time="1698496076"/>
+<taskbegin task="SYN Stealth Scan" time="1698496076"/>
+<taskend task="SYN Stealth Scan" time="1698496077" extrainfo="1 total ports"/>
+<taskbegin task="Service scan" time="1698496077"/>
+<taskend task="Service scan" time="1698496132" extrainfo="1 service on 1 host"/>
+<taskbegin task="NSE" time="1698496132"/>
+<taskend task="NSE" time="1698496147"/>
+<taskbegin task="NSE" time="1698496147"/>
+<taskend task="NSE" time="1698496147"/>
+<host starttime="1698496076" endtime="1698496147"><status state="up" reason="user-set" reason_ttl="0"/>
+<address addr="10.129.243.131" addrtype="ipv4"/>
+<hostnames>
+<hostname name="megacorp.htb" type="PTR"/>
+</hostnames>
+<ports><port protocol="tcp" portid="49667"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="msrpc" product="Microsoft Windows RPC" ostype="Windows" method="probed" conf="10"><cpe>cpe:/o:microsoft:windows</cpe></service></port>
+</ports>
+<times srtt="441625" rttvar="441625" to="1250000"/>
+</host>
+<taskbegin task="NSE" time="1698496147"/>
+<taskend task="NSE" time="1698496147"/>
+<taskbegin task="NSE" time="1698496147"/>
+<taskend task="NSE" time="1698496147"/>
+<runstats><finished time="1698496147" timestr="Sat Oct 28 14:29:07 2023" summary="Nmap done at Sat Oct 28 14:29:07 2023; 1 IP address (1 host up) scanned in 73.96 seconds" elapsed="73.96" exit="success"/><hosts up="1" down="0" total="1"/>
+</runstats>
+</nmaprun>

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/tcp_49673_rpc_nmap.txt

@@ -0,0 +1,12 @@
+# Nmap 7.93 scan initiated Sat Oct 28 13:22:00 2023 as: nmap -vv --reason -Pn -T4 -sV -p 49673 --script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/tcp_49673_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/xml/tcp_49673_rpc_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set (0.034s latency).
+Scanned at 2023-10-28 13:22:15 CEST for 70s
+
+PORT      STATE SERVICE REASON          VERSION
+49673/tcp open  msrpc   syn-ack ttl 127 Microsoft Windows RPC
+Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:23:25 2023 -- 1 IP address (1 host up) scanned in 84.39 seconds

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/xml/tcp_49673_rpc_nmap.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.93 scan initiated Sat Oct 28 13:22:00 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 49673 -&#45;script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/tcp_49673_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/xml/tcp_49673_rpc_nmap.xml 10.129.243.131 -->
+<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 49673 -&#45;script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/tcp_49673_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/xml/tcp_49673_rpc_nmap.xml 10.129.243.131" start="1698492120" startstr="Sat Oct 28 13:22:00 2023" version="7.93" xmloutputversion="1.05">
+<scaninfo type="syn" protocol="tcp" numservices="1" services="49673"/>
+<verbose level="2"/>
+<debugging level="0"/>
+<taskbegin task="NSE" time="1698492122"/>
+<taskend task="NSE" time="1698492122"/>
+<taskbegin task="NSE" time="1698492122"/>
+<taskend task="NSE" time="1698492122"/>
+<taskbegin task="Parallel DNS resolution of 1 host." time="1698492122"/>
+<taskend task="Parallel DNS resolution of 1 host." time="1698492135"/>
+<taskbegin task="SYN Stealth Scan" time="1698492135"/>
+<taskend task="SYN Stealth Scan" time="1698492135" extrainfo="1 total ports"/>
+<taskbegin task="Service scan" time="1698492135"/>
+<taskend task="Service scan" time="1698492190" extrainfo="1 service on 1 host"/>
+<taskbegin task="NSE" time="1698492190"/>
+<taskend task="NSE" time="1698492205"/>
+<taskbegin task="NSE" time="1698492205"/>
+<taskend task="NSE" time="1698492205"/>
+<host starttime="1698492135" endtime="1698492205"><status state="up" reason="user-set" reason_ttl="0"/>
+<address addr="10.129.243.131" addrtype="ipv4"/>
+<hostnames>
+</hostnames>
+<ports><port protocol="tcp" portid="49673"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="msrpc" product="Microsoft Windows RPC" ostype="Windows" method="probed" conf="10"><cpe>cpe:/o:microsoft:windows</cpe></service></port>
+</ports>
+<times srtt="34493" rttvar="34493" to="172465"/>
+</host>
+<taskbegin task="NSE" time="1698492205"/>
+<taskend task="NSE" time="1698492205"/>
+<taskbegin task="NSE" time="1698492205"/>
+<taskend task="NSE" time="1698492205"/>
+<runstats><finished time="1698492205" timestr="Sat Oct 28 13:23:25 2023" summary="Nmap done at Sat Oct 28 13:23:25 2023; 1 IP address (1 host up) scanned in 84.39 seconds" elapsed="84.39" exit="success"/><hosts up="1" down="0" total="1"/>
+</runstats>
+</nmaprun>

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/tcp_49695_rpc_nmap.txt

@@ -0,0 +1,12 @@
+# Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv --reason -Pn -T4 -sV -p 49695 --script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/tcp_49695_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/xml/tcp_49695_rpc_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.46s latency).
+Scanned at 2023-10-28 14:27:56 CEST for 71s
+
+PORT      STATE SERVICE REASON          VERSION
+49695/tcp open  msrpc   syn-ack ttl 127 Microsoft Windows RPC
+Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:29:07 2023 -- 1 IP address (1 host up) scanned in 73.88 seconds

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/xml/tcp_49695_rpc_nmap.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 49695 -&#45;script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/tcp_49695_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/xml/tcp_49695_rpc_nmap.xml 10.129.243.131 -->
+<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 49695 -&#45;script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/tcp_49695_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/xml/tcp_49695_rpc_nmap.xml 10.129.243.131" start="1698496073" startstr="Sat Oct 28 14:27:53 2023" version="7.93" xmloutputversion="1.05">
+<scaninfo type="syn" protocol="tcp" numservices="1" services="49695"/>
+<verbose level="2"/>
+<debugging level="0"/>
+<taskbegin task="NSE" time="1698496076"/>
+<taskend task="NSE" time="1698496076"/>
+<taskbegin task="NSE" time="1698496076"/>
+<taskend task="NSE" time="1698496076"/>
+<taskbegin task="SYN Stealth Scan" time="1698496076"/>
+<taskend task="SYN Stealth Scan" time="1698496077" extrainfo="1 total ports"/>
+<taskbegin task="Service scan" time="1698496077"/>
+<taskend task="Service scan" time="1698496132" extrainfo="1 service on 1 host"/>
+<taskbegin task="NSE" time="1698496132"/>
+<taskend task="NSE" time="1698496147"/>
+<taskbegin task="NSE" time="1698496147"/>
+<taskend task="NSE" time="1698496147"/>
+<host starttime="1698496076" endtime="1698496147"><status state="up" reason="user-set" reason_ttl="0"/>
+<address addr="10.129.243.131" addrtype="ipv4"/>
+<hostnames>
+<hostname name="megacorp.htb" type="PTR"/>
+</hostnames>
+<ports><port protocol="tcp" portid="49695"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="msrpc" product="Microsoft Windows RPC" ostype="Windows" method="probed" conf="10"><cpe>cpe:/o:microsoft:windows</cpe></service></port>
+</ports>
+<times srtt="460057" rttvar="460057" to="1250000"/>
+</host>
+<taskbegin task="NSE" time="1698496147"/>
+<taskend task="NSE" time="1698496147"/>
+<taskbegin task="NSE" time="1698496147"/>
+<taskend task="NSE" time="1698496147"/>
+<runstats><finished time="1698496147" timestr="Sat Oct 28 14:29:07 2023" summary="Nmap done at Sat Oct 28 14:29:07 2023; 1 IP address (1 host up) scanned in 73.88 seconds" elapsed="73.88" exit="success"/><hosts up="1" down="0" total="1"/>
+</runstats>
+</nmaprun>

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/tcp_49843_rpc_nmap.txt

@@ -0,0 +1,12 @@
+# Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv --reason -Pn -T4 -sV -p 49843 --script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/tcp_49843_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/xml/tcp_49843_rpc_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.46s latency).
+Scanned at 2023-10-28 14:27:56 CEST for 71s
+
+PORT      STATE SERVICE REASON          VERSION
+49843/tcp open  msrpc   syn-ack ttl 127 Microsoft Windows RPC
+Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:29:07 2023 -- 1 IP address (1 host up) scanned in 73.91 seconds

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/xml/tcp_49843_rpc_nmap.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 49843 -&#45;script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/tcp_49843_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/xml/tcp_49843_rpc_nmap.xml 10.129.243.131 -->
+<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 49843 -&#45;script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/tcp_49843_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/xml/tcp_49843_rpc_nmap.xml 10.129.243.131" start="1698496073" startstr="Sat Oct 28 14:27:53 2023" version="7.93" xmloutputversion="1.05">
+<scaninfo type="syn" protocol="tcp" numservices="1" services="49843"/>
+<verbose level="2"/>
+<debugging level="0"/>
+<taskbegin task="NSE" time="1698496076"/>
+<taskend task="NSE" time="1698496076"/>
+<taskbegin task="NSE" time="1698496076"/>
+<taskend task="NSE" time="1698496076"/>
+<taskbegin task="SYN Stealth Scan" time="1698496076"/>
+<taskend task="SYN Stealth Scan" time="1698496077" extrainfo="1 total ports"/>
+<taskbegin task="Service scan" time="1698496077"/>
+<taskend task="Service scan" time="1698496132" extrainfo="1 service on 1 host"/>
+<taskbegin task="NSE" time="1698496132"/>
+<taskend task="NSE" time="1698496147"/>
+<taskbegin task="NSE" time="1698496147"/>
+<taskend task="NSE" time="1698496147"/>
+<host starttime="1698496076" endtime="1698496147"><status state="up" reason="user-set" reason_ttl="0"/>
+<address addr="10.129.243.131" addrtype="ipv4"/>
+<hostnames>
+<hostname name="megacorp.htb" type="PTR"/>
+</hostnames>
+<ports><port protocol="tcp" portid="49843"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="msrpc" product="Microsoft Windows RPC" ostype="Windows" method="probed" conf="10"><cpe>cpe:/o:microsoft:windows</cpe></service></port>
+</ports>
+<times srtt="461435" rttvar="461435" to="1250000"/>
+</host>
+<taskbegin task="NSE" time="1698496147"/>
+<taskend task="NSE" time="1698496147"/>
+<taskbegin task="NSE" time="1698496147"/>
+<taskend task="NSE" time="1698496147"/>
+<runstats><finished time="1698496147" timestr="Sat Oct 28 14:29:07 2023" summary="Nmap done at Sat Oct 28 14:29:07 2023; 1 IP address (1 host up) scanned in 73.91 seconds" elapsed="73.91" exit="success"/><hosts up="1" down="0" total="1"/>
+</runstats>
+</nmaprun>

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt

@@ -0,0 +1,26 @@
+# Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv --reason -Pn -T4 -sV -p 53 "--script=banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.035s latency).
+Scanned at 2023-10-28 14:27:57 CEST for 164s
+
+PORT   STATE SERVICE REASON          VERSION
+53/tcp open  domain? syn-ack ttl 127
+| dns-nsec-enum: 
+|_  No NSEC records found
+| fingerprint-strings: 
+|   SSLSessionReq: 
+|_    1e8NgBanmCRTbV2FJOqv
+| dns-nsec3-enum: 
+|_  DNSSEC NSEC3 not supported
+1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+SF-Port53-TCP:V=7.93%I=7%D=10/28%Time=653CFE83%P=x86_64-pc-linux-gnu%r(SSL
+SF:SessionReq,2C,"\0\*\x86L\x81\x82\0\x01\0\0\0\0\0\0\x141e8NgBanmCRTbV2FJ
+SF:Oqv\x03com\0\0\x1c\0\x01");
+
+Host script results:
+| dns-brute: 
+|_  DNS Brute-force hostnames: No results.
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:30:41 2023 -- 1 IP address (1 host up) scanned in 168.63 seconds

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_reverse-lookup.txt

@@ -0,0 +1,19 @@
+;; communications error to 10.129.243.131#53: timed out
+
+; <<>> DiG 9.18.11-2-Debian <<>> -p 53 -x 10.129.243.131 @10.129.243.131
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27975
+;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4000
+;; QUESTION SECTION:
+;131.243.129.10.in-addr.arpa.	IN	PTR
+
+;; Query time: 4536 msec
+;; SERVER: 10.129.243.131#53(10.129.243.131) (UDP)
+;; WHEN: Sat Oct 28 14:28:02 CEST 2023
+;; MSG SIZE  rcvd: 56
+
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_zone-transfer-domain.txt

@@ -0,0 +1,6 @@
+
+; <<>> DiG 9.18.11-2-Debian <<>> AXFR -p 53 @10.129.243.131 megacorp.htb
+; (1 server found)
+;; global options: +cmd
+; Transfer failed.
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_zone-transfer.txt

@@ -0,0 +1,11 @@
+;; communications error to 10.129.243.131#53: timed out
+
+; <<>> DiG 9.18.11-2-Debian <<>> AXFR -p 53 @10.129.243.131
+; (1 server found)
+;; global options: +cmd
+;; Query time: 4756 msec
+;; SERVER: 10.129.243.131#53(10.129.243.131) (UDP)
+;; WHEN: Sat Oct 28 14:28:03 CEST 2023
+;; MSG SIZE  rcvd: 28
+
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default.txt

@@ -0,0 +1,3 @@
+[*] std: Performing General Enumeration against: megacorp.htb...
+[-] Could not resolve domain: megacorp.htb
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml

@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 53 &quot;-&#45;script=banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)&quot; -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml 10.129.243.131 -->
+<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 53 &quot;-&#45;script=banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)&quot; -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml 10.129.243.131" start="1698496073" startstr="Sat Oct 28 14:27:53 2023" version="7.93" xmloutputversion="1.05">
+<scaninfo type="syn" protocol="tcp" numservices="1" services="53"/>
+<verbose level="2"/>
+<debugging level="0"/>
+<taskbegin task="NSE" time="1698496077"/>
+<taskend task="NSE" time="1698496077"/>
+<taskbegin task="NSE" time="1698496077"/>
+<taskend task="NSE" time="1698496077"/>
+<taskbegin task="NSE" time="1698496077"/>
+<taskend task="NSE" time="1698496077"/>
+<taskbegin task="SYN Stealth Scan" time="1698496077"/>
+<taskend task="SYN Stealth Scan" time="1698496077" extrainfo="1 total ports"/>
+<taskbegin task="Service scan" time="1698496077"/>
+<taskend task="Service scan" time="1698496225" extrainfo="1 service on 1 host"/>
+<taskbegin task="NSE" time="1698496225"/>
+<taskend task="NSE" time="1698496240"/>
+<taskbegin task="NSE" time="1698496240"/>
+<taskend task="NSE" time="1698496241"/>
+<taskbegin task="NSE" time="1698496241"/>
+<taskend task="NSE" time="1698496241"/>
+<host starttime="1698496077" endtime="1698496241"><status state="up" reason="user-set" reason_ttl="0"/>
+<address addr="10.129.243.131" addrtype="ipv4"/>
+<hostnames>
+<hostname name="megacorp.htb" type="PTR"/>
+</hostnames>
+<ports><port protocol="tcp" portid="53"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="domain" servicefp="SF-Port53-TCP:V=7.93%I=7%D=10/28%Time=653CFE83%P=x86_64-pc-linux-gnu%r(SSLSessionReq,2C,&quot;\0\*\x86L\x81\x82\0\x01\0\0\0\0\0\0\x141e8NgBanmCRTbV2FJOqv\x03com\0\0\x1c\0\x01&quot;);" method="table" conf="3"/><script id="dns-nsec-enum" output="&#xa;  No NSEC records found&#xa;"/><script id="fingerprint-strings" output="&#xa;  SSLSessionReq: &#xa;    1e8NgBanmCRTbV2FJOqv"><elem key="SSLSessionReq">&#xa;    1e8NgBanmCRTbV2FJOqv</elem>
+</script><script id="dns-nsec3-enum" output="&#xa;  DNSSEC NSEC3 not supported&#xa;"/></port>
+</ports>
+<hostscript><script id="dns-brute" output="&#xa;  DNS Brute-force hostnames: No results."><table key="DNS Brute-force hostnames">
+</table>
+</script></hostscript><times srtt="35361" rttvar="35361" to="176805"/>
+</host>
+<taskbegin task="NSE" time="1698496241"/>
+<taskend task="NSE" time="1698496241"/>
+<taskbegin task="NSE" time="1698496241"/>
+<taskend task="NSE" time="1698496241"/>
+<taskbegin task="NSE" time="1698496241"/>
+<taskend task="NSE" time="1698496241"/>
+<runstats><finished time="1698496241" timestr="Sat Oct 28 14:30:41 2023" summary="Nmap done at Sat Oct 28 14:30:41 2023; 1 IP address (1 host up) scanned in 168.63 seconds" elapsed="168.63" exit="success"/><hosts up="1" down="0" total="1"/>
+</runstats>
+</nmaprun>

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp593/tcp_593_rpc_rpcdump.txt

@@ -0,0 +1,880 @@
+Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
+
+[*] Retrieving endpoint list from 10.129.243.131
+Protocol: [MS-RSP]: Remote Shutdown Protocol
+Provider: wininit.exe
+UUID    : D95AFE70-A6D5-4259-822E-2C84DA1DDB0D v1.0
+Bindings:
+          ncacn_ip_tcp:10.129.243.131[49664]
+          ncalrpc:[WindowsShutdown]
+          ncacn_np:\\DC[\PIPE\InitShutdown]
+          ncalrpc:[WMsgKRpc089280]
+
+Protocol: N/A
+Provider: winlogon.exe
+UUID    : 76F226C3-EC14-4325-8A99-6A46348418AF v1.0
+Bindings:
+          ncalrpc:[WindowsShutdown]
+          ncacn_np:\\DC[\PIPE\InitShutdown]
+          ncalrpc:[WMsgKRpc089280]
+          ncalrpc:[WMsgKRpc08A621]
+
+Protocol: N/A
+Provider: N/A
+UUID    : D09BDEB5-6171-4A34-BFE2-06FA82652568 v1.0
+Bindings:
+          ncalrpc:[csebpub]
+          ncalrpc:[LRPC-6b54d635557b62ca53]
+          ncalrpc:[LRPC-e71821bbfb97e6ac17]
+          ncalrpc:[LRPC-6b4af19739a6d01556]
+          ncalrpc:[LRPC-baa5dfd3c285fa9f38]
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+          ncalrpc:[LRPC-e71821bbfb97e6ac17]
+          ncalrpc:[LRPC-6b4af19739a6d01556]
+          ncalrpc:[LRPC-baa5dfd3c285fa9f38]
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+          ncalrpc:[LRPC-6b4af19739a6d01556]
+          ncalrpc:[LRPC-baa5dfd3c285fa9f38]
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+          ncalrpc:[LRPC-9e83194e1e5674c55f]
+          ncalrpc:[LRPC-a91e72435259adddfa]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 697DCDA9-3BA9-4EB2-9247-E11F1901B0D2 v1.0
+Bindings:
+          ncalrpc:[LRPC-6b54d635557b62ca53]
+          ncalrpc:[LRPC-e71821bbfb97e6ac17]
+          ncalrpc:[LRPC-6b4af19739a6d01556]
+          ncalrpc:[LRPC-baa5dfd3c285fa9f38]
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 9B008953-F195-4BF9-BDE0-4471971E58ED v1.0
+Bindings:
+          ncalrpc:[LRPC-e71821bbfb97e6ac17]
+          ncalrpc:[LRPC-6b4af19739a6d01556]
+          ncalrpc:[LRPC-baa5dfd3c285fa9f38]
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : DD59071B-3215-4C59-8481-972EDADC0F6A v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 0D47017B-B33B-46AD-9E18-FE96456C5078 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 95406F0B-B239-4318-91BB-CEA3A46FF0DC v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 4ED8ABCC-F1E2-438B-981F-BB0E8ABC010C v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 0FF1F646-13BB-400A-AB50-9A78F2B7A85A v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 6982A06E-5FE2-46B1-B39C-A2C545BFA069 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 082A3471-31B6-422A-B931-A54401960C62 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : FAE436B0-B864-4A87-9EDA-298547CD82F2 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : E53D94CA-7464-4839-B044-09A2FB8B3AE5 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 178D84BE-9291-4994-82C6-3F909ACA5A03 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 4DACE966-A243-4450-AE3F-9B7BCB5315B8 v2.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 1832BCF6-CAB8-41D4-85D2-C9410764F75A v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : C521FACF-09A9-42C5-B155-72388595CBF0 v0.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 2C7FD9CE-E706-4B40-B412-953107EF9BB0 v0.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 88ABCBC3-34EA-76AE-8215-767520655A23 v0.0
+Bindings:
+          ncalrpc:[LRPC-baa5dfd3c285fa9f38]
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 76C217BC-C8B4-4201-A745-373AD9032B1A v1.0
+Bindings:
+          ncalrpc:[LRPC-baa5dfd3c285fa9f38]
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 55E6B932-1979-45D6-90C5-7F6270724112 v1.0
+Bindings:
+          ncalrpc:[LRPC-baa5dfd3c285fa9f38]
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 857FB1BE-084F-4FB5-B59C-4B2C4BE5F0CF v1.0
+Bindings:
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : B8CADBAF-E84B-46B9-84F2-6F71C03F9E55 v1.0
+Bindings:
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 20C40295-8DBA-48E6-AEBF-3E78EF3BB144 v1.0
+Bindings:
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 2513BCBE-6CD4-4348-855E-7EFB3C336DD3 v1.0
+Bindings:
+          ncalrpc:[LRPC-56be5249e855b3e1a2]
+          ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 0D3E2735-CEA0-4ECC-A9E2-41A2D81AED4E v1.0
+Bindings:
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : C605F9FB-F0A3-4E2A-A073-73560F8D9E3E v1.0
+Bindings:
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 1B37CA91-76B1-4F5E-A3C7-2ABFC61F2BB0 v1.0
+Bindings:
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 8BFC3BE1-6DEF-4E2D-AF74-7C47CD0ADE4A v1.0
+Bindings:
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 2D98A740-581D-41B9-AA0D-A88B9D5CE938 v1.0
+Bindings:
+          ncalrpc:[LRPC-b02c899b61b7b8f1c9]
+          ncalrpc:[actkernel]
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 0361AE94-0316-4C6C-8AD8-C594375800E2 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 5824833B-3C1A-4AD2-BDFD-C31D19E23ED2 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : BDAA0970-413B-4A3E-9E5D-F6DC9D7E0760 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 3B338D89-6CFA-44B8-847E-531531BC9992 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 8782D3B9-EBBD-4644-A3D8-E8725381919B v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 085B0334-E454-4D91-9B8C-4134F9E793F3 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 4BEC6BB8-B5C2-4B6F-B2C1-5DA5CF92D0D9 v1.0
+Bindings:
+          ncalrpc:[umpo]
+
+Protocol: N/A
+Provider: sysntfy.dll
+UUID    : C9AC6DB5-82B7-4E55-AE8A-E464ED7B4277 v1.0 Impl friendly name
+Bindings:
+          ncalrpc:[LRPC-78c65697da0c3cb9e7]
+          ncalrpc:[LRPC-5d1d91fbc9832f3673]
+          ncalrpc:[IUserProfile2]
+          ncalrpc:[LRPC-7f9f9d7e564fa27a15]
+          ncalrpc:[senssvc]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+          ncalrpc:[LRPC-2d7a6fcd1e6a5d90b0]
+          ncalrpc:[OLE59700168EED37EDF88950A0917DC]
+
+Protocol: N/A
+Provider: nsisvc.dll
+UUID    : 7EA70BCF-48AF-4F6A-8968-6A440754D5FA v1.0 NSI server endpoint
+Bindings:
+          ncalrpc:[LRPC-9ec11ee764d799175d]
+
+Protocol: N/A
+Provider: nrpsrv.dll
+UUID    : 30ADC50C-5CBC-46CE-9A0E-91914789E23C v1.0 NRP server endpoint
+Bindings:
+          ncalrpc:[LRPC-99bbae991f0f6e961a]
+
+Protocol: N/A
+Provider: N/A
+UUID    : E40F7B57-7A25-4CD3-A135-7F7D3DF9D16B v1.0 Network Connection Broker server endpoint
+Bindings:
+          ncalrpc:[LRPC-95313533ddc887d499]
+          ncalrpc:[OLE11E1ADACE4D3F3328245D6CF61B4]
+          ncalrpc:[LRPC-4f7c4b35ddfa33800c]
+          ncalrpc:[LRPC-9e83194e1e5674c55f]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 880FD55E-43B9-11E0-B1A8-CF4EDFD72085 v1.0 KAPI Service endpoint
+Bindings:
+          ncalrpc:[LRPC-95313533ddc887d499]
+          ncalrpc:[OLE11E1ADACE4D3F3328245D6CF61B4]
+          ncalrpc:[LRPC-4f7c4b35ddfa33800c]
+          ncalrpc:[LRPC-9e83194e1e5674c55f]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 5222821F-D5E2-4885-84F1-5F6185A0EC41 v1.0 Network Connection Broker server endpoint for NCB Reset module
+Bindings:
+          ncalrpc:[LRPC-4f7c4b35ddfa33800c]
+          ncalrpc:[LRPC-9e83194e1e5674c55f]
+
+Protocol: N/A
+Provider: N/A
+UUID    : A500D4C6-0DD1-4543-BC0C-D5F93486EAF8 v1.0
+Bindings:
+          ncalrpc:[LRPC-7d4055d4f64c73ef42]
+          ncalrpc:[LRPC-a91e72435259adddfa]
+
+Protocol: N/A
+Provider: dhcpcsvc.dll
+UUID    : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D5 v1.0 DHCP Client LRPC Endpoint
+Bindings:
+          ncalrpc:[dhcpcsvc]
+          ncalrpc:[dhcpcsvc6]
+
+Protocol: N/A
+Provider: dhcpcsvc6.dll
+UUID    : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D6 v1.0 DHCPv6 Client LRPC Endpoint
+Bindings:
+          ncalrpc:[dhcpcsvc6]
+
+Protocol: [MS-EVEN6]: EventLog Remoting Protocol
+Provider: wevtsvc.dll
+UUID    : F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C v1.0 Event log TCPIP
+Bindings:
+          ncacn_ip_tcp:10.129.243.131[49665]
+          ncacn_np:\\DC[\pipe\eventlog]
+          ncalrpc:[eventlog]
+
+Protocol: N/A
+Provider: gpsvc.dll
+UUID    : 2EB08E3E-639F-4FBA-97B1-14F878961076 v1.0 Group Policy RPC Interface
+Bindings:
+          ncalrpc:[LRPC-1e815b36ff28d761c1]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 3A9EF155-691D-4449-8D05-09AD57031823 v1.0
+Bindings:
+          ncacn_ip_tcp:10.129.243.131[49666]
+          ncalrpc:[LRPC-3e1dbf52587c9cea33]
+          ncalrpc:[ubpmtaskhostchannel]
+          ncacn_np:\\DC[\PIPE\atsvc]
+          ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
+
+Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
+Provider: schedsvc.dll
+UUID    : 86D35949-83C9-4044-B424-DB363231FD0C v1.0
+Bindings:
+          ncacn_ip_tcp:10.129.243.131[49666]
+          ncalrpc:[LRPC-3e1dbf52587c9cea33]
+          ncalrpc:[ubpmtaskhostchannel]
+          ncacn_np:\\DC[\PIPE\atsvc]
+          ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 33D84484-3626-47EE-8C6F-E7E98B113BE1 v2.0
+Bindings:
+          ncalrpc:[LRPC-3e1dbf52587c9cea33]
+          ncalrpc:[ubpmtaskhostchannel]
+          ncacn_np:\\DC[\PIPE\atsvc]
+          ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
+
+Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
+Provider: taskcomp.dll
+UUID    : 378E52B0-C0A9-11CF-822D-00AA0051E40F v1.0
+Bindings:
+          ncacn_np:\\DC[\PIPE\atsvc]
+          ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
+
+Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
+Provider: taskcomp.dll
+UUID    : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0
+Bindings:
+          ncacn_np:\\DC[\PIPE\atsvc]
+          ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
+
+Protocol: N/A
+Provider: schedsvc.dll
+UUID    : 0A74EF1C-41A4-4E06-83AE-DC74FB1CDD53 v1.0
+Bindings:
+          ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
+
+Protocol: N/A
+Provider: MPSSVC.dll
+UUID    : 2FB92682-6599-42DC-AE13-BD2CA89BD11C v1.0 Fw APIs
+Bindings:
+          ncalrpc:[LRPC-a3db541015ee3b4092]
+          ncalrpc:[LRPC-25295713f276d13d17]
+          ncalrpc:[LRPC-61500542b0c0f189c2]
+          ncalrpc:[LRPC-3a5ad18195f7896668]
+
+Protocol: N/A
+Provider: N/A
+UUID    : F47433C3-3E9D-4157-AAD4-83AA1F5C2D4C v1.0 Fw APIs
+Bindings:
+          ncalrpc:[LRPC-25295713f276d13d17]
+          ncalrpc:[LRPC-61500542b0c0f189c2]
+          ncalrpc:[LRPC-3a5ad18195f7896668]
+
+Protocol: N/A
+Provider: MPSSVC.dll
+UUID    : 7F9D11BF-7FB9-436B-A812-B2D50C5D4C03 v1.0 Fw APIs
+Bindings:
+          ncalrpc:[LRPC-61500542b0c0f189c2]
+          ncalrpc:[LRPC-3a5ad18195f7896668]
+
+Protocol: N/A
+Provider: BFE.DLL
+UUID    : DD490425-5325-4565-B774-7E27D6C09C24 v1.0 Base Firewall Engine API
+Bindings:
+          ncalrpc:[LRPC-3a5ad18195f7896668]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 7F1343FE-50A9-4927-A778-0C5859517BAC v1.0 DfsDs service
+Bindings:
+          ncacn_np:\\DC[\PIPE\wkssvc]
+          ncalrpc:[LRPC-0a9c64a79e96914cf8]
+
+Protocol: N/A
+Provider: N/A
+UUID    : EB081A0D-10EE-478A-A1DD-50995283E7A8 v3.0 Witness Client Test Interface
+Bindings:
+          ncalrpc:[LRPC-0a9c64a79e96914cf8]
+
+Protocol: N/A
+Provider: N/A
+UUID    : F2C9B409-C1C9-4100-8639-D8AB1486694A v1.0 Witness Client Upcall Server
+Bindings:
+          ncalrpc:[LRPC-0a9c64a79e96914cf8]
+
+Protocol: N/A
+Provider: N/A
+UUID    : C2D1B5DD-FA81-4460-9DD6-E7658B85454B v1.0
+Bindings:
+          ncalrpc:[LRPC-eeed9c661ca2875f9a]
+          ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
+
+Protocol: N/A
+Provider: N/A
+UUID    : F44E62AF-DAB1-44C2-8013-049A9DE417D6 v1.0
+Bindings:
+          ncalrpc:[LRPC-eeed9c661ca2875f9a]
+          ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 7AEB6705-3AE6-471A-882D-F39C109EDC12 v1.0
+Bindings:
+          ncalrpc:[LRPC-eeed9c661ca2875f9a]
+          ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
+
+Protocol: N/A
+Provider: N/A
+UUID    : E7F76134-9EF5-4949-A2D6-3368CC0988F3 v1.0
+Bindings:
+          ncalrpc:[LRPC-eeed9c661ca2875f9a]
+          ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
+
+Protocol: N/A
+Provider: N/A
+UUID    : B37F900A-EAE4-4304-A2AB-12BB668C0188 v1.0
+Bindings:
+          ncalrpc:[LRPC-eeed9c661ca2875f9a]
+          ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
+
+Protocol: N/A
+Provider: N/A
+UUID    : ABFB6CA3-0C5E-4734-9285-0AEE72FE8D1C v1.0
+Bindings:
+          ncalrpc:[LRPC-eeed9c661ca2875f9a]
+          ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
+
+Protocol: N/A
+Provider: N/A
+UUID    : C49A5A70-8A7F-4E70-BA16-1E8F1F193EF1 v1.0 Adh APIs
+Bindings:
+          ncalrpc:[OLE5FCB0823110EF79154A84BC1C955]
+          ncalrpc:[TeredoControl]
+          ncalrpc:[TeredoDiagnostics]
+          ncalrpc:[LRPC-2b9dd75a050dd32327]
+
+Protocol: N/A
+Provider: N/A
+UUID    : C36BE077-E14B-4FE9-8ABC-E856EF4F048B v1.0 Proxy Manager client server endpoint
+Bindings:
+          ncalrpc:[TeredoControl]
+          ncalrpc:[TeredoDiagnostics]
+          ncalrpc:[LRPC-2b9dd75a050dd32327]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 2E6035B2-E8F1-41A7-A044-656B439C4C34 v1.0 Proxy Manager provider server endpoint
+Bindings:
+          ncalrpc:[TeredoControl]
+          ncalrpc:[TeredoDiagnostics]
+          ncalrpc:[LRPC-2b9dd75a050dd32327]
+
+Protocol: N/A
+Provider: iphlpsvc.dll
+UUID    : 552D076A-CB29-4E44-8B6A-D15E59E2C0AF v1.0 IP Transition Configuration endpoint
+Bindings:
+          ncalrpc:[LRPC-2b9dd75a050dd32327]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 0D3C7F20-1C8D-4654-A1B3-51563B298BDA v1.0 UserMgrCli
+Bindings:
+          ncalrpc:[LRPC-0f23b80e8c8e8083c8]
+          ncalrpc:[OLE6A1CCA02AC4BF8BCCEB70B5744EE]
+
+Protocol: N/A
+Provider: N/A
+UUID    : B18FBAB6-56F8-4702-84E0-41053293A869 v1.0 UserMgrCli
+Bindings:
+          ncalrpc:[LRPC-0f23b80e8c8e8083c8]
+          ncalrpc:[OLE6A1CCA02AC4BF8BCCEB70B5744EE]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 51A227AE-825B-41F2-B4A9-1AC9557A1018 v1.0 Ngc Pop Key Service
+Bindings:
+          ncalrpc:[NETLOGON_LRPC]
+          ncacn_np:\\DC[\pipe\f646315b4c642943]
+          ncacn_http:10.129.243.131[49674]
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 8FB74744-B2FF-4C00-BE0D-9EF9A191FE1B v1.0 Ngc Pop Key Service
+Bindings:
+          ncalrpc:[NETLOGON_LRPC]
+          ncacn_np:\\DC[\pipe\f646315b4c642943]
+          ncacn_http:10.129.243.131[49674]
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+
+Protocol: N/A
+Provider: N/A
+UUID    : B25A52BF-E5DD-4F4A-AEA6-8CA7272A0E86 v2.0 KeyIso
+Bindings:
+          ncalrpc:[NETLOGON_LRPC]
+          ncacn_np:\\DC[\pipe\f646315b4c642943]
+          ncacn_http:10.129.243.131[49674]
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+
+Protocol: [MS-NRPC]: Netlogon Remote Protocol
+Provider: netlogon.dll
+UUID    : 12345678-1234-ABCD-EF00-01234567CFFB v1.0
+Bindings:
+          ncalrpc:[NETLOGON_LRPC]
+          ncacn_np:\\DC[\pipe\f646315b4c642943]
+          ncacn_http:10.129.243.131[49674]
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+
+Protocol: [MS-RAA]: Remote Authorization API Protocol
+Provider: N/A
+UUID    : 0B1C2170-5732-4E0E-8CD3-D9B16F3B84D7 v0.0 RemoteAccessCheck
+Bindings:
+          ncalrpc:[NETLOGON_LRPC]
+          ncacn_np:\\DC[\pipe\f646315b4c642943]
+          ncacn_http:10.129.243.131[49674]
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+          ncalrpc:[NETLOGON_LRPC]
+          ncacn_np:\\DC[\pipe\f646315b4c642943]
+          ncacn_http:10.129.243.131[49674]
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+
+Protocol: [MS-LSAT]: Local Security Authority (Translation Methods) Remote
+Provider: lsasrv.dll
+UUID    : 12345778-1234-ABCD-EF00-0123456789AB v0.0
+Bindings:
+          ncacn_np:\\DC[\pipe\f646315b4c642943]
+          ncacn_http:10.129.243.131[49674]
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+
+Protocol: [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol
+Provider: ntdsai.dll
+UUID    : E3514235-4B06-11D1-AB04-00C04FC2DCD2 v4.0 MS NT Directory DRS Interface
+Bindings:
+          ncacn_np:\\DC[\pipe\f646315b4c642943]
+          ncacn_http:10.129.243.131[49674]
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+
+Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol
+Provider: samsrv.dll
+UUID    : 12345778-1234-ABCD-EF00-0123456789AC v1.0
+Bindings:
+          ncacn_ip_tcp:10.129.243.131[49673]
+          ncalrpc:[NTDS_LPC]
+          ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
+          ncacn_ip_tcp:10.129.243.131[49667]
+          ncalrpc:[samss lpc]
+          ncalrpc:[SidKey Local End Point]
+          ncalrpc:[protected_storage]
+          ncalrpc:[lsasspirpc]
+          ncalrpc:[lsapolicylookup]
+          ncalrpc:[LSA_EAS_ENDPOINT]
+          ncalrpc:[lsacap]
+          ncalrpc:[LSARPC_ENDPOINT]
+          ncalrpc:[securityevent]
+          ncalrpc:[audit]
+          ncacn_np:\\DC[\pipe\lsass]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 1A0D010F-1C33-432C-B0F5-8CF4E8053099 v1.0 IdSegSrv service
+Bindings:
+          ncalrpc:[LRPC-f4293e3b5b9ae5cb28]
+
+Protocol: N/A
+Provider: srvsvc.dll
+UUID    : 98716D03-89AC-44C7-BB8C-285824E51C4A v1.0 XactSrv service
+Bindings:
+          ncalrpc:[LRPC-f4293e3b5b9ae5cb28]
+
+Protocol: N/A
+Provider: sysmain.dll
+UUID    : B58AA02E-2884-4E97-8176-4EE06D794184 v1.0
+Bindings:
+          ncalrpc:[LRPC-6ba6be7619ad5499b5]
+
+Protocol: N/A
+Provider: N/A
+UUID    : DF4DF73A-C52D-4E3A-8003-8437FDF8302A v0.0 WM_WindowManagerRPC\Server
+Bindings:
+          ncalrpc:[LRPC-e9c9cb51676dd7958e]
+
+Protocol: N/A
+Provider: IKEEXT.DLL
+UUID    : A398E520-D59A-4BDD-AA7A-3C1E0303A511 v1.0 IKE/Authip API
+Bindings:
+          ncalrpc:[LRPC-a6cbf0f8554ac2dd0e]
+
+Protocol: N/A
+Provider: N/A
+UUID    : 650A7E26-EAB8-5533-CE43-9C1DFCE11511 v1.0 Vpn APIs
+Bindings:
+          ncalrpc:[LRPC-78511121f1275f430c]
+          ncalrpc:[VpnikeRpc]
+          ncalrpc:[RasmanLrpc]
+          ncacn_np:\\DC[\PIPE\ROUTER]
+
+Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
+Provider: services.exe
+UUID    : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
+Bindings:
+          ncacn_ip_tcp:10.129.243.131[49678]
+
+Protocol: [MS-CMPO]: MSDTC Connection Manager:
+Provider: msdtcprx.dll
+UUID    : 906B0CE0-C70B-1067-B317-00DD010662DA v1.0
+Bindings:
+          ncalrpc:[LRPC-3bcaafee1590c0de20]
+          ncalrpc:[OLE17B51056E4D45A611212712C1451]
+          ncalrpc:[LRPC-9c5b8ea96b2f264739]
+          ncalrpc:[LRPC-9c5b8ea96b2f264739]
+          ncalrpc:[LRPC-9c5b8ea96b2f264739]
+
+Protocol: N/A
+Provider: N/A
+UUID    : F3F09FFD-FBCF-4291-944D-70AD6E0E73BB v1.0
+Bindings:
+          ncalrpc:[LRPC-802031e034c1f025bd]
+
+Protocol: [MS-DNSP]: Domain Name Service (DNS) Server Management
+Provider: dns.exe
+UUID    : 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 v5.0
+Bindings:
+          ncacn_ip_tcp:10.129.243.131[49695]
+
+Protocol: [MS-FRS2]: Distributed File System Replication Protocol
+Provider: dfsrmig.exe
+UUID    : 897E2E5F-93F3-4376-9C9C-FD2277495C27 v1.0 Frs2 Service
+Bindings:
+          ncacn_ip_tcp:10.129.243.131[49843]
+          ncalrpc:[OLECF74F747061ABA28294F2BDC6FF0]
+
+Protocol: N/A
+Provider: N/A
+UUID    : BF4DC912-E52F-4904-8EBE-9317C1BDD497 v1.0
+Bindings:
+          ncalrpc:[LRPC-92939372b55364a6c8]
+          ncalrpc:[OLE9D9AB6AB4D22AD38C10DD1548060]
+
+[*] Received 405 endpoints.
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp5985/tcp_5985_winrm-detection.txt

@@ -0,0 +1,2 @@
+WinRM was possibly detected running on tcp port 5985.
+Check _manual_commands.txt for manual commands you can run against this service.

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_curl.html

@@ -0,0 +1,50 @@
+HTTP/1.1 200 OK
+Content-Type: text/html
+Last-Modified: Fri, 20 Aug 2021 13:39:48 GMT
+Accept-Ranges: bytes
+ETag: "0eaf6d7c895d71:0"
+Server: Microsoft-IIS/10.0
+Date: Sat, 28 Oct 2023 13:05:55 GMT
+Content-Length: 1034
+
+<!DOCTYPE html>
+<html lang="en" >
+<head>
+  <meta charset="UTF-8">
+  <title>Slandovia Energy</title>
+  <link rel='stylesheet' href='https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.2/themes/smoothness/jquery-ui.css'><link rel="stylesheet" href="./style.css">
+<script src="https://cdnjs.cloudflare.com/ajax/libs/prefixfree/1.0.7/prefixfree.min.js"></script>
+
+</head>
+<body>
+<!-- partial:index.partial.html -->
+<link href='https://fonts.googleapis.com/css?family=Open+Sans|Maven+Pro:500' rel='stylesheet' type='text/css'>
+<div class="deco topdeco">
+  <span></span>
+  <span></span>
+  <span></span>
+  <span></span>
+  </div>
+
+  <h1>MegaCorp</h1>
+  <h3>
+    Slandovia Energy Grid
+  </h3>
+
+ <section class="list-wrap">
+
+   <label for="search-text">Check Status</label>
+  <input type="text" id="search-text" placeholder="search" class="search-box">
+    <span class="list-count"></span>
+
+
+<ul id="list">
+  <span class="empty-item">no results</span>
+</ul>
+   </section>
+
+<!-- partial -->
+<script  src="./script.js"></script>
+
+</body>
+</html>

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt

@@ -0,0 +1,21 @@
+200      GET       25l       72w      692c http://10.129.243.131/script.js
+200      GET      215l      294w     3166c http://10.129.243.131/style.css
+200      GET       41l       66w     1034c http://10.129.243.131/
+200      GET       41l       66w     1034c http://10.129.243.131/Index.html
+200      GET        8l      168w     1092c http://10.129.243.131/LICENSE.txt
+200      GET        1l       14w      116c http://10.129.243.131/Search.php
+200      GET       41l       66w     1034c http://10.129.243.131/index.html
+200      GET        8l      168w     1092c http://10.129.243.131/license.txt
+200      GET        1l       14w      116c http://10.129.243.131/search.php
+200      GET       25l       72w      692c http://10.129.243.131/script.js
+200      GET      215l      294w     3166c http://10.129.243.131/style.css
+200      GET       41l       66w     1034c http://10.129.243.131/
+200      GET       41l       66w     1034c http://10.129.243.131/Index.html
+200      GET        8l      168w     1092c http://10.129.243.131/LICENSE.txt
+200      GET        1l       14w      116c http://10.129.243.131/Search.php
+200      GET       41l       66w     1034c http://10.129.243.131/index.html
+200      GET        8l      168w     1092c http://10.129.243.131/license.txt
+200      GET        1l       14w      116c http://10.129.243.131/search.php
+200      GET        8l      168w     1092c http://10.129.243.131/License.txt
+200      GET        1l       14w      116c http://10.129.243.131/SEARCH.php
+200      GET       41l       66w     1034c http://10.129.243.131/INDEX.html

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt

@@ -0,0 +1,106 @@
+# Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.033s latency).
+Scanned at 2023-10-28 14:27:58 CEST for 128s
+
+Bug in http-security-headers: no string output.
+PORT   STATE SERVICE REASON          VERSION
+80/tcp open  http    syn-ack ttl 127 Microsoft IIS httpd 10.0
+| http-headers: 
+|   Content-Length: 1034
+|   Content-Type: text/html
+|   Last-Modified: Fri, 20 Aug 2021 13:39:48 GMT
+|   Accept-Ranges: bytes
+|   ETag: "0eaf6d7c895d71:0"
+|   Server: Microsoft-IIS/10.0
+|   Date: Sat, 28 Oct 2023 13:05:55 GMT
+|   Connection: close
+|   
+|_  (Request type: HEAD)
+|_http-config-backup: ERROR: Script execution failed (use -d to debug)
+|_http-server-header: Microsoft-IIS/10.0
+|_http-wordpress-enum: Nothing found amongst the top 100 resources,use --script-args search-limit=<number|all> for deeper analysis)
+|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
+| http-php-version: Logo query returned unknown hash a38e7a4db6688b811d52e1eab13a9b5c
+|_Credits query returned unknown hash a38e7a4db6688b811d52e1eab13a9b5c
+| http-methods: 
+|   Supported Methods: OPTIONS TRACE GET HEAD POST
+|_  Potentially risky methods: TRACE
+|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
+| http-comments-displayer: 
+| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=megacorp.htb
+|     
+|     Path: http://megacorp.htb:80/style.css
+|     Line number: 117
+|     Comment: 
+|         /*
+|         The following are styles purely for the surroundings
+|         */
+|     
+|     Path: http://megacorp.htb:80/
+|     Line number: 11
+|     Comment: 
+|         <!-- partial:index.partial.html -->
+|     
+|     Path: http://megacorp.htb:80/
+|     Line number: 37
+|     Comment: 
+|         <!-- partial -->
+|     
+|     Path: http://megacorp.htb:80/style.css
+|     Line number: 1
+|     Comment: 
+|_        /* this declares a better box model */
+|_http-fetch: Please enter the complete path of the directory to save data in.
+|_http-errors: Couldn't find any error pages.
+|_http-mobileversion-checker: No mobile version detected.
+| http-vhosts: 
+|_128 names had status 200
+|_http-dombased-xss: Couldn't find any DOM based XSS.
+|_http-jsonp-detection: Couldn't find any JSONP endpoints.
+| http-sitemap-generator: 
+|   Directory structure:
+|     /
+|       Other: 1; css: 1; js: 1
+|   Longest directory structure:
+|     Depth: 0
+|     Dir: /
+|   Total files found (by extension):
+|_    Other: 1; css: 1; js: 1
+| http-useragent-tester: 
+|   Status for browser useragent: 200
+|   Allowed User Agents: 
+|     Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
+|     libwww
+|     lwp-trivial
+|     libcurl-agent/1.0
+|     PHP/
+|     Python-urllib/2.5
+|     GT::WWW
+|     Snoopy
+|     MFC_Tear_Sample
+|     HTTP::Lite
+|     PHPCrawl
+|     URI::Fetch
+|     Zend_Http_Client
+|     http client
+|     PECL::HTTP
+|     Wget/1.13.4 (linux-gnu)
+|_    WWW-Mechanize/1.34
+|_http-drupal-enum: Nothing found amongst the top 100 resources,use --script-args number=<number|all> for deeper analysis)
+|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
+| http-referer-checker: 
+| Spidering limited to: maxpagecount=30
+|_  https://cdnjs.cloudflare.com:443/ajax/libs/prefixfree/1.0.7/prefixfree.min.js
+|_http-feed: Couldn't find any feeds.
+|_http-csrf: Couldn't find any CSRF vulnerabilities.
+|_http-chrono: Request times for /; avg: 159.55ms; min: 156.41ms; max: 162.52ms
+|_http-date: Sat, 28 Oct 2023 13:05:55 GMT; +37m49s from local time.
+|_http-title: Slandovia Energy
+|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
+|_http-malware-host: Host appears to be clean
+Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:30:06 2023 -- 1 IP address (1 host up) scanned in 133.76 seconds

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_whatweb.txt

@@ -0,0 +1,46 @@
+WhatWeb report for http://10.129.243.131:80
+Status    : 200 OK
+Title     : Slandovia Energy
+IP        : 10.129.243.131
+Country   : RESERVED, ZZ
+
+Summary   : HTML5, HTTPServer[Microsoft-IIS/10.0], Microsoft-IIS[10.0], Script
+
+Detected Plugins:
+[ HTML5 ]
+	HTML version 5, detected by the doctype declaration
+
+
+[ HTTPServer ]
+	HTTP server header string. This plugin also attempts to
+	identify the operating system from the server header.
+
+	String       : Microsoft-IIS/10.0 (from server string)
+
+[ Microsoft-IIS ]
+	Microsoft Internet Information Services (IIS) for Windows
+	Server is a flexible, secure and easy-to-manage Web server
+	for hosting anything on the Web. From media streaming to
+	web application hosting, IIS's scalable and open
+	architecture is ready to handle the most demanding tasks.
+
+	Version      : 10.0
+	Website     : http://www.iis.net/
+
+[ Script ]
+	This plugin detects instances of script HTML elements and
+	returns the script language/type.
+
+
+HTTP Headers:
+	HTTP/1.1 200 OK
+	Content-Type: text/html
+	Last-Modified: Fri, 20 Aug 2021 13:39:48 GMT
+	Accept-Ranges: bytes
+	ETag: "0eaf6d7c895d71:0"
+	Server: Microsoft-IIS/10.0
+	Date: Sat, 28 Oct 2023 13:05:55 GMT
+	Connection: close
+	Content-Length: 1034
+
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml

@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 80 &quot;-&#45;script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)&quot; -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml 10.129.243.131 -->
+<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 80 &quot;-&#45;script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)&quot; -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml 10.129.243.131" start="1698496073" startstr="Sat Oct 28 14:27:53 2023" version="7.93" xmloutputversion="1.05">
+<scaninfo type="syn" protocol="tcp" numservices="1" services="80"/>
+<verbose level="2"/>
+<debugging level="0"/>
+<taskbegin task="NSE" time="1698496077"/>
+<taskend task="NSE" time="1698496077"/>
+<taskbegin task="NSE" time="1698496077"/>
+<taskend task="NSE" time="1698496077"/>
+<taskbegin task="NSE" time="1698496077"/>
+<taskend task="NSE" time="1698496077"/>
+<taskbegin task="SYN Stealth Scan" time="1698496077"/>
+<taskend task="SYN Stealth Scan" time="1698496078" extrainfo="1 total ports"/>
+<taskbegin task="Service scan" time="1698496078"/>
+<taskend task="Service scan" time="1698496084" extrainfo="1 service on 1 host"/>
+<taskbegin task="NSE" time="1698496084"/>
+<taskprogress task="NSE" time="1698496115" percent="99.67" remaining="1" etc="1698496115"/>
+<taskprogress task="NSE" time="1698496145" percent="99.67" remaining="1" etc="1698496145"/>
+<taskprogress task="NSE" time="1698496175" percent="99.67" remaining="1" etc="1698496175"/>
+<taskprogress task="NSE" time="1698496205" percent="99.67" remaining="1" etc="1698496205"/>
+<taskend task="NSE" time="1698496206"/>
+<taskbegin task="NSE" time="1698496206"/>
+<taskend task="NSE" time="1698496206"/>
+<taskbegin task="NSE" time="1698496206"/>
+<taskend task="NSE" time="1698496206"/>
+<host starttime="1698496078" endtime="1698496206"><status state="up" reason="user-set" reason_ttl="0"/>
+<address addr="10.129.243.131" addrtype="ipv4"/>
+<hostnames>
+<hostname name="megacorp.htb" type="PTR"/>
+</hostnames>
+<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="http" product="Microsoft IIS httpd" version="10.0" ostype="Windows" method="probed" conf="10"><cpe>cpe:/a:microsoft:internet_information_services:10.0</cpe><cpe>cpe:/o:microsoft:windows</cpe></service><script id="http-headers" output="&#xa;  Content-Length: 1034&#xa;  Content-Type: text/html&#xa;  Last-Modified: Fri, 20 Aug 2021 13:39:48 GMT&#xa;  Accept-Ranges: bytes&#xa;  ETag: &quot;0eaf6d7c895d71:0&quot;&#xa;  Server: Microsoft-IIS/10.0&#xa;  Date: Sat, 28 Oct 2023 13:05:55 GMT&#xa;  Connection: close&#xa;  &#xa;  (Request type: HEAD)&#xa;"/><script id="http-config-backup" output="ERROR: Script execution failed (use -d to debug)"/><script id="http-server-header" output="Microsoft-IIS/10.0"><elem>Microsoft-IIS/10.0</elem>
+</script><script id="http-wordpress-enum" output="Nothing found amongst the top 100 resources,use -&#45;script-args search-limit=&lt;number|all&gt; for deeper analysis)"/><script id="http-stored-xss" output="Couldn&apos;t find any stored XSS vulnerabilities."/><script id="http-php-version" output="Logo query returned unknown hash a38e7a4db6688b811d52e1eab13a9b5c&#xa;Credits query returned unknown hash a38e7a4db6688b811d52e1eab13a9b5c"/><script id="http-methods" output="&#xa;  Supported Methods: OPTIONS TRACE GET HEAD POST&#xa;  Potentially risky methods: TRACE"><table key="Supported Methods">
+<elem>OPTIONS</elem>
+<elem>TRACE</elem>
+<elem>GET</elem>
+<elem>HEAD</elem>
+<elem>POST</elem>
+</table>
+<table key="Potentially risky methods">
+<elem>TRACE</elem>
+</table>
+</script><script id="http-litespeed-sourcecode-download" output="Request with null byte did not work. This web server might not be vulnerable"/><script id="http-comments-displayer" output="&#xa;Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=megacorp.htb&#xa;    &#xa;    Path: http://megacorp.htb:80/style.css&#xa;    Line number: 117&#xa;    Comment: &#xa;        /*&#xa;        The following are styles purely for the surroundings&#xa;        */&#xa;    &#xa;    Path: http://megacorp.htb:80/&#xa;    Line number: 11&#xa;    Comment: &#xa;        &lt;!-&#45; partial:index.partial.html -&#45;&gt;&#xa;    &#xa;    Path: http://megacorp.htb:80/&#xa;    Line number: 37&#xa;    Comment: &#xa;        &lt;!-&#45; partial -&#45;&gt;&#xa;    &#xa;    Path: http://megacorp.htb:80/style.css&#xa;    Line number: 1&#xa;    Comment: &#xa;        /* this declares a better box model */&#xa;"/><script id="http-fetch" output="Please enter the complete path of the directory to save data in."><elem key="ERROR">Please enter the complete path of the directory to save data in.</elem>
+</script><script id="http-errors" output="Couldn&apos;t find any error pages."/><script id="http-mobileversion-checker" output="No mobile version detected."/><script id="http-vhosts" output="&#xa;128 names had status 200"/><script id="http-dombased-xss" output="Couldn&apos;t find any DOM based XSS."/><script id="http-jsonp-detection" output="Couldn&apos;t find any JSONP endpoints."/><script id="http-sitemap-generator" output="&#xa;  Directory structure:&#xa;    /&#xa;      Other: 1; css: 1; js: 1&#xa;  Longest directory structure:&#xa;    Depth: 0&#xa;    Dir: /&#xa;  Total files found (by extension):&#xa;    Other: 1; css: 1; js: 1&#xa;"/><script id="http-useragent-tester" output="&#xa;  Status for browser useragent: 200&#xa;  Allowed User Agents: &#xa;    Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)&#xa;    libwww&#xa;    lwp-trivial&#xa;    libcurl-agent/1.0&#xa;    PHP/&#xa;    Python-urllib/2.5&#xa;    GT::WWW&#xa;    Snoopy&#xa;    MFC_Tear_Sample&#xa;    HTTP::Lite&#xa;    PHPCrawl&#xa;    URI::Fetch&#xa;    Zend_Http_Client&#xa;    http client&#xa;    PECL::HTTP&#xa;    Wget/1.13.4 (linux-gnu)&#xa;    WWW-Mechanize/1.34"><elem key="Status for browser useragent">200</elem>
+<table key="Allowed User Agents">
+<elem>Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)</elem>
+<elem>libwww</elem>
+<elem>lwp-trivial</elem>
+<elem>libcurl-agent/1.0</elem>
+<elem>PHP/</elem>
+<elem>Python-urllib/2.5</elem>
+<elem>GT::WWW</elem>
+<elem>Snoopy</elem>
+<elem>MFC_Tear_Sample</elem>
+<elem>HTTP::Lite</elem>
+<elem>PHPCrawl</elem>
+<elem>URI::Fetch</elem>
+<elem>Zend_Http_Client</elem>
+<elem>http client</elem>
+<elem>PECL::HTTP</elem>
+<elem>Wget/1.13.4 (linux-gnu)</elem>
+<elem>WWW-Mechanize/1.34</elem>
+</table>
+</script><script id="http-drupal-enum" output="Nothing found amongst the top 100 resources,use -&#45;script-args number=&lt;number|all&gt; for deeper analysis)"/><script id="http-devframework" output="Couldn&apos;t determine the underlying framework or CMS. Try increasing &apos;httpspider.maxpagecount&apos; value to spider more pages."/><script id="http-referer-checker" output="&#xa;Spidering limited to: maxpagecount=30&#xa;  https://cdnjs.cloudflare.com:443/ajax/libs/prefixfree/1.0.7/prefixfree.min.js&#xa;"/><script id="http-feed" output="Couldn&apos;t find any feeds."/><script id="http-csrf" output="Couldn&apos;t find any CSRF vulnerabilities."/><script id="http-chrono" output="Request times for /; avg: 159.55ms; min: 156.41ms; max: 162.52ms"/><script id="http-security-headers" output=""></script><script id="http-date" output="Sat, 28 Oct 2023 13:05:55 GMT; +37m49s from local time."><elem key="date">2023-10-28T13:05:55+00:00</elem>
+<elem key="delta">2269.0</elem>
+</script><script id="http-title" output="Slandovia Energy"><elem key="title">Slandovia Energy</elem>
+</script><script id="http-wordpress-users" output="[Error] Wordpress installation was not found. We couldn&apos;t find wp-login.php"/><script id="http-malware-host" output="Host appears to be clean"/></port>
+</ports>
+<times srtt="32870" rttvar="32870" to="164350"/>
+</host>
+<taskbegin task="NSE" time="1698496206"/>
+<taskend task="NSE" time="1698496206"/>
+<taskbegin task="NSE" time="1698496206"/>
+<taskend task="NSE" time="1698496206"/>
+<taskbegin task="NSE" time="1698496206"/>
+<taskend task="NSE" time="1698496206"/>
+<runstats><finished time="1698496206" timestr="Sat Oct 28 14:30:06 2023" summary="Nmap done at Sat Oct 28 14:30:06 2023; 1 IP address (1 host up) scanned in 133.76 seconds" elapsed="133.76" exit="success"/><hosts up="1" down="0" total="1"/>
+</runstats>
+</nmaprun>

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt

@@ -0,0 +1,12 @@
+# Nmap 7.93 scan initiated Sat Oct 28 15:03:54 2023 as: nmap -vv --reason -T4 -sV -p 88 --script=banner,krb5-enum-users -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received echo-reply ttl 127 (0.063s latency).
+Scanned at 2023-10-28 15:03:54 CEST for 17s
+
+PORT   STATE SERVICE      REASON          VERSION
+88/tcp open  kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-10-28 13:04:01Z)
+Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 15:04:11 2023 -- 1 IP address (1 host up) scanned in 17.28 seconds

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.93 scan initiated Sat Oct 28 15:03:54 2023 as: nmap -vv -&#45;reason -T4 -sV -p 88 -&#45;script=banner,krb5-enum-users -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml 10.129.243.131 -->
+<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -T4 -sV -p 88 -&#45;script=banner,krb5-enum-users -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml 10.129.243.131" start="1698498234" startstr="Sat Oct 28 15:03:54 2023" version="7.93" xmloutputversion="1.05">
+<scaninfo type="syn" protocol="tcp" numservices="1" services="88"/>
+<verbose level="2"/>
+<debugging level="0"/>
+<taskbegin task="NSE" time="1698498234"/>
+<taskend task="NSE" time="1698498234"/>
+<taskbegin task="NSE" time="1698498234"/>
+<taskend task="NSE" time="1698498234"/>
+<taskbegin task="Ping Scan" time="1698498234"/>
+<hosthint><status state="up" reason="unknown-response" reason_ttl="0"/>
+<address addr="10.129.243.131" addrtype="ipv4"/>
+<hostnames>
+</hostnames>
+</hosthint>
+<taskend task="Ping Scan" time="1698498234" extrainfo="1 total hosts"/>
+<taskbegin task="SYN Stealth Scan" time="1698498234"/>
+<taskend task="SYN Stealth Scan" time="1698498234" extrainfo="1 total ports"/>
+<taskbegin task="Service scan" time="1698498234"/>
+<taskend task="Service scan" time="1698498241" extrainfo="1 service on 1 host"/>
+<taskbegin task="NSE" time="1698498241"/>
+<taskend task="NSE" time="1698498251"/>
+<taskbegin task="NSE" time="1698498251"/>
+<taskend task="NSE" time="1698498251"/>
+<host starttime="1698498234" endtime="1698498251"><status state="up" reason="echo-reply" reason_ttl="127"/>
+<address addr="10.129.243.131" addrtype="ipv4"/>
+<hostnames>
+<hostname name="megacorp.htb" type="PTR"/>
+</hostnames>
+<ports><port protocol="tcp" portid="88"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="kerberos-sec" product="Microsoft Windows Kerberos" extrainfo="server time: 2023-10-28 13:04:01Z" ostype="Windows" method="probed" conf="10"><cpe>cpe:/a:microsoft:kerberos</cpe><cpe>cpe:/o:microsoft:windows</cpe></service></port>
+</ports>
+<times srtt="63304" rttvar="49640" to="261864"/>
+</host>
+<taskbegin task="NSE" time="1698498251"/>
+<taskend task="NSE" time="1698498251"/>
+<taskbegin task="NSE" time="1698498251"/>
+<taskend task="NSE" time="1698498251"/>
+<runstats><finished time="1698498251" timestr="Sat Oct 28 15:04:11 2023" summary="Nmap done at Sat Oct 28 15:04:11 2023; 1 IP address (1 host up) scanned in 17.28 seconds" elapsed="17.28" exit="success"/><hosts up="1" down="0" total="1"/>
+</runstats>
+</nmaprun>

LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt

@@ -0,0 +1,13 @@
+# Nmap 7.93 scan initiated Sat Oct 28 14:53:13 2023 as: nmap -vv --reason -Pn -T4 -sU -sV -p 123 "--script=banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.061s latency).
+Scanned at 2023-10-28 14:53:15 CEST for 10s
+
+PORT    STATE SERVICE REASON               VERSION
+123/udp open  ntp     udp-response ttl 127 NTP v3
+| ntp-info: 
+|_  receive time stamp: 2023-10-28T12:53:27
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:53:25 2023 -- 1 IP address (1 host up) scanned in 11.83 seconds