laokoon

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/notes.txt

@@ -0,0 +1,244 @@
+[*] domain found on tcp/53.
+
+
+
+[*] http found on tcp/80.
+
+
+
+[*] kerberos-sec found on tcp/88.
+
+
+
+[*] msrpc found on tcp/135.
+
+
+
+[*] netbios-ssn found on tcp/139.
+
+
+
+[*] ldap found on tcp/389.
+
+
+
+[*] microsoft-ds found on tcp/445.
+
+
+
+[*] kpasswd5 found on tcp/464.
+
+
+
+[*] ncacn_http found on tcp/593.
+
+
+
+[*] tcpwrapped found on tcp/636.
+
+
+
+[*] ldap found on tcp/3268.
+
+
+
+[*] tcpwrapped found on tcp/3269.
+
+
+
+[*] wsman found on tcp/5985.
+
+
+
+[*] mc-nmf found on tcp/9389.
+
+
+
+[*] msrpc found on tcp/49667.
+
+
+
+[*] msrpc found on tcp/49673.
+
+
+
+[*] ncacn_http found on tcp/49674.
+
+
+
+[*] msrpc found on tcp/49695.
+
+
+
+[*] msrpc found on tcp/49843.
+
+
+
+[*] domain found on tcp/53.
+
+
+
+[*] http found on tcp/80.
+
+
+
+[*] kerberos-sec found on tcp/88.
+
+
+
+[*] msrpc found on tcp/135.
+
+
+
+[*] netbios-ssn found on tcp/139.
+
+
+
+[*] ldap found on tcp/389.
+
+
+
+[*] microsoft-ds found on tcp/445.
+
+
+
+[*] kpasswd5 found on tcp/464.
+
+
+
+[*] ncacn_http found on tcp/593.
+
+
+
+[*] tcpwrapped found on tcp/636.
+
+
+
+[*] ldap found on tcp/3268.
+
+
+
+[*] tcpwrapped found on tcp/3269.
+
+
+
+[*] wsman found on tcp/5985.
+
+
+
+[*] mc-nmf found on tcp/9389.
+
+
+
+[*] unknown found on tcp/49667.
+
+
+
+[*] unknown found on tcp/49673.
+
+
+
+[*] ncacn_http found on tcp/49674.
+
+
+
+[*] unknown found on tcp/49695.
+
+
+
+[*] unknown found on tcp/49843.
+
+
+
+[*] domain found on udp/53.
+
+
+
+[*] ntp found on udp/123.
+
+
+
+[*] domain found on tcp/53.
+
+
+
+[*] http found on tcp/80.
+
+
+
+[*] kerberos-sec found on tcp/88.
+
+
+
+[*] msrpc found on tcp/135.
+
+
+
+[*] netbios-ssn found on tcp/139.
+
+
+
+[*] ldap found on tcp/389.
+
+
+
+[*] microsoft-ds found on tcp/445.
+
+
+
+[*] kpasswd5 found on tcp/464.
+
+
+
+[*] ncacn_http found on tcp/593.
+
+
+
+[*] tcpwrapped found on tcp/636.
+
+
+
+[*] ldap found on tcp/3268.
+
+
+
+[*] tcpwrapped found on tcp/3269.
+
+
+
+[*] wsman found on tcp/5985.
+
+
+
+[*] mc-nmf found on tcp/9389.
+
+
+
+[*] msrpc found on tcp/49667.
+
+
+
+[*] ncacn_http found on tcp/49674.
+
+
+
+[*] msrpc found on tcp/49695.
+
+
+
+[*] msrpc found on tcp/49843.
+
+
+
+[*] domain found on udp/53.
+
+
+
+[*] kerberos-sec found on udp/88.
+
+
+
+[*] ntp found on udp/123.
+
+
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Commands.md

@@ -0,0 +1,177 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
+
+dig -p 53 -x 10.129.243.131 @10.129.243.131
+
+dig AXFR -p 53 @10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131
+
+feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
+
+curl -sSikf http://10.129.243.131:80/.well-known/security.txt
+
+curl -sSikf http://10.129.243.131:80/robots.txt
+
+curl -sSik http://10.129.243.131:80/
+
+nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131
+
+whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1
+
+wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
+
+nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131
+
+impacket-getArch -target 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131
+
+impacket-rpcdump -port 135 10.129.243.131
+
+enum4linux -a -M -l -d 10.129.243.131 2>&1
+
+nbtscan -rvh 10.129.243.131 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131
+
+smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
+
+smbmap -H 10.129.243.131 -P 139 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131
+
+smbmap -H 10.129.243.131 -P 445 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131
+
+impacket-rpcdump -port 593 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 49667 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/tcp_49667_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/xml/tcp_49667_rpc_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 49673 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/tcp_49673_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/xml/tcp_49673_rpc_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 49695 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/tcp_49695_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/xml/tcp_49695_rpc_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 49843 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/tcp_49843_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/xml/tcp_49843_rpc_nmap.xml" 10.129.243.131
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1
+
+smbmap -H 10.129.243.131 -P 139 -R 2>&1
+
+smbmap -H 10.129.243.131 -P 445 -R 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1
+
+smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+
+smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
+
+dig -p 53 -x 10.129.243.131 @10.129.243.131
+
+dig AXFR -p 53 @10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131
+
+feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
+
+curl -sSikf http://10.129.243.131:80/.well-known/security.txt
+
+curl -sSikf http://10.129.243.131:80/robots.txt
+
+curl -sSik http://10.129.243.131:80/
+
+nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131
+
+whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1
+
+wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
+
+nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131
+
+impacket-getArch -target 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131
+
+impacket-rpcdump -port 135 10.129.243.131
+
+enum4linux -a -M -l -d 10.129.243.131 2>&1
+
+nbtscan -rvh 10.129.243.131 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131
+
+smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
+
+smbmap -H 10.129.243.131 -P 139 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131
+
+smbmap -H 10.129.243.131 -P 445 2>&1
+
+nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131
+
+impacket-rpcdump -port 593 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1
+
+smbmap -H 10.129.243.131 -P 139 -R 2>&1
+
+smbmap -H 10.129.243.131 -P 445 -R 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1
+
+smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+
+smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+
+dig -p 53 -x 10.129.243.131 @10.129.243.131
+
+dig AXFR -p 53 @10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml" 10.129.243.131
+
+nmap -vv --reason -Pn -T4 -sU -sV -p 123 --script="banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml" 10.129.243.131
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Errors.md

@@ -0,0 +1,56 @@
+```
+[*] Service scan DNS Reverse Lookup (tcp/53/domain/dns-reverse-lookup) ran a command which returned a non-zero exit code (9).
+[-] Command: dig -p 53 -x 10.129.243.131 @10.129.243.131
+[-] Error Output:
+
+
+[*] Service scan DNS Zone Transfer (tcp/53/domain/dns-zone-transfer) ran a command which returned a non-zero exit code (9).
+[-] Command: dig AXFR -p 53 @10.129.243.131
+[-] Error Output:
+
+
+[*] Service scan wkhtmltoimage (tcp/80/http/wkhtmltoimage) ran a command which returned a non-zero exit code (1).
+[-] Command: wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
+[-] Error Output:
+QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
+Loading page (1/2)
+[>                                                           ] 0%
+[==============================>                             ] 50%
+[==============================>                             ] 50%
+Warning: Failed to load https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.2/themes/smoothness/jquery-ui.css (ignore)
+Error: Failed to load https://fonts.googleapis.com/css?family=Open+Sans%7CMaven+Pro:500, with network status code 3 and http status code 0 - Host fonts.googleapis.com not found
+Error: Failed to load https://cdnjs.cloudflare.com/ajax/libs/prefixfree/1.0.7/prefixfree.min.js, with network status code 3 and http status code 0 - Host cdnjs.cloudflare.com not found
+libva info: VA-API version 1.17.0
+libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
+libva info: Found init function __vaDriverInit_1_17
+libva error: /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so init failed
+libva info: va_openDriver() returns 1
+libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so
+libva info: Found init function __vaDriverInit_1_8
+libva info: va_openDriver() returns 0
+[============================================================] 100%
+Rendering (2/2)
+[>                                                           ] 0%
+[===============>                                            ] 25%
+[============================================================] 100%
+Done
+Exit with code 1 due to network error: HostNotFoundError
+
+
+[*] Service scan SMBClient (tcp/139/netbios-ssn/smbclient) ran a command which returned a non-zero exit code (1).
+[-] Command: smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
+[-] Error Output:
+
+
+[*] Service scan DNS Reverse Lookup (tcp/53/domain/dns-reverse-lookup) ran a command which returned a non-zero exit code (9).
+[-] Command: dig -p 53 -x 10.129.243.131 @10.129.243.131
+[-] Error Output:
+
+
+[*] Service scan DNS Zone Transfer (tcp/53/domain/dns-zone-transfer) ran a command which returned a non-zero exit code (9).
+[-] Command: dig AXFR -p 53 @10.129.243.131
+[-] Error Output:
+
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Manual Commands.md

@@ -0,0 +1,221 @@
+```bash
+[*] domain on tcp/53
+
+	[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt
+
+	[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt
+
+[*] http on tcp/80
+
+	[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
+
+		feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
+
+	[-] Credential bruteforcing commands (don't run these without modifying them):
+
+		hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area
+
+		medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area
+
+		hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
+
+		medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
+
+	[-] (nikto) old but generally reliable web server enumeration tool:
+
+		nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt"
+
+	[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
+
+		wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt"
+
+[*] msrpc on tcp/135
+
+	[-] RPC Client:
+
+		rpcclient -p 135 -U "" 10.129.243.131
+
+[*] netbios-ssn on tcp/139
+
+	[-] Bruteforce SMB
+
+		crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
+
+	[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
+
+		nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131
+
+[*] ldap on tcp/389
+
+	[-] ldapsearch command (modify before running):
+
+		ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt"
+
+[*] microsoft-ds on tcp/445
+
+	[-] Bruteforce SMB
+
+		crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
+
+	[-] Lookup SIDs
+
+		impacket-lookupsid '[username]:[password]@10.129.243.131'
+
+	[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
+
+		nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131
+
+[*] ldap on tcp/3268
+
+	[-] ldapsearch command (modify before running):
+
+		ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt"
+
+[*] wsman on tcp/5985
+
+	[-] Bruteforce logins:
+
+		crackmapexec winrm 10.129.243.131 -d '<domain>' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
+
+	[-] Check login (requires credentials):
+
+		crackmapexec winrm 10.129.243.131 -d '<domain>' -u '<username>' -p '<password>'
+
+	[-] Evil WinRM (gem install evil-winrm):
+
+		evil-winrm -u '<user>' -p '<password>' -i 10.129.243.131
+
+		evil-winrm -u '<user>' -H '<hash>' -i 10.129.243.131
+
+[*] msrpc on tcp/49667
+
+	[-] RPC Client:
+
+		rpcclient -p 49667 -U "" 10.129.243.131
+
+[*] msrpc on tcp/49673
+
+	[-] RPC Client:
+
+		rpcclient -p 49673 -U "" 10.129.243.131
+
+[*] msrpc on tcp/49695
+
+	[-] RPC Client:
+
+		rpcclient -p 49695 -U "" 10.129.243.131
+
+[*] msrpc on tcp/49843
+
+	[-] RPC Client:
+
+		rpcclient -p 49843 -U "" 10.129.243.131
+
+[*] domain on tcp/53
+
+	[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt
+
+	[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt
+
+[*] http on tcp/80
+
+	[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
+
+		feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
+
+	[-] Credential bruteforcing commands (don't run these without modifying them):
+
+		hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area
+
+		medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area
+
+		hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
+
+		medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
+
+	[-] (nikto) old but generally reliable web server enumeration tool:
+
+		nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt"
+
+	[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
+
+		wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt"
+
+[*] msrpc on tcp/135
+
+	[-] RPC Client:
+
+		rpcclient -p 135 -U "" 10.129.243.131
+
+[*] netbios-ssn on tcp/139
+
+	[-] Bruteforce SMB
+
+		crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
+
+	[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
+
+		nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131
+
+[*] ldap on tcp/389
+
+	[-] ldapsearch command (modify before running):
+
+		ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt"
+
+[*] microsoft-ds on tcp/445
+
+	[-] Bruteforce SMB
+
+		crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
+
+	[-] Lookup SIDs
+
+		impacket-lookupsid '[username]:[password]@10.129.243.131'
+
+	[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
+
+		nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131
+
+[*] ldap on tcp/3268
+
+	[-] ldapsearch command (modify before running):
+
+		ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt"
+
+[*] wsman on tcp/5985
+
+	[-] Bruteforce logins:
+
+		crackmapexec winrm 10.129.243.131 -d '<domain>' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
+
+	[-] Check login (requires credentials):
+
+		crackmapexec winrm 10.129.243.131 -d '<domain>' -u '<username>' -p '<password>'
+
+	[-] Evil WinRM (gem install evil-winrm):
+
+		evil-winrm -u '<user>' -p '<password>' -i 10.129.243.131
+
+		evil-winrm -u '<user>' -H '<hash>' -i 10.129.243.131
+
+[*] domain on udp/53
+
+	[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_subdomain_bruteforce.txt
+
+	[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
+
+		dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_default_manual.txt
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Patterns.md

@@ -0,0 +1,4 @@
+Identified Architecture: 64-bit
+
+Identified HTTP Server: Microsoft-IIS/10.0
+

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - All TCP Ports.md

@@ -0,0 +1,82 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:45:06 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml 10.129.243.131
+adjust_timeouts2: packet supposedly had rtt of 9072738 microseconds.  Ignoring time.
+adjust_timeouts2: packet supposedly had rtt of 9072738 microseconds.  Ignoring time.
+adjust_timeouts2: packet supposedly had rtt of 9146057 microseconds.  Ignoring time.
+adjust_timeouts2: packet supposedly had rtt of 9146057 microseconds.  Ignoring time.
+adjust_timeouts2: packet supposedly had rtt of 9198674 microseconds.  Ignoring time.
+adjust_timeouts2: packet supposedly had rtt of 9198674 microseconds.  Ignoring time.
+adjust_timeouts2: packet supposedly had rtt of 9287917 microseconds.  Ignoring time.
+adjust_timeouts2: packet supposedly had rtt of 9287917 microseconds.  Ignoring time.
+Nmap scan report for 10.129.243.131
+Host is up, received user-set (0.046s latency).
+Scanned at 2023-10-28 13:45:20 CEST for 873s
+Not shown: 65516 filtered tcp ports (no-response)
+PORT      STATE SERVICE       REASON          VERSION
+53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
+80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
+|_http-server-header: Microsoft-IIS/10.0
+| http-methods: 
+|_  Supported Methods: GET HEAD OPTIONS
+|_http-title: Slandovia Energy
+88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-10-28 12:58:41Z)
+135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
+139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
+389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
+445/tcp   open  microsoft-ds? syn-ack ttl 127
+464/tcp   open  kpasswd5?     syn-ack ttl 127
+593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
+636/tcp   open  tcpwrapped    syn-ack ttl 127
+3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
+3269/tcp  open  tcpwrapped    syn-ack ttl 127
+5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+|_http-server-header: Microsoft-HTTPAPI/2.0
+|_http-title: Not Found
+9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
+49667/tcp open  unknown       syn-ack ttl 127
+49673/tcp open  unknown       syn-ack ttl 127
+49674/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
+49695/tcp open  unknown       syn-ack ttl 127
+49843/tcp open  unknown       syn-ack ttl 127
+Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
+Device type: WAP|phone
+Running: Linux 2.4.X|2.6.X, Sony Ericsson embedded
+OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz
+OS details: Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone
+TCP/IP fingerprint:
+OS:SCAN(V=7.93%E=4%D=10/28%OT=53%CT=%CU=%PV=Y%G=N%TM=653CF7B9%P=x86_64-pc-l
+OS:inux-gnu)ECN(R=N)T1(R=N)T2(R=N)T3(R=N)T4(R=N)U1(R=N)IE(R=N)
+
+Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Host script results:
+|_clock-skew: 59m59s
+| p2p-conficker: 
+|   Checking for Conficker.C or higher...
+|   Check 1 (port 25314/tcp): CLEAN (Timeout)
+|   Check 2 (port 10793/tcp): CLEAN (Timeout)
+|   Check 3 (port 25536/udp): CLEAN (Timeout)
+|   Check 4 (port 25523/udp): CLEAN (Timeout)
+|_  0/4 checks are positive: Host is CLEAN or ports are blocked
+| smb2-security-mode: 
+|   311: 
+|_    Message signing enabled and required
+| smb2-time: 
+|   date: 2023-10-28T12:59:18
+|_  start_date: N/A
+
+TRACEROUTE (using port 80/tcp)
+HOP RTT    ADDRESS
+1   ... 30
+
+Read data files from: /usr/bin/../share/nmap
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:59:53 2023 -- 1 IP address (1 host up) scanned in 887.79 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - Top 100 UDP Ports.md

@@ -0,0 +1,51 @@
+```bash
+nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:45:06 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set (0.093s latency).
+Scanned at 2023-10-28 13:45:07 CEST for 1811s
+Not shown: 98 open|filtered udp ports (no-response)
+PORT    STATE SERVICE REASON               VERSION
+53/udp  open  domain? udp-response ttl 127
+| fingerprint-strings: 
+|   DNS-SD: 
+|     _services
+|     _dns-sd
+|     _udp
+|_    local
+123/udp open  ntp?    script-set
+| ntp-info: 
+|_  receive time stamp: 2023-10-28T12:52:08
+1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+SF-Port53-UDP:V=7.93%I=7%D=10/28%Time=653CF493%P=x86_64-pc-linux-gnu%r(DNS
+SF:-SD,2E,"\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04_udp\x0
+SF:5local\0\0\x0c\0\x01")%r(Citrix,1E,"\x1e\0\x81\x01\x02\xfd\xa8\xe3\0\0\
+SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
+Too many fingerprints match this host to give specific OS details
+TCP/IP fingerprint:
+SCAN(V=7.93%E=4%D=10/28%OT=%CT=%CU=%PV=Y%DS=10%DC=T%G=N%TM=653CFB56%P=x86_64-pc-linux-gnu)
+SEQ(II=I)
+U1(R=N)
+IE(R=Y%DFI=N%TG=80%CD=Z)
+
+Network Distance: 10 hops
+
+Host script results:
+|_clock-skew: 1h00m07s
+
+TRACEROUTE (using port 53/udp)
+HOP RTT      ADDRESS
+1   36.79 ms 10.10.14.1
+2   ... 9
+10  35.90 ms 10.129.243.131
+
+Read data files from: /usr/bin/../share/nmap
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:15:18 2023 -- 1 IP address (1 host up) scanned in 1812.34 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - Top TCP Ports.md

@@ -0,0 +1,81 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:45:06 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml 10.129.243.131
+Increasing send delay for 10.129.243.131 from 0 to 5 due to 11 out of 20 dropped probes since last increase.
+Nmap scan report for 10.129.243.131
+Host is up, received user-set (0.14s latency).
+Scanned at 2023-10-28 13:45:20 CEST for 264s
+Not shown: 988 filtered tcp ports (no-response)
+PORT     STATE SERVICE       REASON          VERSION
+53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
+80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
+|_http-title: Slandovia Energy
+| http-methods: 
+|   Supported Methods: OPTIONS TRACE GET HEAD POST
+|_  Potentially risky methods: TRACE
+88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-10-28 12:47:30Z)
+135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
+139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
+389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
+445/tcp  open  microsoft-ds? syn-ack ttl 127
+464/tcp  open  kpasswd5?     syn-ack ttl 127
+593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
+636/tcp  open  tcpwrapped    syn-ack ttl 127
+3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
+3269/tcp open  tcpwrapped    syn-ack ttl 127
+Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
+Device type: specialized
+Running (JUST GUESSING): AVtech embedded (87%)
+OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
+Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%)
+No exact OS matches for host (test conditions non-ideal).
+TCP/IP fingerprint:
+SCAN(V=7.93%E=4%D=10/28%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=653CF558%P=x86_64-pc-linux-gnu)
+SEQ(SP=103%GCD=1%ISR=109%TI=RD%TS=U)
+OPS(O1=M550NW8NNS%O2=M550NW8NNS%O3=M550NW8%O4=M550NW8NNS%O5=M550NW8NNS%O6=M550NNS)
+WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
+ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M550NW8NNS%CC=Y%Q=)
+T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
+T2(R=N)
+T3(R=N)
+T4(R=N)
+U1(R=N)
+IE(R=Y%DFI=N%TG=80%CD=Z)
+IE(R=N)
+
+Network Distance: 2 hops
+TCP Sequence Prediction: Difficulty=258 (Good luck!)
+IP ID Sequence Generation: Randomized
+Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
+
+Host script results:
+| smb2-security-mode: 
+|   311: 
+|_    Message signing enabled and required
+|_clock-skew: 59m57s
+| smb2-time: 
+|   date: 2023-10-28T12:49:11
+|_  start_date: N/A
+| p2p-conficker: 
+|   Checking for Conficker.C or higher...
+|   Check 1 (port 25314/tcp): CLEAN (Timeout)
+|   Check 2 (port 10793/tcp): CLEAN (Timeout)
+|   Check 3 (port 25536/udp): CLEAN (Timeout)
+|   Check 4 (port 25523/udp): CLEAN (Timeout)
+|_  0/4 checks are positive: Host is CLEAN or ports are blocked
+
+TRACEROUTE (using port 135/tcp)
+HOP RTT       ADDRESS
+1   191.57 ms 10.10.14.1
+2   183.81 ms 10.129.243.131
+
+Read data files from: /usr/bin/../share/nmap
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:44 2023 -- 1 IP address (1 host up) scanned in 278.93 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/Nmap MSRPC.md

@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 135 --script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:47 CEST for 1s
+
+PORT    STATE    SERVICE REASON      VERSION
+135/tcp filtered msrpc   no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:48 2023 -- 1 IP address (1 host up) scanned in 3.66 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/get-arch.md

@@ -0,0 +1,15 @@
+```bash
+impacket-getArch -target 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_architecture.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_architecture.txt):
+
+```
+Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
+
+[*] Gathering OS architecture for 1 machines
+[*] Socket connect timeout set to 2 secs
+[-] 10.129.243.131: Could not connect: timed out
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/rpcdump.md

@@ -0,0 +1,15 @@
+```bash
+impacket-rpcdump -port 135 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_rpcdump.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_rpcdump.txt):
+
+```
+Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
+
+[*] Retrieving endpoint list from 10.129.243.131
+[-] Protocol failed: Could not connect: timed out
+[*] No endpoints found.
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/Enum4Linux.md

@@ -0,0 +1,148 @@
+```bash
+enum4linux -a -M -l -d 10.129.243.131 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/enum4linux.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/enum4linux.txt):
+
+```
+Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Oct 28 13:49:45 2023
+
+ =========================================( Target Information )=========================================
+
+Target ........... 10.129.243.131
+RID Range ........ 500-550,1000-1050
+Username ......... ''
+Password ......... ''
+Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
+
+
+ ===========================( Enumerating Workgroup/Domain on 10.129.243.131 )===========================
+
+
+[E] Can't find workgroup/domain
+
+
+
+ ===============================( Nbtstat Information for 10.129.243.131 )===============================
+
+Looking up status of 10.129.243.131
+No reply from 10.129.243.131
+
+ ==================================( Session Check on 10.129.243.131 )==================================
+
+
+[+] Server 10.129.243.131 allows sessions using username '', password ''
+
+
+ ==========================( Getting information via LDAP for 10.129.243.131 )==========================
+
+
+[+] 10.129.243.131 appears to be a child DC
+
+
+ ===============================( Getting domain SID for 10.129.243.131 )===============================
+
+Domain Name: MEGACORP
+Domain Sid: S-1-5-21-855300830-391258870-456067225
+
+[+] Host is part of a domain (not a workgroup)
+
+
+ ==================================( OS information on 10.129.243.131 )==================================
+
+
+[E] Can't get OS info with smbclient
+
+
+[+] Got OS info for 10.129.243.131 from srvinfo:
+do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
+
+
+ ======================================( Users on 10.129.243.131 )======================================
+
+
+[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
+
+
+
+[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
+
+
+ ===============================( Machine Enumeration on 10.129.243.131 )===============================
+
+
+[E] Not implemented in this version of enum4linux.
+
+
+ ================================( Share Enumeration on 10.129.243.131 )================================
+
+do_connect: Connection to 10.129.243.131 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
+
+	Sharename       Type      Comment
+	---------       ----      -------
+Reconnecting with SMB1 for workgroup listing.
+Unable to connect with SMB1 -- no workgroup available
+
+[+] Attempting to map shares on 10.129.243.131
+
+
+ ===========================( Password Policy Information for 10.129.243.131 )===========================
+
+
+[E] Unexpected error from polenum:
+
+
+
+[+] Attaching to 10.129.243.131 using a NULL share
+
+[+] Trying protocol 139/SMB...
+
+	[!] Protocol failed: Cannot request session (Called Name:10.129.243.131)
+
+[+] Trying protocol 445/SMB...
+
+	[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
+
+
+
+[E] Failed to get password policy with rpcclient
+
+
+
+ ======================================( Groups on 10.129.243.131 )======================================
+
+
+[+] Getting builtin groups:
+
+
+[+]  Getting builtin group memberships:
+
+
+[+]  Getting local groups:
+
+
+[+]  Getting local group memberships:
+
+
+[+]  Getting domain groups:
+
+
+[+]  Getting domain group memberships:
+
+
+ =================( Users on 10.129.243.131 via RID cycling (RIDS: 500-550,1000-1050) )=================
+
+
+[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.
+
+
+ ==============================( Getting printer info for 10.129.243.131 )==============================
+
+do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
+
+
+enum4linux complete on Sat Oct 28 13:50:18 2023
+
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/Nmap SMB.md

@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:46 2023 as: nmap -vv --reason -Pn -T4 -sV -p 139 "--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:47 CEST for 2s
+
+PORT    STATE    SERVICE     REASON      VERSION
+139/tcp filtered netbios-ssn no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.71 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/SMBClient.md

@@ -0,0 +1,11 @@
+```bash
+smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbclient.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbclient.txt):
+
+```
+do_connect: Connection to 10.129.243.131 failed (Error NT_STATUS_IO_TIMEOUT)
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/SMBMap.md

@@ -0,0 +1,66 @@
+```bash
+smbmap -H 10.129.243.131 -P 139 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -H 10.129.243.131 -P 139 -R 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/nbtscan.md

@@ -0,0 +1,12 @@
+```bash
+nbtscan -rvh 10.129.243.131 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/nbtscan.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/nbtscan.txt):
+
+```
+Doing NBT name scan for addresses from 10.129.243.131
+
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-3268-ldap/Nmap LDAP.md

@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:46 2023 as: nmap -vv --reason -Pn -T4 -sV -p 3268 "--script=banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:48 CEST for 1s
+
+PORT     STATE    SERVICE       REASON      VERSION
+3268/tcp filtered globalcatLDAP no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.69 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-389-ldap/Nmap LDAP.md

@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 389 "--script=banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:48 CEST for 1s
+
+PORT    STATE    SERVICE REASON      VERSION
+389/tcp filtered ldap    no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.72 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-445-microsoft-ds/Nmap SMB.md

@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 445 "--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:47 CEST for 2s
+
+PORT    STATE    SERVICE      REASON      VERSION
+445/tcp filtered microsoft-ds no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.64 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-445-microsoft-ds/SMBMap.md

@@ -0,0 +1,66 @@
+```bash
+smbmap -H 10.129.243.131 -P 445 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -H 10.129.243.131 -P 445 -R 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```
+```bash
+smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt):
+
+```
+[!] 445 not open on 10.129.243.131....
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-464-kpasswd5/Nmap Kerberos.md

@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:46 2023 as: nmap -vv --reason -Pn -T4 -sV -p 464 --script=banner,krb5-enum-users -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:47 CEST for 1s
+
+PORT    STATE    SERVICE  REASON      VERSION
+464/tcp filtered kpasswd5 no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.44 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/DNS Reverse Lookup.md

@@ -0,0 +1,18 @@
+```bash
+dig -p 53 -x 10.129.243.131 @10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_reverse-lookup.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_reverse-lookup.txt):
+
+```
+;; communications error to 10.129.243.131#53: timed out
+;; communications error to 10.129.243.131#53: timed out
+;; communications error to 10.129.243.131#53: timed out
+
+; <<>> DiG 9.18.11-2-Debian <<>> -p 53 -x 10.129.243.131 @10.129.243.131
+;; global options: +cmd
+;; no servers could be reached
+
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/DNS Zone Transfer.md

@@ -0,0 +1,19 @@
+```bash
+dig AXFR -p 53 @10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_zone-transfer.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_zone-transfer.txt):
+
+```
+;; communications error to 10.129.243.131#53: timed out
+;; communications error to 10.129.243.131#53: timed out
+;; communications error to 10.129.243.131#53: timed out
+
+; <<>> DiG 9.18.11-2-Debian <<>> AXFR -p 53 @10.129.243.131
+; (1 server found)
+;; global options: +cmd
+;; no servers could be reached
+
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/Nmap DNS.md

@@ -0,0 +1,23 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 53 "--script=banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:47 CEST for 2s
+
+PORT   STATE    SERVICE REASON      VERSION
+53/tcp filtered domain  no-response
+
+Host script results:
+|_dns-brute: Can't guess domain of "10.129.243.131"; use dns-brute.domain script argument.
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.81 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-593-ncacn_http/rpcdump.md

@@ -0,0 +1,15 @@
+```bash
+impacket-rpcdump -port 593 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp593/tcp_593_rpc_rpcdump.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp593/tcp_593_rpc_rpcdump.txt):
+
+```
+Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
+
+[*] Retrieving endpoint list from 10.129.243.131
+[-] Protocol failed: Could not connect: timed out
+[*] No endpoints found.
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Curl Robots.md

@@ -0,0 +1,3 @@
+```bash
+curl -sSikf http://10.129.243.131:80/robots.txt
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Curl.md

@@ -0,0 +1,60 @@
+```bash
+curl -sSik http://10.129.243.131:80/
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_curl.html](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_curl.html):
+
+```
+HTTP/1.1 200 OK
+Content-Type: text/html
+Last-Modified: Fri, 20 Aug 2021 13:39:48 GMT
+Accept-Ranges: bytes
+ETag: "0eaf6d7c895d71:0"
+Server: Microsoft-IIS/10.0
+Date: Sat, 28 Oct 2023 12:50:12 GMT
+Content-Length: 1034
+
+<!DOCTYPE html>
+<html lang="en" >
+<head>
+  <meta charset="UTF-8">
+  <title>Slandovia Energy</title>
+  <link rel='stylesheet' href='https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.2/themes/smoothness/jquery-ui.css'><link rel="stylesheet" href="./style.css">
+<script src="https://cdnjs.cloudflare.com/ajax/libs/prefixfree/1.0.7/prefixfree.min.js"></script>
+
+</head>
+<body>
+<!-- partial:index.partial.html -->
+<link href='https://fonts.googleapis.com/css?family=Open+Sans|Maven+Pro:500' rel='stylesheet' type='text/css'>
+<div class="deco topdeco">
+  <span></span>
+  <span></span>
+  <span></span>
+  <span></span>
+  </div>
+
+  <h1>MegaCorp</h1>
+  <h3>
+    Slandovia Energy Grid
+  </h3>
+
+ <section class="list-wrap">
+
+   <label for="search-text">Check Status</label>
+  <input type="text" id="search-text" placeholder="search" class="search-box">
+    <span class="list-count"></span>
+
+
+<ul id="list">
+  <span class="empty-item">no results</span>
+</ul>
+   </section>
+
+<!-- partial -->
+<script  src="./script.js"></script>
+
+</body>
+</html>
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Directory Buster.md

@@ -0,0 +1,18 @@
+```bash
+feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt):
+
+```
+200      GET       25l       72w      692c http://10.129.243.131/script.js
+200      GET      215l      294w     3166c http://10.129.243.131/style.css
+200      GET       41l       66w     1034c http://10.129.243.131/
+200      GET       41l       66w     1034c http://10.129.243.131/Index.html
+200      GET        8l      168w     1092c http://10.129.243.131/LICENSE.txt
+200      GET        1l       14w      116c http://10.129.243.131/Search.php
+200      GET       41l       66w     1034c http://10.129.243.131/index.html
+200      GET        8l      168w     1092c http://10.129.243.131/license.txt
+200      GET        1l       14w      116c http://10.129.243.131/search.php
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Known Security.md

@@ -0,0 +1,3 @@
+```bash
+curl -sSikf http://10.129.243.131:80/.well-known/security.txt
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Nmap HTTP.md

@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:48 CEST for 1s
+
+PORT   STATE    SERVICE REASON      VERSION
+80/tcp filtered http    no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 4.02 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/whatweb.md

@@ -0,0 +1,10 @@
+```bash
+whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_whatweb.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_whatweb.txt):
+
+```
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/wkhtmltoimage.md

@@ -0,0 +1,3 @@
+```bash
+wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-88-kerberos-sec/Nmap Kerberos.md

@@ -0,0 +1,20 @@
+```bash
+nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 88 --script=banner,krb5-enum-users -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml 10.129.243.131
+Nmap scan report for 10.129.243.131
+Host is up, received user-set.
+Scanned at 2023-10-28 13:49:47 CEST for 1s
+
+PORT   STATE    SERVICE      REASON      VERSION
+88/tcp filtered kerberos-sec no-response
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 13:49:48 2023 -- 1 IP address (1 host up) scanned in 3.64 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-123-ntp/Nmap NTP.md

@@ -0,0 +1,22 @@
+```bash
+nmap -vv --reason -Pn -T4 -sU -sV -p 123 --script="banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 14:15:18 2023 as: nmap -vv --reason -Pn -T4 -sU -sV -p 123 "--script=banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set (0.056s latency).
+Scanned at 2023-10-28 14:15:19 CEST for 10s
+
+PORT    STATE SERVICE REASON               VERSION
+123/udp open  ntp     udp-response ttl 127 NTP v3
+| ntp-info: 
+|_  receive time stamp: 2023-10-28T12:15:20
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:15:29 2023 -- 1 IP address (1 host up) scanned in 11.02 seconds
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/DNS Reverse Lookup.md

@@ -0,0 +1,29 @@
+```bash
+dig -p 53 -x 10.129.243.131 @10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_reverse-lookup.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_reverse-lookup.txt):
+
+```
+;; communications error to 10.129.243.131#53: timed out
+;; communications error to 10.129.243.131#53: timed out
+
+; <<>> DiG 9.18.11-2-Debian <<>> -p 53 -x 10.129.243.131 @10.129.243.131
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16548
+;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4000
+;; QUESTION SECTION:
+;131.243.129.10.in-addr.arpa.	IN	PTR
+
+;; Query time: 4303 msec
+;; SERVER: 10.129.243.131#53(10.129.243.131) (UDP)
+;; WHEN: Sat Oct 28 14:15:33 CEST 2023
+;; MSG SIZE  rcvd: 56
+
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/DNS Zone Transfer.md

@@ -0,0 +1,21 @@
+```bash
+dig AXFR -p 53 @10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_zone-transfer.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_zone-transfer.txt):
+
+```
+;; communications error to 10.129.243.131#53: timed out
+;; communications error to 10.129.243.131#53: timed out
+
+; <<>> DiG 9.18.11-2-Debian <<>> AXFR -p 53 @10.129.243.131
+; (1 server found)
+;; global options: +cmd
+;; Query time: 4299 msec
+;; SERVER: 10.129.243.131#53(10.129.243.131) (UDP)
+;; WHEN: Sat Oct 28 14:15:33 CEST 2023
+;; MSG SIZE  rcvd: 28
+
+
+
+```

LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/Nmap DNS.md

@@ -0,0 +1,40 @@
+```bash
+nmap -vv --reason -Pn -T4 -sU -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml" 10.129.243.131
+```
+
+[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt):
+
+```
+# Nmap 7.93 scan initiated Sat Oct 28 14:15:18 2023 as: nmap -vv --reason -Pn -T4 -sU -sV -p 53 "--script=banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml 10.129.243.131
+Nmap scan report for megacorp.htb (10.129.243.131)
+Host is up, received user-set.
+Scanned at 2023-10-28 14:15:19 CEST for 116s
+
+PORT   STATE SERVICE REASON       VERSION
+53/udp open  domain? udp-response
+| fingerprint-strings: 
+|   DNS-SD: 
+|     _services
+|     _dns-sd
+|     _udp
+|_    local
+| dns-nsec3-enum: 
+|_  DNSSEC NSEC3 not supported
+|_dns-cache-snoop: 0 of 100 tested domains are cached.
+| dns-nsec-enum: 
+|_  No NSEC records found
+1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+SF-Port53-UDP:V=7.93%I=7%D=10/28%Time=653CFB97%P=x86_64-pc-linux-gnu%r(AFS
+SF:VersionRequest,20,"\0\0\x83\x81\0\0\0\0\0\0\0e\0\0\0\0\0\0\0\0\r\x05\0\
+SF:0\0\0\0\0\0\0\0\0")%r(DNS-SD,2E,"\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_servi
+SF:ces\x07_dns-sd\x04_udp\x05local\0\0\x0c\0\x01");
+
+Host script results:
+| dns-brute: 
+|_  DNS Brute-force hostnames: No results.
+
+Read data files from: /usr/bin/../share/nmap
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Oct 28 14:17:15 2023 -- 1 IP address (1 host up) scanned in 116.97 seconds
+
+```