Team 3 Wiki Page

Team Information
Number: Team 3
Name: Off and On Again
IP Range: 201.203.200.0/24
Domain: team3.isucdc.com
Current Place: 2nd
Red Teamer(s): None
Service Status
AD LDAP
AD RDP
WWW HTTP
WWW SSH
LP RDP
LP SMB
WMS HTTP
WMS SSH
DB SSH
DB SQL
Nmap
Nmap scan report for ad.team3.isucdc.com (201.203.200.10)
Host is up (0.0093s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: team3.isucdc.com, Site: Default-First-Site-Name)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=ad.team3.isucdc.com
| Not valid before: 2026-03-31T00:16:14
|_Not valid after:  2026-09-30T00:16:14
| rdp-ntlm-info:
|   Target_Name: TEAM3
|   NetBIOS_Domain_Name: TEAM3
|   NetBIOS_Computer_Name: AD
|   DNS_Domain_Name: team3.isucdc.com
|   DNS_Computer_Name: ad.team3.isucdc.com
|   DNS_Tree_Name: team3.isucdc.com
|   Product_Version: 10.0.14393
|_  System_Time: 2026-04-25T18:00:00+00:00
|_ssl-date: 2026-04-25T18:00:40+00:00; -3s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (89%), Microsoft Windows Server 2016 build 10586 - 14393 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: AD; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -3s, deviation: 0s, median: -3s

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   2.00 ms 201.203.200.10

Nmap scan report for wms.team3.isucdc.com (201.203.200.40)
Host is up (0.0010s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 9.6p1 Ubuntu 3ubuntu13.15+Fips1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 e7495fc92f08b02bfefd8e1e22c53c2a (ECDSA)
|_  256 9e61217add305851d4142b2551ffa628 (ED25519)
8080/tcp open  http-proxy
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 500
|     X-Upstream-Proxy: envoy-edge-gw-03
|     X-Origin-Cluster: k8s-prod-us-east-1
|     X-Legacy-Stack: php5-fpm
|     X-Backend-Shard: redis-shard-7
|     X-Canary-Percent: 0
|     X-Debug-Trace: disabled-by-policy
|     X-Internal-Only: false
|     X-Route-Flavor: monolith-v2
|     X-Feature-Flag-AuthV1: off
|     Content-Type: text/plain;charset=UTF-8
|     Content-Length: 106
|     Date: Sat, 25 Apr 2026 17:58:10 GMT
|     Connection: close
|     Whoops! An error occurred. Call CDC-BLUE-3 and let them know. Error code: dd46658f1f7849eab3f9cd5ecbf565a4
|   HTTPOptions:
|     HTTP/1.1 500
|     X-Upstream-Proxy: envoy-edge-gw-03
|     X-Origin-Cluster: k8s-prod-us-east-1
|     X-Legacy-Stack: php5-fpm
|     X-Backend-Shard: redis-shard-7
|     X-Canary-Percent: 0
|     X-Debug-Trace: disabled-by-policy
|     X-Internal-Only: false
|     X-Route-Flavor: monolith-v2
|     X-Feature-Flag-AuthV1: off
|     Content-Type: text/plain;charset=UTF-8
|     Content-Length: 106
|     Date: Sat, 25 Apr 2026 17:58:11 GMT
|     Connection: close
|     Whoops! An error occurred. Call CDC-BLUE-3 and let them know. Error code: c1afc70c8989422ba5c4b747c8e8b7a5
|   RTSPRequest:
|     HTTP/1.1 400
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Sat, 25 Apr 2026 17:58:11 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_    Request</h1></body></html>
|_http-title: Site doesn't have a title (text/plain;charset=UTF-8).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (90%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3
Aggressive OS guesses: Linux 4.15 - 5.6 (90%), Linux 5.0 - 5.3 (88%), Linux 2.6.32 (85%), Linux 3.2 - 4.9 (85%), Linux 5.0 - 5.4 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   2.00 ms 201.203.200.40

Nmap scan report for lp.team3.isucdc.com (201.203.200.30)
Host is up (0.0089s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: TEAM3
|   NetBIOS_Domain_Name: TEAM3
|   NetBIOS_Computer_Name: LP
|   DNS_Domain_Name: team3.isucdc.com
|   DNS_Computer_Name: LP.team3.isucdc.com
|   DNS_Tree_Name: team3.isucdc.com
|   Product_Version: 10.0.17763
|_  System_Time: 2026-04-25T18:00:01+00:00
|_ssl-date: 2026-04-25T18:00:40+00:00; -3s from scanner time.
| ssl-cert: Subject: commonName=LP.team3.isucdc.com
| Not valid before: 2026-04-01T06:42:32
|_Not valid after:  2026-10-01T06:42:32
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -3s, deviation: 0s, median: -3s
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb2-time:
|   date: 2026-04-25T18:00:05
|_  start_date: N/A

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   1.00 ms 201.203.200.30

Nmap scan report for db.team3.isucdc.com (201.203.200.50)
Host is up (0.00071s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10+esm7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6e1b4849662d45a0bf1bcbe04e0ec7e5 (RSA)
|   256 03cc925bc5559b54d9aebe7cf9e99f85 (ECDSA)
|_  256 b7ceb171bc9e20b50c3c1accac9b8598 (ED25519)
3306/tcp open  mysql   MySQL 5.7.44-0ubuntu0.16.04.1+esm1-log
|_ssl-date: TLS randomness does not represent time
| mysql-info:
|   Protocol: 10
|   Version: 5.7.44-0ubuntu0.16.04.1+esm1-log
|   Thread ID: 702
|   Capabilities flags: 65535
|   Some Capabilities: Support41Auth, Speaks41ProtocolOld, ODBCClient, SupportsTransactions, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, IgnoreSigpipes, Speaks41ProtocolNew, InteractiveClient, LongPassword, SwitchToSSLAfterHandshake, FoundRows, SupportsCompression, IgnoreSpaceBeforeParenthesis, LongColumnFlag, ConnectWithDatabase, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: 4Y\x1E2Bv8,\x7F\x1D2lKn,]^u   \x0D
|_  Auth Plugin Name: mysql_native_password
| ssl-cert: Subject: commonName=MySQL_Server_5.7.33_Auto_Generated_Server_Certificate
| Not valid before: 2026-02-19T19:12:19
|_Not valid after:  2036-02-17T19:12:19
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (90%), Linksys EA3500 WAP (90%), Linux 3.16 (88%), Linux 3.13 (88%), Linux 3.16 - 4.6 (86%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (85%), Android 5.0 - 6.0.1 (Linux 3.4) (85%), Linux 2.6.32 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   1.00 ms 201.203.200.50

Nmap scan report for www.team3.isucdc.com (201.203.200.20)
Host is up (0.00077s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   3072 ae4e51c78f4aabd8b946709618e22a1a (RSA)
|   256 483acfc1e17b5841d20e95d38c107ab6 (ECDSA)
|_  256 4d07f5a81d5836abbd954f3f303e9e7b (ED25519)
80/tcp open  http    gunicorn
|_http-title: Home
| fingerprint-strings:
|   GetRequest, HTTPOptions:
|     HTTP/1.0 400 BAD REQUEST
|     Server: gunicorn
|     Date: Sat, 25 Apr 2026 17:58:09 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 167
|     X-Team-Signature: oaoa
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: DENY
|     Referrer-Policy: strict-origin-when-cross-origin
|     Permissions-Policy: camera=(), microphone=(), geolocation=()
|     Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self';
|     Vary: Cookie
|     <!doctype html>
|     <html lang=en>
|     <title>400 Bad Request</title>
|     <h1>Bad Request</h1>
|     <p>The browser (or proxy) sent a request that this server could not understand.</p>
|   RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
|     </body>
|_    </html>
|_http-server-header: gunicorn
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP
Running (JUST GUESSING): Linux 3.X|4.X|5.X|2.6.X (90%), Linksys embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5.1 cpe:/o:linux:linux_kernel cpe:/h:linksys:ea3500 cpe:/o:linux:linux_kernel:2.6.32
Aggressive OS guesses: Linux 3.2 - 4.9 (90%), Linux 5.1 (86%), Linksys EA3500 WAP (85%), Linux 2.6.32 (85%), Linux 4.15 - 5.6 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   1.00 ms 201.203.200.20

Post-scan script results:
| clock-skew:
|   -3s:
|     201.203.200.10 (ad.team3.isucdc.com)
|_    201.203.200.30 (lp.team3.isucdc.com)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 5 IP addresses (5 hosts up) scanned in 190.77 seconds
Notable Vulnerabilities
Add content here...
Notable Defenses
Add content here...
Team Spirit Issues
Add content here...