DNS


Nmap discovered a DNS server running on the target port 53. The running service is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ nslookup
> server 10.10.11.222
Default server: 10.10.11.222
Address: 10.10.11.222#53
> 127.0.0.1
;; communications error to 10.10.11.222#53: timed out
1.0.0.127.in-addr.arpa	name = localhost.
> AUTHORITY.HTB
Server:		10.10.11.222
Address:	10.10.11.222#53
 
Name:	AUTHORITY.HTB
Address: 10.10.11.222
Name:	AUTHORITY.HTB
Address: dead:beef::210
Name:	AUTHORITY.HTB
Address: dead:beef::1fff:856d:2473:8cb6
> authority.htb.corp
;; communications error to 10.10.11.222#53: timed out
Server:		10.10.11.222
Address:	10.10.11.222#53
 
Name:	authority.htb.corp
Address: 10.10.11.222
Name:	authority.htb.corp
Address: dead:beef::210
Name:	authority.htb.corp
Address: dead:beef::1fff:856d:2473:8cb6
> htb.corp
;; communications error to 10.10.11.222#53: timed out
Server:		10.10.11.222
Address:	10.10.11.222#53
 
Name:	htb.corp
Address: 10.10.11.222
Name:	htb.corp
Address: dead:beef::1fff:856d:2473:8cb6
Name:	htb.corp
Address: dead:beef::210

2 additional IPv6 addresses found:

  • dead:beef::210
  • dead:beef::1fff:856d:2473:8cb6

dig


┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ dig any @$IP AUTHORITY.HTB 
 
; <<>> DiG 9.18.10-2-Debian <<>> any @10.10.11.222 AUTHORITY.HTB
; (1 server found)
;; global options: +cmd
;; got answer:
;; ->>header<<- opcode: QUERY, status: NOERROR, id: 55771
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 4
 
;; opt pseudosection:
; edns: version: 0, flags:; udp: 4000
;; question section:
;AUTHORITY.HTB.			IN	ANY
 
;; answer section:
AUTHORITY.HTB.		600	IN	A	10.10.11.222
AUTHORITY.HTB.		3600	IN	NS	authority.AUTHORITY.HTB.
AUTHORITY.HTB.		3600	IN	SOA	authority.AUTHORITY.HTB. hostmaster.htb.corp. 174 900 600 86400 3600
authority.htb.		600	in	aaaa	dead:beef::1fff:856d:2473:8cb6
authority.htb.		600	in	aaaa	dead:beef::210
 
;; additional section:
authority.AUTHORITY.HTB. 3600	IN	A	10.10.11.222
authority.authority.htb. 3600	in	aaaa	dead:beef::1fff:856d:2473:8cb6
authority.authority.htb. 3600	in	aaaa	dead:beef::210
 
;; query time: 86 msec
;; server: 10.10.11.222#53(10.10.11.222) (TCP)
;; when: Mon Jul 17 14:44:20 CEST 2023
;; msg size  rcvd: 265

There are those 2 same IPv6 addresses, dead:beef::1fff:856d:2473:8cb6 and dead:beef::210. Additionally, the returned data shows the target system is authority.AUTHORITY.HTB rather than what I saw earlier from the Nmap scan result.

I will throw it into the /etc/hosts file just in case

IPv6


Since both nslookup and dig returned 2 additional IPv6 addresses, I will check them out

┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ rustscan -a dead:beef::1fff:856d:2473:8cb6 -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open [dead:beef::1fff:856d:2473:8cb6]:53
Open [dead:beef::1fff:856d:2473:8cb6]:80
Open [dead:beef::1fff:856d:2473:8cb6]:88
Open [dead:beef::1fff:856d:2473:8cb6]:135
Open [dead:beef::1fff:856d:2473:8cb6]:389
Open [dead:beef::1fff:856d:2473:8cb6]:445
Open [dead:beef::1fff:856d:2473:8cb6]:464
Open [dead:beef::1fff:856d:2473:8cb6]:593
Open [dead:beef::1fff:856d:2473:8cb6]:636
Open [dead:beef::1fff:856d:2473:8cb6]:3268
Open [dead:beef::1fff:856d:2473:8cb6]:3269
Open [dead:beef::1fff:856d:2473:8cb6]:5985
Open [dead:beef::1fff:856d:2473:8cb6]:8443
Open [dead:beef::1fff:856d:2473:8cb6]:9389
 
┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ rustscan -a dead:beef::210 -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open [dead:beef::210]:53
Open [dead:beef::210]:80
Open [dead:beef::210]:88
Open [dead:beef::210]:135
Open [dead:beef::210]:389
Open [dead:beef::210]:445
Open [dead:beef::210]:464
Open [dead:beef::210]:593
Open [dead:beef::210]:636
Open [dead:beef::210]:3268
Open [dead:beef::210]:3269
Open [dead:beef::210]:5985
Open [dead:beef::210]:8443
Open [dead:beef::210]:9389

Those 2 additional IPv6 addresses don’t appear to be any different than the IPv4 counterpart.
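The parity check above can be done mechanically rather than by eye, which matters on dual-stack hosts where IPv6 filtering often lags behind IPv4. This is an added example, not part of the original notes: it parses rustscan "Open" lines and reports any address whose exposed ports differ from a baseline address. The function names, the IPv4 sample lines and port 3389 are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the rustscan "Open" lines above.
# The 10.10.11.222 lines and port 3389 are made up to show a mismatch.
SAMPLE = """\
[~] Automatically increasing ulimit value to 5000.
Open [dead:beef::210]:53
Open [dead:beef::210]:445
Open [dead:beef::210]:5985
Open [dead:beef::210]:3389
Open 10.10.11.222:53
Open 10.10.11.222:445
Open 10.10.11.222:5985
"""

# IPv6 targets are printed in brackets, IPv4 targets bare.
OPEN_LINE = re.compile(r"^Open (?:\[([0-9A-Fa-f:.]+)\]|(\d+(?:\.\d+){3})):(\d+)$")


def ports_by_address(text):
    """Map each scanned address to the set of ports reported open."""
    result = defaultdict(set)
    for line in text.splitlines():
        m = OPEN_LINE.match(line.strip())
        if not m:
            continue  # banners, prompts and warnings
        addr = ipaddress.ip_address(m.group(1) or m.group(2))
        result[addr].add(int(m.group(3)))
    return dict(result)


def exposure_diff(ports, baseline):
    """Ports each address exposes beyond, or lacks relative to, the baseline."""
    base = ports[ipaddress.ip_address(baseline)]
    return {
        str(addr): {"extra": sorted(p - base), "missing": sorted(base - p)}
        for addr, p in ports.items()
        if p != base
    }


if __name__ == "__main__":
    for addr, d in exposure_diff(ports_by_address(SAMPLE), "10.10.11.222").items():
        print(addr, d)
```

An empty result means every address exposes the same ports as the baseline, which is what the two scans above show for the two IPv6 addresses.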

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ dnsenum AUTHORITY.HTB --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
dnsenum version:1.2.6
 
-----   authority.htb   -----
 
 
host's addresses:
__________________
 
authority.htb.                           600      IN    A        10.10.11.222
 
 
name servers:
______________
 
authority.authority.htb.                 3600     IN    A        10.10.11.222
 
 
mail (mx) servers:
___________________
 
 
 
trying zone transfers and getting bind versions:
_________________________________________________
 
unresolvable name: authority.authority.htb at /usr/bin/dnsenum line 900.
 
Trying Zone Transfer for authority.htb on authority.authority.htb ... 
axfr record query failed: no nameservers
 
 
brute forcing with /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
 
gc._msdcs.authority.htb.                 600      IN    A        10.10.11.222
domaindnszones.authority.htb.            600      IN    A        10.10.11.222
forestdnszones.authority.htb.            600      IN    A        10.10.11.222
 
 
authority.htb class c netranges:
_________________________________
 
 
 
performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
authority.htb ip blocks:
_________________________
 
 
done.

Nothing found