DNS
Nmap discovered a DNS server on the target, on port 53.
nslookup
┌──(kali㉿kali)-[~/archive/htb/labs/cronos]
└─$ nslookup
> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 127.0.0.1
;; communications error to 10.10.10.13#53: timed out
1.0.0.127.in-addr.arpa name = localhost.
> 10.10.10.13
;; communications error to 10.10.10.13#53: timed out
13.10.10.10.in-addr.arpa name = ns1.cronos.htb.
It has a name server, ns1.cronos.htb.
I appended the domain information to the /etc/hosts file on Kali for local DNS resolution.
dig
┌──(kali㉿kali)-[~/archive/htb/labs/cronos]
└─$ dig any cronos.htb @$IP
; <<>> DiG 9.18.10-2-Debian <<>> any cronos.htb @10.10.10.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26938
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cronos.htb. IN ANY
;; ANSWER SECTION:
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
;; ADDITIONAL SECTION:
ns1.cronos.htb. 604800 IN A 10.10.10.13
;; Query time: 23 msec
;; SERVER: 10.10.10.13#53(10.10.10.13) (TCP)
;; WHEN: Mon Jan 16 17:40:39 CET 2023
;; MSG SIZE rcvd: 131
Found a new SOA record, indicating that there is a zone within this domain.
Zone Transfer
┌──(kali㉿kali)-[~/archive/htb/labs/cronos]
└─$ dig axfr cronos.htb @$IP
; <<>> DiG 9.18.10-2-Debian <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 27 msec
;; SERVER: 10.10.10.13#53(10.10.10.13) (TCP)
;; WHEN: Mon Jan 16 17:42:03 CET 2023
;; XFR size: 7 records (messages 1, bytes 203)
The zone transfer resulted in the discovery of another A record: www.cronos.htb
I updated the /etc/hosts file on Kali.
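The /etc/hosts update can be derived directly from the transfer output. The following is an added example, not part of the original notes; the function names axfr_to_hosts and sample_axfr are hypothetical and the sample input is constructed from the dig output above. It also checks that the transfer is complete: an AXFR response begins and ends with the zone's SOA record, which is why that record appears twice in the output.

```shell
#!/bin/sh
# Added example (not from the original notes): build /etc/hosts lines from `dig axfr` output.
# Usage against a live server would be:  dig axfr cronos.htb @$IP | axfr_to_hosts

# Constructed sample input, copied from the zone transfer shown on this page.
sample_axfr() {
cat <<'EOF'
; <<>> DiG 9.18.10-2-Debian <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 27 msec
EOF
}

# Read dig AXFR output on stdin and print one hosts line per IP address.
# Exits 1 and prints nothing unless exactly two SOA records bracket the data,
# so a refused or truncated transfer never produces a partial hosts entry.
axfr_to_hosts() {
  awk '
    /^;/ || NF < 5 { next }              # skip dig comment lines and blanks
    $4 == "SOA"    { soa++; next }       # count the opening and closing SOA
    $3 == "IN" && $4 == "A" {
      name = $1; sub(/\.$/, "", name)    # drop the trailing root dot
      if (!seen[$5, name]++) {           # de-duplicate name/IP pairs
        if (!($5 in hosts)) order[++n] = $5
        hosts[$5] = hosts[$5] " " name
      }
    }
    END {
      if (soa != 2) exit 1
      for (i = 1; i <= n; i++) print order[i] hosts[order[i]]
    }'
}
```
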
DNSEnum
┌──(kali㉿kali)-[~/archive/htb/labs/cronos]
└─$ dnsenum cronos.htb --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
dnsenum version:1.2.6
----- cronos.htb -----
host's addresses:
__________________
cronos.htb. 604800 IN A 10.10.10.13
name servers:
______________
ns1.cronos.htb. 604800 IN A 10.10.10.13
mail (mx) servers:
___________________
trying zone transfers and getting bind versions:
_________________________________________________
unresolvable name: ns1.cronos.htb at /usr/bin/dnsenum line 900.
Trying Zone Transfer for cronos.htb on ns1.cronos.htb ...
axfr record query failed: no nameservers
brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
www.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb class c netranges:
______________________________
performing reverse lookup on 0 ip addresses:
_____________________________________________
0 results out of 0 IP addresses.
cronos.htb ip blocks:
______________________
done.
This is all valuable information that I will be able to use for web enumeration.