DNS


Nmap discovered a DNS server on the target's port 53. The running service is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ nslookup  
> server 10.10.11.202
Default server: 10.10.11.202
Address: 10.10.11.202#53
> 127.0.0.1
;; communications error to 10.10.11.202#53: timed out
1.0.0.127.in-addr.arpa	name = localhost.
> sequel.htb
Server:		10.10.11.202
Address:	10.10.11.202#53
 
Name:	sequel.htb
Address: 10.10.11.202
Name:	sequel.htb
Address: dead:beef::a5e6:801b:8c97:b8f
Name:	sequel.htb
Address: dead:beef::21c
> dc.sequel.htb
;; communications error to 10.10.11.202#53: timed out
Server:		10.10.11.202
Address:	10.10.11.202#53
 
Name:	dc.sequel.htb
Address: 10.10.11.202
Name:	dc.sequel.htb
Address: dead:beef::21c
Name:	dc.sequel.htb
Address: dead:beef::a5e6:801b:8c97:b8f

While the reverse lookup failed for the localhost address, 2 additional IPv6 addresses were discovered: dead:beef::21c and dead:beef::a5e6:801b:8c97:b8f

dig


┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ dig ANY sequel.htb @$IP 
 
; <<>> DiG 9.18.16-1-Debian <<>> ANY sequel.htb @10.10.11.202
;; global options: +cmd
;; got answer:
;; ->>header<<- opcode: QUERY, status: NOERROR, id: 6610
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 4
 
;; opt pseudosection:
; edns: version: 0, flags:; udp: 4000
;; question section:
;sequel.htb.			IN	ANY
 
;; answer section:
sequel.htb.		600	IN	A	10.10.11.202
sequel.htb.		3600	IN	NS	dc.sequel.htb.
sequel.htb.		3600	IN	SOA	dc.sequel.htb. hostmaster.sequel.htb. 130 900 600 86400 3600
sequel.htb.		600	in	aaaa	dead:beef::21c
sequel.htb.		600	in	aaaa	dead:beef::a5e6:801b:8c97:b8f
 
;; additional section:
dc.sequel.htb.		1200	IN	A	10.10.11.202
dc.sequel.htb.		1200	in	aaaa	dead:beef::a5e6:801b:8c97:b8f
dc.sequel.htb.		1200	in	aaaa	dead:beef::21c
 
;; query time: 96 msec
;; server: 10.10.11.202#53(10.10.11.202) (TCP)
;; when: Sat Aug 12 17:26:50 CEST 2023
;; msg size  rcvd: 247

The same 2 IPv6 addresses are returned in the dig output above.

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ dnsenum SEQUEL.HTB --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt   
dnsenum VERSION:1.2.6
 
-----   sequel.htb   -----
 
 
Host's addresses:
__________________
 
sequel.htb.                              600      IN    A        10.10.11.202
 
 
Name Servers:
______________
 
dc.sequel.htb.                           3600     IN    A        10.10.11.202
 
 
Mail (MX) Servers:
___________________
 
 
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
 
unresolvable name: dc.sequel.htb at /usr/bin/dnsenum line 900.
 
Trying Zone Transfer for sequel.htb on dc.sequel.htb ... 
AXFR record query failed: no nameservers
 
 
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
 
dc.sequel.htb.                           3600     IN    A        10.10.11.202
gc._msdcs.sequel.htb.                    600      IN    A        10.10.11.202
domaindnszones.sequel.htb.               600      IN    A        10.10.11.202
forestdnszones.sequel.htb.               600      IN    A        10.10.11.202
 
 
sequel.htb class C netranges:
______________________________
 
 
 
Performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
sequel.htb ip blocks:
______________________
 
 
done.

Nothing found

IPv6


┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ rustscan -a dead:beef::21c -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open [dead:beef::21c]:53
open [dead:beef::21c]:88
open [dead:beef::21c]:135
open [dead:beef::21c]:389
open [dead:beef::21c]:445
open [dead:beef::21c]:464
open [dead:beef::21c]:593
open [dead:beef::21c]:636
open [dead:beef::21c]:3268
open [dead:beef::21c]:3269
open [dead:beef::21c]:5985
open [dead:beef::21c]:9389
open [dead:beef::21c]:49667
open [dead:beef::21c]:49687
open [dead:beef::21c]:49688
open [dead:beef::21c]:49704
open [dead:beef::21c]:49712
open [dead:beef::21c]:50658
 
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ rustscan -a dead:beef::a5e6:801b:8c97:b8f -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open [dead:beef::a5e6:801b:8c97:b8f]:53
open [dead:beef::a5e6:801b:8c97:b8f]:88
open [dead:beef::a5e6:801b:8c97:b8f]:135
open [dead:beef::a5e6:801b:8c97:b8f]:389
open [dead:beef::a5e6:801b:8c97:b8f]:445
open [dead:beef::a5e6:801b:8c97:b8f]:464
open [dead:beef::a5e6:801b:8c97:b8f]:593
open [dead:beef::a5e6:801b:8c97:b8f]:636
open [dead:beef::a5e6:801b:8c97:b8f]:3268
open [dead:beef::a5e6:801b:8c97:b8f]:3269
open [dead:beef::a5e6:801b:8c97:b8f]:5985
open [dead:beef::a5e6:801b:8c97:b8f]:9389
open [dead:beef::a5e6:801b:8c97:b8f]:49667
open [dead:beef::a5e6:801b:8c97:b8f]:49687
open [dead:beef::a5e6:801b:8c97:b8f]:49688
open [dead:beef::a5e6:801b:8c97:b8f]:49704
open [dead:beef::a5e6:801b:8c97:b8f]:49712
open [dead:beef::a5e6:801b:8c97:b8f]:50658

No additional services were found on those 2 IPv6 addresses.
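
An added example (not part of the original notes): a small parser that reads rustscan "open" lines like the ones above and diffs each address's port set against a baseline address, so the comparison between IPv4 and IPv6 exposure is checked mechanically rather than by eye. The sample input is constructed with documentation addresses, and the unbracketed IPv4 line format is an assumption.

```python
import re

# Matches rustscan result lines: "open [2001:db8::10]:53" or "Open 192.0.2.10:53".
OPEN_RE = re.compile(r"^open\s+(?:\[([^\]]+)\]|([0-9.]+)):(\d+)\s*$", re.IGNORECASE)

def parse_open_ports(text):
    """Return {address: set(ports)} from rustscan-style 'open' lines."""
    hosts = {}
    for line in text.splitlines():
        m = OPEN_RE.match(line.strip())
        if not m:
            continue  # banner, prompt and warning lines are ignored
        addr = m.group(1) or m.group(2)
        hosts.setdefault(addr, set()).add(int(m.group(3)))
    return hosts

def exposure_diff(hosts, baseline_addr):
    """Compare every address against the baseline address.

    Returns {address: {"extra": [...], "missing": [...]}}, where "extra" lists
    ports reachable on that address but not on the baseline (for example a
    service filtered on IPv4 but left open on IPv6).
    """
    base = hosts[baseline_addr]
    return {
        addr: {"extra": sorted(ports - base), "missing": sorted(base - ports)}
        for addr, ports in hosts.items() if addr != baseline_addr
    }

# Constructed sample (documentation addresses, not the lab's results).
SAMPLE = """\
[~] Automatically increasing ulimit value to 5000.
Open 192.0.2.10:53
Open 192.0.2.10:88
Open 192.0.2.10:445
open [2001:db8::10]:53
open [2001:db8::10]:88
open [2001:db8::10]:445
open [2001:db8::20]:53
open [2001:db8::20]:445
open [2001:db8::20]:5985
"""

if __name__ == "__main__":
    for addr, d in exposure_diff(parse_open_ports(SAMPLE), "192.0.2.10").items():
        print(addr, "extra:", d["extra"], "missing:", d["missing"])
```

An empty "extra" list for every IPv6 address corresponds to the conclusion above; a non-empty one points at a filtering gap between the two address families.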