DNS


Nmap discovered a DNS server on the target's port 53. The service running is ISC BIND 9.11.3.

FRIENDZONE.RED


friendzone.red was originally enumerated from the CN of the SSL certificate.

nslookup


┌──(kali㉿kali)-[~/archive/htb/labs/friendzone]
└─$ nslookup
> server 10.10.10.123
default server: 10.10.10.123
address: 10.10.10.123#53
> 127.0.0.1
;; communications error to 10.10.10.123#53: timed out
1.0.0.127.in-addr.arpa	name = localhost.
> 10.10.10.123
;; communications error to 10.10.10.123#53: timed out
** server can't find 123.10.10.10.in-addr.arpa: NXDOMAIN

Reverse lookup doesn’t reveal anything.

Zone Transfer


┌──(kali㉿kali)-[~/archive/htb/labs/friendzone]
└─$ dig axfr FRIENDZONE @$IP 

; <<>> DiG 9.18.10-2-Debian <<>> axfr FRIENDZONE @10.10.10.123
;; global options: +cmd
; Transfer failed.

I am not getting much out of it if I query for the hostname alone.

┌──(kali㉿kali)-[~/archive/htb/labs/friendzone]
└─$ dig axfr FRIENDZONE.RED @$IP

; <<>> DiG 9.18.10-2-Debian <<>> axfr FRIENDZONE.RED @10.10.10.123
;; global options: +cmd
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.		604800	IN	AAAA	::1
friendzone.red.		604800	IN	NS	localhost.
friendzone.red.		604800	IN	A	127.0.0.1
administrator1.friendzone.red. 604800 IN A	127.0.0.1
hr.friendzone.red.	604800	IN	A	127.0.0.1
uploads.friendzone.red.	604800	IN	A	127.0.0.1
friendzone.red.		604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 28 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Thu Jan 26 03:04:47 CET 2023
;; XFR size: 8 records (messages 1, bytes 303)

Querying for the CN enumerated from the SSL certificate, I am able to get a lot of domain information by zone transfer. I see there are A records for:

  • administrator1.friendzone.red
  • hr.friendzone.red
  • uploads.friendzone.red

Those are appended to the /etc/hosts file on Kali.

FRIENDZONEPORTAL.RED


FRIENDZONEPORTAL.RED was discovered upon reaching the web root on the target's port 80.

Appended to the /etc/hosts file on Kali.

Zone Transfer


┌──(kali㉿kali)-[~/archive/htb/labs/friendzone]
└─$ dig axfr FRIENDZONEPORTAL.RED @$IP                                                                                   

; <<>> DiG 9.18.10-2-Debian <<>> axfr FRIENDZONEPORTAL.RED @10.10.10.123
;; global options: +cmd
friendzoneportal.red.	604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
friendzoneportal.red.	604800	IN	AAAA	::1
friendzoneportal.red.	604800	IN	NS	localhost.
friendzoneportal.red.	604800	IN	A	127.0.0.1
admin.friendzoneportal.red. 604800 IN	A	127.0.0.1
files.friendzoneportal.red. 604800 IN	A	127.0.0.1
imports.friendzoneportal.red. 604800 IN	A	127.0.0.1
vpn.friendzoneportal.red. 604800 IN	A	127.0.0.1
friendzoneportal.red.	604800	IN	SOA	localhost. root.localhost. 2 604800 86400 2419200 604800
;; Query time: 32 msec
;; SERVER: 10.10.10.123#53(10.10.10.123) (TCP)
;; WHEN: Thu Jan 26 03:23:46 CET 2023
;; XFR size: 9 records (messages 1, bytes 329)

Zone transfer reveals a bunch more sub-domains of friendzoneportal.red.

Appended to the /etc/hosts file on Kali.
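As an added example (not part of the original writeup), the script below turns dig AXFR output like the two transfers above into /etc/hosts lines. It assumes the records are pasted into SAMPLE_AXFR (constructed here from the output above, both zones combined) and that names whose A record points at loopback are mapped to the target, 10.10.10.123, because the zone's own 127.0.0.1 addresses are useless for reaching the box.

```python
import ipaddress
import re

# Constructed sample: record lines from the two AXFR responses above, with a
# few dig comment lines left in to show that they are skipped.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.10-2-Debian <<>> axfr FRIENDZONE.RED @10.10.10.123
;; global options: +cmd
friendzone.red.\t\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
friendzone.red.\t\t604800\tIN\tAAAA\t::1
friendzone.red.\t\t604800\tIN\tNS\tlocalhost.
friendzone.red.\t\t604800\tIN\tA\t127.0.0.1
administrator1.friendzone.red. 604800 IN A\t127.0.0.1
hr.friendzone.red.\t604800\tIN\tA\t127.0.0.1
uploads.friendzone.red.\t604800\tIN\tA\t127.0.0.1
friendzone.red.\t\t604800\tIN\tSOA\tlocalhost. root.localhost. 2 604800 86400 2419200 604800
admin.friendzoneportal.red. 604800 IN\tA\t127.0.0.1
;; Query time: 28 msec
"""

# owner  ttl  IN  type  rdata   (dig prints fields separated by tabs or spaces)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_axfr(text):
    """Return (owner, ttl, type, rdata) tuples from dig-style AXFR output."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # dig comments / statistics
            continue
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.rstrip(".").lower(), int(ttl), rtype, rdata))
    return records


def hosts_entries(records, target_ip):
    """Build one /etc/hosts line per A-record owner, first occurrence wins."""
    seen = {}
    for owner, _ttl, rtype, rdata in records:
        if rtype != "A":
            continue
        addr = ipaddress.ip_address(rdata)
        # Zone data pointing at loopback cannot be used as-is: map those names
        # to the host that served the transfer. Other addresses are kept.
        seen.setdefault(owner, target_ip if addr.is_loopback else str(addr))
    return [f"{ip} {name}" for name, ip in seen.items()]


if __name__ == "__main__":
    print("\n".join(hosts_entries(parse_axfr(SAMPLE_AXFR), "10.10.10.123")))
```

On the server side, the same exposure is closed by restricting `allow-transfer` in BIND to the secondaries that actually need the zone.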