DNS


Nmap discovered a DNS server on the target's port 53. The running service is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ nslookup     
> server 10.10.11.24
Default server: 10.10.11.24
Address: 10.10.11.24#53
 
> localhost
Server:		10.10.11.24
Address:	10.10.11.24#53
 
Non-authoritative answer:
Name:	localhost
Address: 127.0.0.1
** server can't find localhost: SERVFAIL
 
> dc01.ghost.htb
Server:		10.10.11.24
Address:	10.10.11.24#53
 
Name:	dc01.ghost.htb
Address: 10.10.11.24
Name:	dc01.ghost.htb
Address: 10.0.0.254
 
> ghost.htb
Server:		10.10.11.24
Address:	10.10.11.24#53
 
Name:	ghost.htb
Address: 127.0.0.1
Name:	ghost.htb
Address: 10.0.0.254
Name:	ghost.htb
Address: 10.10.11.24
 
> core.ghost.htb
Server:		10.10.11.24
Address:	10.10.11.24#53
 
Name:	core.ghost.htb
Address: 127.0.0.1

dig


┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ dig any GHOST.HTB @$IP
 
; <<>> DiG 9.19.21-1-Debian <<>> any GHOST.HTB @10.10.11.24
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5867
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;GHOST.HTB.			IN	ANY
 
;; ANSWER SECTION:
GHOST.HTB.		600	IN	A	10.0.0.254
GHOST.HTB.		600	IN	A	10.10.11.24
GHOST.HTB.		3600	IN	A	127.0.0.1
GHOST.HTB.		3600	IN	NS	dc01.GHOST.HTB.
GHOST.HTB.		3600	IN	SOA	dc01.GHOST.HTB. hostmaster.GHOST.HTB. 223 900 600 86400 3600
 
;; ADDITIONAL SECTION:
dc01.GHOST.HTB.		3600	IN	A	10.0.0.254
dc01.GHOST.HTB.		3600	IN	A	10.10.11.24
 
;; Query time: 20 msec
;; SERVER: 10.10.11.24#53(10.10.11.24) (TCP)
;; WHEN: Mon Jul 15 11:16:27 CEST 2024
;; MSG SIZE  rcvd: 184

Querying for the domain revealed the DC host: dc01.ghost.htb.

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ dnsenum GHOST.HTB --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16
dnsenum VERSION:1.3.1
 
-----   ghost.htb   -----
 
 
Host's addresses:
__________________
 
ghost.htb.                               600      IN    A        10.10.11.24
ghost.htb.                               600      IN    A         127.0.0.1
ghost.htb.                               600      IN    A        10.0.0.254
 
 
Name Servers:
______________
 
dc01.ghost.htb.                          3600     IN    A        10.10.11.24
dc01.ghost.htb.                          3600     IN    A        10.0.0.254
 
 
Mail (MX) Servers:
___________________
 
 
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
 
unresolvable name: dc01.ghost.htb at /usr/bin/dnsenum line 892 thread 1.
 
Trying Zone Transfer for ghost.htb on dc01.ghost.htb ... 
AXFR record query failed: no nameservers
 
 
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt:
__________________________________________________________________________________________________
 
intranet.ghost.htb.                      3600     IN    A         127.0.0.1
corp.ghost.htb.                          575      IN    A         10.0.0.10
core.ghost.htb.                          3600     IN    A         127.0.0.1
gc._msdcs.ghost.htb.                     600      IN    A         10.0.0.10
gc._msdcs.ghost.htb.                     600      IN    A        10.0.0.254
gc._msdcs.ghost.htb.                     600      IN    A        10.10.11.24
domaindnszones.ghost.htb.                600      IN    A        10.0.0.254
domaindnszones.ghost.htb.                600      IN    A        10.10.11.24
forestdnszones.ghost.htb.                600      IN    A        10.10.11.24
forestdnszones.ghost.htb.                600      IN    A         10.0.0.10
forestdnszones.ghost.htb.                600      IN    A        10.0.0.254
federation.ghost.htb.                    3600     IN    A         127.0.0.1
dc01.ghost.htb.                          3600     IN    A        10.0.0.254
dc01.ghost.htb.                          3600     IN    A        10.10.11.24
 
 
ghost.htb class C netranges:
_____________________________
 
 
 
Performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
ghost.htb ip blocks:
_____________________
 
 
done.

dnsenum found additional A records:

  • intranet.ghost.htb
  • corp.ghost.htb
  • core.ghost.htb
  • federation.ghost.htb

The /etc/hosts file on Kali has been updated accordingly.
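The dig and dnsenum output above has to be triaged by hand: several names return 127.0.0.1 or addresses in 10.0.0.0/24 that are not routable from the lab VPN, and only the 10.10.11.24 answers belong in /etc/hosts. The script below is an added example (not part of this writeup or of any tool it uses) that parses zone-style record lines in the "name TTL IN TYPE rdata" layout, picks out the authoritative host from the NS/SOA records, separates reachable A records from loopback or internal ones, and renders the /etc/hosts lines. The record lines in SAMPLE are constructed from the shape of the output above, and the reachable range 10.10.11.0/24 is an assumption about the lab network.

```python
"""Triage zone-style DNS records (as printed by dig / dnsenum):
which names resolve to a reachable address, which answers expose
loopback / internal addressing, and which host is authoritative."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the "name TTL IN TYPE rdata" layout, mirroring
# the shape of the dig / dnsenum output above (values copied from it).
SAMPLE = """\
ghost.htb.                 600   IN  A    10.10.11.24
ghost.htb.                 3600  IN  A    127.0.0.1
ghost.htb.                 3600  IN  NS   dc01.ghost.htb.
ghost.htb.                 3600  IN  SOA  dc01.ghost.htb. hostmaster.ghost.htb. 223 900 600 86400 3600
dc01.ghost.htb.            3600  IN  A    10.0.0.254
dc01.ghost.htb.            3600  IN  A    10.10.11.24
intranet.ghost.htb.        3600  IN  A    127.0.0.1
corp.ghost.htb.            575   IN  A    10.0.0.10
;; dig comment line, must be skipped by the parser
"""

RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$"
)


def parse_records(text):
    """Return (name, ttl, type, rdata) tuples. Names are lowercased and the
    trailing dot removed so dig's GHOST.HTB. and dnsenum's ghost.htb. match."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank or dig comment line
        m = RECORD_RE.match(line)
        if not m:
            continue  # not a record line (section banners etc.)
        name = m.group("name").rstrip(".").lower()
        records.append((name, int(m.group("ttl")), m.group("type"), m.group("rdata")))
    return records


def classify_address(ip):
    """Label an address literal: loopback, private (RFC 1918 / ULA) or other."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "other"


def authoritative_hosts(records):
    """Names that appear as NS targets or as the SOA primary (the DC in an AD zone)."""
    auth = set()
    for _name, _ttl, rtype, rdata in records:
        if rtype == "NS":
            auth.add(rdata.rstrip(".").lower())
        elif rtype == "SOA":
            auth.add(rdata.split()[0].rstrip(".").lower())
    return sorted(auth)


def triage(records, reachable_net):
    """Split A records into (hosts, leaked).

    hosts  : reachable IP -> sorted names, ready for /etc/hosts.
    leaked : name -> sorted addresses that are loopback or outside
             reachable_net (assumption: the range the assessor can route to).
    """
    net = ipaddress.ip_network(reachable_net)
    hosts = defaultdict(set)
    leaked = defaultdict(set)
    for name, _ttl, rtype, rdata in records:
        if rtype != "A":
            continue
        addr = ipaddress.ip_address(rdata)
        if addr in net:
            hosts[str(addr)].add(name)
        else:
            leaked[name].add(str(addr))
    return ({ip: sorted(n) for ip, n in hosts.items()},
            {name: sorted(a) for name, a in leaked.items()})


def hosts_lines(hosts_map):
    """Render one /etc/hosts line per reachable address."""
    return [f"{ip} {' '.join(names)}" for ip, names in sorted(hosts_map.items())]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("authoritative:", authoritative_hosts(recs))
    hosts, leaked = triage(recs, "10.10.11.0/24")  # assumed lab VPN range
    for line in hosts_lines(hosts):
        print("hosts:", line)
    for name, addrs in leaked.items():
        tags = ", ".join(f"{a} ({classify_address(a)})" for a in addrs)
        print(f"exposed but not reachable from here: {name} -> {tags}")
```

The leaked map is the part worth keeping for the report: a zone that answers external queries with 127.0.0.1 and 10.0.0.x addresses is disclosing its internal addressing, which a defender would normally confine to an internal view of the zone.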

dnsrecon


┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ dnsrecon -d GHOST.HTB -n $IP -D /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16       
[*] std: Performing General Enumeration against: GHOST.HTB...
[-] DNSSEC is not configured for GHOST.HTB
[*] 	 SOA dc01.GHOST.HTB 10.0.0.254
[*] 	 SOA dc01.GHOST.HTB 10.10.11.24
[*] 	 NS dc01.GHOST.HTB 10.0.0.254
[*] 	 NS dc01.GHOST.HTB 10.10.11.24
[*] 	 A GHOST.HTB 127.0.0.1
[*] 	 A GHOST.HTB 10.0.0.254
[*] 	 A GHOST.HTB 10.10.11.24
[*] Enumerating SRV Records
[+] 	 SRV _kerberos._tcp.GHOST.HTB dc01.ghost.htb 10.10.11.24 88
[+] 	 SRV _kerberos._tcp.GHOST.HTB dc01.ghost.htb 10.0.0.254 88
[+] 	 SRV _ldap._tcp.pdc._msdcs.GHOST.HTB dc01.ghost.htb 10.0.0.254 389
[+] 	 SRV _ldap._tcp.pdc._msdcs.GHOST.HTB dc01.ghost.htb 10.10.11.24 389
[+] 	 SRV _kpasswd._tcp.GHOST.HTB dc01.ghost.htb 10.10.11.24 464
[+] 	 SRV _kpasswd._tcp.GHOST.HTB dc01.ghost.htb 10.0.0.254 464
[+] 	 SRV _ldap._tcp.gc._msdcs.GHOST.HTB primary.corp.ghost.htb 10.0.0.10 3268
[+] 	 SRV _ldap._tcp.gc._msdcs.GHOST.HTB dc01.ghost.htb 10.0.0.254 3268
[+] 	 SRV _ldap._tcp.gc._msdcs.GHOST.HTB dc01.ghost.htb 10.10.11.24 3268
[+] 	 SRV _ldap._tcp.dc._msdcs.GHOST.HTB dc01.ghost.htb 10.10.11.24 389
[+] 	 SRV _ldap._tcp.dc._msdcs.GHOST.HTB dc01.ghost.htb 10.0.0.254 389
[+] 	 SRV _ldap._tcp.ForestDNSZones.GHOST.HTB primary.corp.ghost.htb 10.0.0.10 389
[+] 12 Records Found