DNS


Nmap discovered a DNS server on the target's port 53. The running service is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ nslookup                      
> server 10.10.10.248
Default server: 10.10.10.248
Address: 10.10.10.248#53
> 127.0.0.1
;; communications error to 10.10.10.248#53: timed out
1.0.0.127.in-addr.arpa	name = localhost.
> dc
Server:		10.10.10.248
Address:	10.10.10.248#53
 
** server can't find dc: SERVFAIL
> dc.intelligence.htb
;; communications error to 10.10.10.248#53: timed out
Server:		10.10.10.248
Address:	10.10.10.248#53
 
Name:	dc.intelligence.htb
Address: 10.10.10.248
Name:	dc.intelligence.htb
Address: dead:beef::23b
Name:	dc.intelligence.htb
Address: dead:beef::95e:6ab2:ad09:42c7

While the reverse lookup failed, querying the FQDN returned the following 2 additional IPv6 addresses:

  • dead:beef::23b
  • dead:beef::95e:6ab2:ad09:42c7

IPv6


┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ rustscan -a dead:beef::23b -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open [dead:beef::23b]:53
open [dead:beef::23b]:80
open [dead:beef::23b]:88
open [dead:beef::23b]:135
open [dead:beef::23b]:389
open [dead:beef::23b]:445
open [dead:beef::23b]:464
open [dead:beef::23b]:593
open [dead:beef::23b]:636
open [dead:beef::23b]:3268
open [dead:beef::23b]:3269
open [dead:beef::23b]:5985
open [dead:beef::23b]:9389
 
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ rustscan -a dead:beef::95e:6ab2:ad09:42c7 -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open [dead:beef::95e:6ab2:ad09:42c7]:53
open [dead:beef::95e:6ab2:ad09:42c7]:80
open [dead:beef::95e:6ab2:ad09:42c7]:88
open [dead:beef::95e:6ab2:ad09:42c7]:135
open [dead:beef::95e:6ab2:ad09:42c7]:389
open [dead:beef::95e:6ab2:ad09:42c7]:445
open [dead:beef::95e:6ab2:ad09:42c7]:464
open [dead:beef::95e:6ab2:ad09:42c7]:593
open [dead:beef::95e:6ab2:ad09:42c7]:636
open [dead:beef::95e:6ab2:ad09:42c7]:3268
open [dead:beef::95e:6ab2:ad09:42c7]:3269
open [dead:beef::95e:6ab2:ad09:42c7]:5985
open [dead:beef::95e:6ab2:ad09:42c7]:9389

Same result as the IPv4 counterpart. No additional services were found on those IPv6 addresses.
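The comparison above can be made repeatable. The following is an added example, not part of the original notes: it parses `open [addr]:port` lines in the format shown above and reports any address whose open ports differ from the IPv4 baseline, which is how a filtering rule applied to only one address family shows up. The unbracketed IPv4 line format, the reconstructed IPv4 lines and the second sample are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# "open [v6addr]:port" is the format on the page; "open v4addr:port" is assumed for IPv4.
OPEN_LINE = re.compile(
    r"^open\s+(?:\[([0-9a-f:]+)\]|(\d+(?:\.\d+){3})):(\d+)$", re.IGNORECASE)

def open_ports_by_address(scan_output):
    """Map each scanned address to its set of open ports; banner lines are skipped."""
    found = defaultdict(set)
    for line in scan_output.splitlines():
        m = OPEN_LINE.match(line.strip())
        if m:
            found[ipaddress.ip_address(m.group(1) or m.group(2))].add(int(m.group(3)))
    return dict(found)

def exposure_drift(ports_by_addr, baseline):
    """Per address, the ports open beyond ("extra") or absent from ("missing") the baseline."""
    base = ports_by_addr[ipaddress.ip_address(baseline)]
    drift = {}
    for addr, ports in ports_by_addr.items():
        if ports != base:
            drift[str(addr)] = {"extra": sorted(ports - base), "missing": sorted(base - ports)}
    return drift

def render(addr, ports):
    """Build scan lines for the sample input (IPv6 addresses are bracketed)."""
    host = f"[{addr}]" if ":" in addr else addr
    return "\n".join(f"open {host}:{p}" for p in ports)

# Ports reported on the page for both IPv6 addresses.
PAGE_PORTS = [53, 80, 88, 135, 389, 445, 464, 593, 636, 3268, 3269, 5985, 9389]
V4, V6_A, V6_B = "10.10.10.248", "dead:beef::23b", "dead:beef::95e:6ab2:ad09:42c7"

# Sample 1: the page's result. IPv4 lines are reconstructed from "same result as IPv4".
PAGE_SCAN = "\n".join(["[~] Automatically increasing ulimit value to 5000."]
                      + [render(a, PAGE_PORTS) for a in (V4, V6_A, V6_B)])

# Sample 2 (constructed): 5985 filtered on IPv4 only, still reachable over IPv6.
DRIFT_SCAN = "\n".join([render(V4, [p for p in PAGE_PORTS if p != 5985]),
                        render(V6_A, PAGE_PORTS)])

if __name__ == "__main__":
    print(exposure_drift(open_ports_by_address(PAGE_SCAN), V4))
    print(exposure_drift(open_ports_by_address(DRIFT_SCAN), V4))
```

An empty result for the page's data matches the conclusion above; a non-empty result points at the address family whose filtering differs.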

dig


┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ dig any @$IP INTELLIGENCE.HTB   
 
; <<>> DiG 9.18.16-1-Debian <<>> any @10.10.10.248 INTELLIGENCE.HTB
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60513
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 4
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;INTELLIGENCE.HTB.		IN	ANY
 
;; ANSWER SECTION:
INTELLIGENCE.HTB.	600	IN	A	10.10.10.248
INTELLIGENCE.HTB.	3600	IN	NS	dc.INTELLIGENCE.HTB.
INTELLIGENCE.HTB.	3600	IN	SOA	dc.INTELLIGENCE.HTB. hostmaster.INTELLIGENCE.HTB. 76 900 600 86400 3600
INTELLIGENCE.HTB.	600	IN	AAAA	dead:beef::23b
INTELLIGENCE.HTB.	600	IN	AAAA	dead:beef::95e:6ab2:ad09:42c7
 
;; ADDITIONAL SECTION:
dc.INTELLIGENCE.HTB.	1200	IN	A	10.10.10.248
dc.INTELLIGENCE.HTB.	1200	IN	AAAA	dead:beef::95e:6ab2:ad09:42c7
dc.INTELLIGENCE.HTB.	1200	IN	AAAA	dead:beef::23b
 
;; Query time: 196 msec
;; SERVER: 10.10.10.248#53(10.10.10.248) (TCP)
;; WHEN: Tue Sep 26 14:29:39 CEST 2023
;; MSG SIZE  rcvd: 253

dig also revealed those 2 IPv6 addresses.

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ dnsenum INTELLIGENCE.HTB --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt 
dnsenum version:1.2.6
 
-----   intelligence.htb   -----
 
 
host's addresses:
__________________
 
intelligence.htb.                        600      IN    A        10.10.10.248
 
 
name servers:
______________
 
dc.intelligence.htb.                     1200     IN    A        10.10.10.248
 
 
mail (mx) servers:
___________________
 
 
 
trying zone transfers and getting bind versions:
_________________________________________________
 
unresolvable name: dc.intelligence.htb at /usr/bin/dnsenum line 900.
 
Trying Zone Transfer for intelligence.htb on dc.intelligence.htb ... 
axfr record query failed: no nameservers
 
 
brute forcing with /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-110000.txt:
__________________________________________________________________________________________________
 
dc.intelligence.htb.                     1200     IN    A        10.10.10.248
gc._msdcs.intelligence.htb.              600      IN    A        10.10.10.248
domaindnszones.intelligence.htb.         600      IN    A        10.10.10.248
forestdnszones.intelligence.htb.         600      IN    A        10.10.10.248
 
 
intelligence.htb class c netranges:
_______________________________
 
 
 
performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
intelligence.htb ip blocks:
_______________________
 
 
done.

Nothing found.