DNS
Nmap discovered a DNS server on the target's port 53.
Reverse Lookup
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ nslookup
> server 10.10.11.175
Default server: 10.10.11.175
Address: 10.10.11.175#53
> 127.0.0.1
1.0.0.127.in-addr.arpa name = localhost.
> OUTDATED.HTB
Server: 10.10.11.175
Address: 10.10.11.175#53
Name: OUTDATED.HTB
Address: 172.16.20.1
Name: OUTDATED.HTB
Address: 10.10.11.175
Name: OUTDATED.HTB
Address: dead:beef::1c7
Name: OUTDATED.HTB
Address: dead:beef::79f8:b95e:decc:a0ad
> dc.outdated.htb
Server: 10.10.11.175
Address: 10.10.11.175#53
Name: dc.outdated.htb
Address: 172.16.20.1
Name: dc.outdated.htb
Address: 10.10.11.175
Name: dc.outdated.htb
Address: dead:beef::79f8:b95e:decc:a0ad
Name: dc.outdated.htb
Address: dead:beef::1c7
> mail.outdated.htb
Server: 10.10.11.175
Address: 10.10.11.175#53
mail.outdated.htb canonical name = dc.outdated.htb.
Name: dc.outdated.htb
Address: 10.10.11.175
Name: dc.outdated.htb
Address: 172.16.20.1
Name: dc.outdated.htb
Address: dead:beef::1c7
Name: dc.outdated.htb
Address: dead:beef::79f8:b95e:decc:a0ad
Reverse lookup provided an interesting insight into the target domain:
- The output indicates that the hosts dc.outdated.htb and mail.outdated.htb share the same IPv4 address, 10.10.11.175.
- Both hosts also have a second IPv4 address, 172.16.20.1, suggesting that one or both of them might be hosted in a containerized environment.
- While the presence of an internal container IP address is a common occurrence in containerized environments, it is not yet clear which host is served from the container.
- The canonical name (CNAME) record for mail.outdated.htb indicates that it is an alias for dc.outdated.htb. This means that a client trying to access mail.outdated.htb is directed to dc.outdated.htb.
- Furthermore, 2 associated AAAA records have been identified: dead:beef::79f8:b95e:decc:a0ad and dead:beef::1c7.
AAAA Records (IPv6)
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ rustscan -a dead:beef::79f8:b95e:decc:a0ad,dead:beef::1c7 -b 25000
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open [dead:beef::79f8:b95e:decc:a0ad]:53
open [dead:beef::1c7]:53
open [dead:beef::79f8:b95e:decc:a0ad]:88
open [dead:beef::1c7]:88
open [dead:beef::1c7]:135
open [dead:beef::79f8:b95e:decc:a0ad]:135
open [dead:beef::1c7]:389
open [dead:beef::79f8:b95e:decc:a0ad]:389
open [dead:beef::1c7]:445
open [dead:beef::79f8:b95e:decc:a0ad]:445
open [dead:beef::79f8:b95e:decc:a0ad]:464
open [dead:beef::1c7]:464
open [dead:beef::1c7]:593
open [dead:beef::79f8:b95e:decc:a0ad]:593
open [dead:beef::1c7]:636
open [dead:beef::79f8:b95e:decc:a0ad]:636
open [dead:beef::79f8:b95e:decc:a0ad]:3268
open [dead:beef::1c7]:3268
open [dead:beef::1c7]:3269
open [dead:beef::79f8:b95e:decc:a0ad]:3269
open [dead:beef::79f8:b95e:decc:a0ad]:5985
open [dead:beef::1c7]:5985
open [dead:beef::1c7]:8530
open [dead:beef::79f8:b95e:decc:a0ad]:8531
open [dead:beef::1c7]:8531
open [dead:beef::79f8:b95e:decc:a0ad]:8530
open [dead:beef::79f8:b95e:decc:a0ad]:9389
open [dead:beef::1c7]:9389
Those 2 IPv6 addresses appear to provide the same services as the IPv4 address. Moving on.
dig
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ dig any dc.outdated.htb @$IP
; <<>> DiG 9.19.17-2~kali1-Kali <<>> any dc.outdated.htb @10.10.11.175
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20616
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;dc.outdated.htb. IN ANY
;; ANSWER SECTION:
dc.outdated.htb. 3600 IN A 10.10.11.175
dc.outdated.htb. 3600 IN A 172.16.20.1
dc.outdated.htb. 3600 IN AAAA dead:beef::1c7
dc.outdated.htb. 3600 IN AAAA dead:beef::79f8:b95e:decc:a0ad
;; Query time: 48 msec
;; SERVER: 10.10.11.175#53(10.10.11.175) (TCP)
;; WHEN: Wed Jan 03 13:35:59 CET 2024
;; MSG SIZE rcvd: 132
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ dig any mail.outdated.htb @$IP
; <<>> DiG 9.19.17-2~kali1-Kali <<>> any mail.outdated.htb @10.10.11.175
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6935
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;mail.outdated.htb. IN ANY
;; ANSWER SECTION:
mail.outdated.htb. 3600 IN CNAME dc.outdated.htb.
;; Query time: 36 msec
;; SERVER: 10.10.11.175#53(10.10.11.175) (TCP)
;; WHEN: Wed Jan 03 13:36:07 CET 2024
;; MSG SIZE rcvd: 63
The same result can be seen with dig.
dnsenum
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ dnsenum OUTDATED.HTB --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt --threads 16
dnsenum version:1.2.6
----- outdated.htb -----
host's addresses:
__________________
outdated.htb. 600 IN A 10.10.11.175
outdated.htb. 600 IN A 172.16.20.1
name servers:
______________
dc.outdated.htb. 1200 IN A 10.10.11.175
mail (mx) servers:
___________________
trying zone transfers and getting bind versions:
_________________________________________________
unresolvable name: dc.outdated.htb at /usr/bin/dnsenum line 900 thread 1.
Trying Zone Transfer for outdated.htb on dc.outdated.htb ...
axfr record query failed: no nameservers
brute forcing with /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
mail.outdated.htb. 3600 IN CNAME dc.outdated.htb.
dc.outdated.htb. 1200 IN A 10.10.11.175
client.outdated.htb. 1200 IN A 172.16.20.20
dc.outdated.htb. 1200 IN A 10.10.11.175
gc._msdcs.outdated.htb. 600 IN A 172.16.20.1
gc._msdcs.outdated.htb. 600 IN A 10.10.11.175
wsus.outdated.htb. 3600 IN CNAME dc.outdated.htb.
dc.outdated.htb. 1200 IN A 10.10.11.175
domaindnszones.outdated.htb. 600 IN A 172.16.20.1
domaindnszones.outdated.htb. 600 IN A 10.10.11.175
forestdnszones.outdated.htb. 600 IN A 172.16.20.1
forestdnszones.outdated.htb. 600 IN A 10.10.11.175
outdated.htb class c netranges:
________________________________
performing reverse lookup on 0 ip addresses:
_____________________________________________
0 results out of 0 IP addresses.
outdated.htb ip blocks:
________________________
done.
dnsenum’s result reveals the following additional information:
- Both mail.outdated.htb and wsus.outdated.htb are aliases (CNAME) for the dc.outdated.htb host.
- The host client.outdated.htb appears to be an internal container host at 172.16.20.20.
- It’s interesting that mail.outdated.htb is NOT registered under an MX record, but is rather an alias (CNAME) for the dc.outdated.htb host.
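As an added example (not part of the original writeup), the following Python script performs the same analysis programmatically: it parses dig/dnsenum-style resource records, follows CNAME chains, groups hosts that share an address, and flags private addresses lying outside the network the resolver was reached from, which is how a defender reviewing a zone would spot internal (container) addresses being handed out. The sample records and the 10.10.11.0/24 lab network are constructed from the output above.

```python
import ipaddress
from collections import defaultdict
# Constructed sample: the records the dig and dnsenum runs above returned.
RECORDS = """\
outdated.htb. 600 IN A 10.10.11.175
outdated.htb. 600 IN A 172.16.20.1
dc.outdated.htb. 1200 IN A 10.10.11.175
dc.outdated.htb. 1200 IN A 172.16.20.1
dc.outdated.htb. 3600 IN AAAA dead:beef::1c7
dc.outdated.htb. 3600 IN AAAA dead:beef::79f8:b95e:decc:a0ad
mail.outdated.htb. 3600 IN CNAME dc.outdated.htb.
wsus.outdated.htb. 3600 IN CNAME dc.outdated.htb.
client.outdated.htb. 1200 IN A 172.16.20.20
"""
LAB_NET = ipaddress.ip_network("10.10.11.0/24")  # assumed: net the resolver was reached from

def parse_records(text):
    """Map owner -> [(type, rdata)] from 'owner TTL IN TYPE rdata' lines."""
    recs = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN":
            continue  # not a resource record line (banner, blank, underline)
        owner, _ttl, _cls, rtype, rdata = parts
        recs[owner.rstrip(".")].append((rtype, rdata.rstrip(".")))
    return recs

def resolve(recs, name, depth=0):
    """Follow CNAMEs to the set of A/AAAA addresses; cap depth against loops."""
    if depth > 8:
        return set()
    addrs = set()
    for rtype, rdata in recs.get(name, []):
        if rtype in ("A", "AAAA"):
            addrs.add(rdata)
        elif rtype == "CNAME":
            addrs |= resolve(recs, rdata, depth + 1)
    return addrs

def analyse(recs, lab_net=LAB_NET):
    """Report aliases, hosts sharing an address, and private off-net addresses."""
    aliases = {n: r for n, v in recs.items() for t, r in v if t == "CNAME"}
    by_addr = defaultdict(set)
    for name in recs:
        for a in resolve(recs, name):
            by_addr[a].add(name)
    shared = {a: sorted(n) for a, n in by_addr.items() if len(n) > 1}
    leaked = sorted(a for a in by_addr if ipaddress.ip_address(a).is_private
                    and ipaddress.ip_address(a) not in lab_net)
    return {"aliases": aliases, "shared": shared, "leaked": leaked}
```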