DNS


Nmap discovered a DNS server running on target port 53. The service is reported as Simple DNS Plus, which is the banner Nmap commonly gives for Microsoft DNS on a Windows domain controller, so this is most likely the AD-integrated DNS for the domain.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ nslookup                                                                                                           
> server 10.10.11.108
Default server: 10.10.11.108
Address: 10.10.11.108#53
> 127.0.0.1
;; communications error to 10.10.11.108#53: timed out
1.0.0.127.in-addr.arpa	name = localhost.
> return.local
;; communications error to 10.10.11.108#53: timed out
Server:		10.10.11.108
Address:	10.10.11.108#53
 
Name:	return.local
Address: 10.10.11.108
Name:	return.local
Address: dead:beef::1a2
Name:	return.local
Address: dead:beef::3ca0:8079:2c38:f2ac
> printer.return.local
;; communications error to 10.10.11.108#53: timed out
Server:		10.10.11.108
Address:	10.10.11.108#53
 
Name:	printer.return.local
Address: 10.10.11.108
Name:	printer.return.local
Address: dead:beef::1a2
Name:	printer.return.local
Address: dead:beef::3ca0:8079:2c38:f2ac

The reverse lookup of 127.0.0.1 did come back (name = localhost.); the communications error lines are just nslookup timing out on its first attempt before the retry was answered. Forward lookups of both return.local and printer.return.local resolve to the IPv4 address I had been scanning plus two IPv6 addresses I had not seen yet:

  • dead:beef::1a2
  • dead:beef::3ca0:8079:2c38:f2ac

IPv6


┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ rustscan -a dead:beef::1a2 -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open [dead:beef::1a2]:53
open [dead:beef::1a2]:80
open [dead:beef::1a2]:88
open [dead:beef::1a2]:135
open [dead:beef::1a2]:389
open [dead:beef::1a2]:445
open [dead:beef::1a2]:464
open [dead:beef::1a2]:593
open [dead:beef::1a2]:3268
open [dead:beef::1a2]:3269
open [dead:beef::1a2]:5985
open [dead:beef::1a2]:9389
 
┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ rustscan -a dead:beef::3ca0:8079:2c38:f2ac -b 20000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
0day was here
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open [dead:beef::3ca0:8079:2c38:f2ac]:53
open [dead:beef::3ca0:8079:2c38:f2ac]:80
open [dead:beef::3ca0:8079:2c38:f2ac]:88
open [dead:beef::3ca0:8079:2c38:f2ac]:135
open [dead:beef::3ca0:8079:2c38:f2ac]:389
open [dead:beef::3ca0:8079:2c38:f2ac]:445
open [dead:beef::3ca0:8079:2c38:f2ac]:464
open [dead:beef::3ca0:8079:2c38:f2ac]:593
open [dead:beef::3ca0:8079:2c38:f2ac]:3268
open [dead:beef::3ca0:8079:2c38:f2ac]:5985
open [dead:beef::3ca0:8079:2c38:f2ac]:9389

Both IPv6 addresses expose the same service set as 10.10.11.108 (the second scan did not list 3269, which I'd put down to a missed port in that run rather than a real difference), so nothing is listening on IPv6 only. Still worth the check, since hosts sometimes firewall IPv4 and forget IPv6. Moving on.

dig


┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ dig any RETURN.LOCAL @$IP
 
; <<>> DiG 9.18.10-2-Debian <<>> any RETURN.LOCAL @10.10.11.108
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55154
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 4
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: 79a772648c56cafc (echoed)
;; QUESTION SECTION:
;RETURN.LOCAL.			IN	ANY
 
;; ANSWER SECTION:
RETURN.LOCAL.		600	IN	A	10.10.11.108
RETURN.LOCAL.		3600	IN	NS	printer.RETURN.LOCAL.
RETURN.LOCAL.		3600	IN	SOA	printer.RETURN.LOCAL. hostmaster.RETURN.LOCAL. 120 900 600 86400 3600
RETURN.LOCAL.		600	IN	AAAA	dead:beef::3ca0:8079:2c38:f2ac
RETURN.LOCAL.		600	IN	AAAA	dead:beef::1a2
 
;; ADDITIONAL SECTION:
printer.RETURN.LOCAL.	3600	IN	A	10.10.11.108
printer.RETURN.LOCAL.	3600	IN	AAAA	dead:beef::3ca0:8079:2c38:f2ac
printer.RETURN.LOCAL.	3600	IN	AAAA	dead:beef::1a2
 
;; Query time: 27 msec
;; SERVER: 10.10.11.108#53(10.10.11.108) (TCP)
;; WHEN: Thu Mar 23 09:46:02 CET 2023
;; MSG SIZE  rcvd: 266

dig ANY returns the same A and AAAA records and adds the zone metadata: printer.RETURN.LOCAL is both the only NS and the SOA primary (contact hostmaster.RETURN.LOCAL, serial 120), so the DC serves its own zone. The .local warning is dig noting that the TLD is reserved for mDNS; here it is simply an AD domain using .local, answered over unicast as a normal authoritative zone (note the aa flag).

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ dnsenum RETURN.LOCAL --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
dnsenum version:1.2.6
 
-----   return.local   -----
 
 
host's addresses:
__________________
 
return.local.                            600      IN    A        10.10.11.108
 
 
name servers:
______________
 
printer.return.local.                    3600     IN    A        10.10.11.108
 
 
mail (mx) servers:
___________________
 
 
 
trying zone transfers and getting bind versions:
_________________________________________________
 
unresolvable name: printer.return.local at /usr/bin/dnsenum line 900.
 
Trying Zone Transfer for return.local on printer.return.local ... 
axfr record query failed: no nameservers
 
 
brute forcing with /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
 
gc._msdcs.return.local.                  600      IN    A        10.10.11.108
domaindnszones.return.local.             600      IN    A        10.10.11.108
forestdnszones.return.local.             600      IN    A        10.10.11.108
printer.return.local.                    3600     IN    A        10.10.11.108
 
 
return.local class c netranges:
________________________________
 
 
 
performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
return.local ip blocks:
________________________
 
 
done.

Nothing new from dnsenum. The zone transfer never actually reached the target: dnsenum could not resolve the NS hostname printer.return.local (the "unresolvable name" error) and gave up with "no nameservers", so the AXFR result is inconclusive rather than a confirmed refusal; a direct dig axfr return.local @10.10.11.108 would settle it. The brute force only turned up gc._msdcs, domaindnszones and forestdnszones, which are the standard AD-integrated DNS names and fit the global catalog ports 3268/3269 seen earlier.
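As an added example (my own script, not part of the original notes or any tool above): the nslookup/dig/dnsenum steps all depend on the query actually going to the target nameserver, which is exactly where dnsenum's AXFR attempt fell over. The stdlib-only client below builds and parses DNS packets itself and sends them straight to a server address (IPv4 or IPv6 literal), so /etc/resolv.conf never gets involved. It covers the record types used in this recon (A, AAAA, NS, SOA, PTR, SRV, ANY), adds the standard AD SRV names (_ldap._tcp.dc._msdcs, _kerberos._tcp, _kpasswd._tcp, _gc._tcp) that a domain controller always publishes, and collects the A/AAAA answers into a target list for the next port scan. The server and domain command-line arguments are assumptions; build_sample_response() is a constructed reply using the values from this writeup so the parser can be exercised offline.

```python
"""Stdlib-only DNS client that queries a target nameserver directly, bypassing the system resolver."""
import ipaddress
import socket
import struct
import sys

QTYPES = {"A": 1, "NS": 2, "SOA": 6, "PTR": 12, "AAAA": 28, "SRV": 33, "ANY": 255}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}
# SRV names every AD domain publishes; they enumerate DCs, KDCs, password servers and global catalogs.
AD_SRV_PREFIXES = ("_ldap._tcp.dc._msdcs", "_kerberos._tcp", "_kpasswd._tcp", "_gc._tcp")

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels plus a zero terminator."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Standard query: one question, RD bit set, class IN."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", QTYPES[qtype], 1)

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it in the original stream)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", off if end is None else end

def parse_rdata(msg, rtype, start, rdlen):
    """Render RDATA for the record types used in recon; anything else is returned as hex."""
    data = msg[start:start + rdlen]
    if rtype == 1:
        return str(ipaddress.IPv4Address(data))
    if rtype == 28:
        return str(ipaddress.IPv6Address(data))
    if rtype in (2, 12):  # NS, PTR: a single (compressible) name
        return read_name(msg, start)[0]
    if rtype == 6:  # SOA: mname rname serial refresh retry expire minimum
        mname, off = read_name(msg, start)
        rname, off = read_name(msg, off)
        return " ".join([mname, rname] + [str(n) for n in struct.unpack(">IIIII", msg[off:off + 20])])
    if rtype == 33:  # SRV: priority weight port target
        prio, weight, port = struct.unpack(">HHH", data[:6])
        return f"{prio} {weight} {port} {read_name(msg, start + 6)[0]}"
    return data.hex()

def parse_response(msg):
    """Return (rcode, [(name, type, ttl, rdata), ...]) across answer, authority and additional sections."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        records.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, parse_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return flags & 0xF, records

def query(server, name, qtype, timeout=3.0):
    """UDP query straight to `server` (IPv4 or IPv6 literal); /etc/resolv.conf is never consulted."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (server, 53))
        return parse_response(sock.recvfrom(4096)[0])

def scan_targets(records):
    """Unique A/AAAA addresses in a record list: the hosts worth port-scanning next (IPv6 included)."""
    return sorted({rdata for _, rtype, _, rdata in records if rtype in ("A", "AAAA")})

def ad_srv_names(domain):
    return [f"{p}.{domain.rstrip('.')}" for p in AD_SRV_PREFIXES]

def build_sample_response():
    """Constructed reply to 'return.local ANY' with the values from this writeup, for offline testing."""
    hdr = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)  # flags: QR, RD, RA; three answers
    question = encode_name("return.local") + struct.pack(">HH", QTYPES["ANY"], 1)
    ptr = b"\xc0\x0c"  # compression pointer to the question name at offset 12
    a = ptr + struct.pack(">HHIH", 1, 1, 600, 4) + ipaddress.IPv4Address("10.10.11.108").packed
    aaaa = ptr + struct.pack(">HHIH", 28, 1, 600, 16) + ipaddress.IPv6Address("dead:beef::1a2").packed
    ns_rdata = b"\x07printer" + ptr  # printer.return.local. built from the same pointer
    return hdr + question + a + aaaa + ptr + struct.pack(">HHIH", 2, 1, 3600, len(ns_rdata)) + ns_rdata

if __name__ == "__main__":
    server, domain = sys.argv[1], sys.argv[2]  # assumed usage: python3 dnsrecon.py 10.10.11.108 return.local
    lookups = [(domain, "SOA"), (domain, "NS"), (domain, "ANY")] + [(n, "SRV") for n in ad_srv_names(domain)]
    found = []
    for qname, qtype in lookups:
        _, recs = query(server, qname, qtype)
        found += recs
        for name, rtype, ttl, rdata in recs:
            print(f"{qtype:<4} {name:<40} {rtype:<5} {ttl:>6} {rdata}")
    print("scan next:", ", ".join(scan_targets(found)))
```

Run it with the DC's address as the server and the domain as the second argument; passing one of the dead:beef:: addresses as the server checks that DNS answers over IPv6 as well. It only does UDP, so a zone transfer still needs dig axfr over TCP; the point is that every query here is guaranteed to hit the target rather than whatever resolver the tool happens to pick up.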