DNS
Nmap discovered a DNS service on the target's port 53.
The service running is Simple DNS Plus.
Reverse Lookup
┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ nslookup
> server 10.10.10.175
Default server: 10.10.10.175
Address: 10.10.10.175#53
> 127.0.0.1
1.0.0.127.in-addr.arpa name = localhost.
> egotistical-bank.local
;; communications error to 10.10.10.175#53: timed out
Server: 10.10.10.175
Address: 10.10.10.175#53
Name: egotistical-bank.local
Address: 10.10.10.175
Name: egotistical-bank.local
Address: dead:beef::d82a:5af8:762a:f639
> sauna.egotistical-bank.local
Server: 10.10.10.175
Address: 10.10.10.175#53
Name: sauna.egotistical-bank.local
Address: 10.10.10.175
Name: sauna.egotistical-bank.local
Address: dead:beef::64df:5bff:4879:1d8b
Name: sauna.egotistical-bank.local
Address: dead:beef::17a
While reverse lookup isn't available, nslookup found 3 additional IPv6 addresses:
dead:beef::d82a:5af8:762a:f639
dead:beef::64df:5bff:4879:1d8b
dead:beef::17a
IPv6
┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ rustscan -a dead:beef::64df:5bff:4879:1d8b -b 20000
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open [dead:beef::64df:5bff:4879:1d8b]:53
open [dead:beef::64df:5bff:4879:1d8b]:80
open [dead:beef::64df:5bff:4879:1d8b]:88
open [dead:beef::64df:5bff:4879:1d8b]:135
open [dead:beef::64df:5bff:4879:1d8b]:389
open [dead:beef::64df:5bff:4879:1d8b]:445
open [dead:beef::64df:5bff:4879:1d8b]:464
open [dead:beef::64df:5bff:4879:1d8b]:593
open [dead:beef::64df:5bff:4879:1d8b]:3268
open [dead:beef::64df:5bff:4879:1d8b]:3269
open [dead:beef::64df:5bff:4879:1d8b]:5985
open [dead:beef::64df:5bff:4879:1d8b]:9389
┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ rustscan -a dead:beef::17a -b 20000
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open [dead:beef::17a]:53
open [dead:beef::17a]:80
open [dead:beef::17a]:88
open [dead:beef::17a]:135
open [dead:beef::17a]:389
open [dead:beef::17a]:445
open [dead:beef::17a]:464
open [dead:beef::17a]:593
open [dead:beef::17a]:3269
open [dead:beef::17a]:3268
open [dead:beef::17a]:5985
open [dead:beef::17a]:9389
While dead:beef::d82a:5af8:762a:f639 is not reachable, the scan results show that the other 2 IPv6 addresses aren't hosting anything exclusive compared to the IPv4 counterpart.
dig
┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ dig any EGOTISTICAL-BANK.LOCAL @$IP
; <<>> DiG 9.18.10-2-Debian <<>> any EGOTISTICAL-BANK.LOCAL @10.10.10.175
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4127
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;EGOTISTICAL-BANK.LOCAL. IN ANY
;; ANSWER SECTION:
EGOTISTICAL-BANK.LOCAL. 600 IN A 10.10.10.175
EGOTISTICAL-BANK.LOCAL. 3600 IN NS sauna.EGOTISTICAL-BANK.LOCAL.
EGOTISTICAL-BANK.LOCAL. 3600 IN SOA sauna.EGOTISTICAL-BANK.LOCAL. hostmaster.EGOTISTICAL-BANK.LOCAL. 48 900 600 86400 3600
EGOTISTICAL-BANK.LOCAL. 600 IN AAAA dead:beef::d82a:5af8:762a:f639
;; ADDITIONAL SECTION:
sauna.EGOTISTICAL-BANK.LOCAL. 3600 IN A 10.10.10.175
sauna.EGOTISTICAL-BANK.LOCAL. 3600 IN AAAA dead:beef::64df:5bff:4879:1d8b
sauna.EGOTISTICAL-BANK.LOCAL. 3600 IN AAAA dead:beef::17a
;; Query time: 25 msec
;; SERVER: 10.10.10.175#53(10.10.10.175) (TCP)
;; WHEN: Sat Mar 25 16:39:49 CET 2023
;; MSG SIZE rcvd: 234
While dig also found those 3 additional IPv6 addresses, it didn't find anything new.
dnsenum
┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ dnsenum EGOTISTICAL-BANK.LOCAL --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
dnsenum version:1.2.6
----- egotistical-bank.local -----
host's addresses:
__________________
egotistical-bank.local. 600 IN A 10.10.10.175
name servers:
______________
sauna.egotistical-bank.local. 3600 IN A 10.10.10.175
mail (mx) servers:
___________________
trying zone transfers and getting bind versions:
_________________________________________________
unresolvable name: sauna.egotistical-bank.local at /usr/bin/dnsenum line 900.
Trying Zone Transfer for egotistical-bank.local on sauna.egotistical-bank.local ...
axfr record query failed: no nameservers
brute forcing with /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
gc._msdcs.egotistical-bank.local. 600 IN A 10.10.10.175
domaindnszones.egotistical-bank.local. 600 IN A 10.10.10.175
forestdnszones.egotistical-bank.local. 600 IN A 10.10.10.175
egotistical-bank.local class c netranges:
__________________________________________
performing reverse lookup on 0 ip addresses:
_____________________________________________
0 results out of 0 IP addresses.
egotistical-bank.local ip blocks:
__________________________________
done.
dnsenum hasn’t found anything new
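As an added example (not part of the original writeup), the script below parses the records that dig and dnsenum returned above into a structured summary: the parsed SOA, the name server set, which name owns each AAAA address, and the _msdcs/DomainDnsZones/ForestDnsZones names that mark the server as Active Directory-integrated DNS. The record text is copied from the output above; the AD_MARKERS list is my own assumption about which names are worth flagging.

```python
import ipaddress
from collections import defaultdict

# Resource records copied from the dig ANY answer and the dnsenum brute-force
# results above, in the "name TTL class type rdata" presentation format.
RECORDS = """\
EGOTISTICAL-BANK.LOCAL. 600 IN A 10.10.10.175
EGOTISTICAL-BANK.LOCAL. 3600 IN NS sauna.EGOTISTICAL-BANK.LOCAL.
EGOTISTICAL-BANK.LOCAL. 3600 IN SOA sauna.EGOTISTICAL-BANK.LOCAL. hostmaster.EGOTISTICAL-BANK.LOCAL. 48 900 600 86400 3600
EGOTISTICAL-BANK.LOCAL. 600 IN AAAA dead:beef::d82a:5af8:762a:f639
sauna.EGOTISTICAL-BANK.LOCAL. 3600 IN A 10.10.10.175
sauna.EGOTISTICAL-BANK.LOCAL. 3600 IN AAAA dead:beef::64df:5bff:4879:1d8b
sauna.EGOTISTICAL-BANK.LOCAL. 3600 IN AAAA dead:beef::17a
gc._msdcs.egotistical-bank.local. 600 IN A 10.10.10.175
domaindnszones.egotistical-bank.local. 600 IN A 10.10.10.175
forestdnszones.egotistical-bank.local. 600 IN A 10.10.10.175
"""

# Assumption: name fragments that only an AD-integrated DNS zone publishes.
AD_MARKERS = ("_msdcs.", "domaindnszones.", "forestdnszones.")
SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")

def norm(name):
    """Lower-case and drop the trailing dot so dig's mixed-case names and
    dnsenum's lower-case names compare equal."""
    return name.lower().rstrip(".")

def parse_records(text):
    """Parse presentation-format lines into (name, ttl, rtype, rdata) tuples."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # skip blanks and dig comments
            continue
        name, ttl, _cls, rtype, rdata = line.split(maxsplit=4)
        out.append((norm(name), int(ttl), rtype, rdata))
    return out

def summarize(records):
    """Group what enumeration exposed: addresses per name, NS set, parsed SOA
    and the AD-specific names found by brute force."""
    addrs = defaultdict(lambda: {"A": set(), "AAAA": set()})
    summary = {"ns": set(), "soa": None, "ad_markers": set()}
    for name, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            # ipaddress validates the literal and normalises IPv6 compression
            addrs[name][rtype].add(str(ipaddress.ip_address(rdata)))
        elif rtype == "NS":
            summary["ns"].add(norm(rdata))
        elif rtype == "SOA":
            p = rdata.split()
            summary["soa"] = dict(zip(SOA_FIELDS, [norm(p[0]), norm(p[1]), *map(int, p[2:])]))
        if any(m in name for m in AD_MARKERS):
            summary["ad_markers"].add(name)
    summary["addrs"] = dict(addrs)
    return summary

def ipv6_by_name(summary):
    """Map each AAAA address to its owner: one on the zone apex, two on sauna."""
    return {a: n for n, v in summary["addrs"].items() for a in v["AAAA"]}
```

Run as a script it builds the summary from RECORDS; the apex AAAA is the one the scans above found unreachable, while both sauna addresses answered.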
Moving on