DNS


Nmap discovered a DNS server on the target port 53. The running service is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ nslookup                                                                                 
> server 10.10.11.168
Default server: 10.10.11.168
Address: 10.10.11.168#53
> 127.0.0.1
1.0.0.127.in-addr.arpa	name = localhost.
 
> dc1.scrm.local
Server:		10.10.11.168
Address:	10.10.11.168#53
 
Name:	dc1.scrm.local
Address: 10.10.11.168
Name:	dc1.scrm.local
Address: dead:beef::20f6:93ed:1dea:420a
Name:	dc1.scrm.local
Address: dead:beef::242
 
> scrm.local
Server:		10.10.11.168
Address:	10.10.11.168#53
 
Name:	scrm.local
Address: 10.10.11.168
Name:	scrm.local
Address: dead:beef::242
Name:	scrm.local
Address: dead:beef::20f6:93ed:1dea:420a

Looking up dc1.scrm.local and scrm.local with nslookup against the target nameserver returned 2 additional IPv6 addresses:

  • dead:beef::20f6:93ed:1dea:420a
  • dead:beef::242

IPv6


┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ rustscan -a dead:beef::20f6:93ed:1dea:420a -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open [dead:beef::20f6:93ed:1dea:420a]:53
open [dead:beef::20f6:93ed:1dea:420a]:80
open [dead:beef::20f6:93ed:1dea:420a]:88
open [dead:beef::20f6:93ed:1dea:420a]:135
open [dead:beef::20f6:93ed:1dea:420a]:389
open [dead:beef::20f6:93ed:1dea:420a]:445
open [dead:beef::20f6:93ed:1dea:420a]:464
open [dead:beef::20f6:93ed:1dea:420a]:593
open [dead:beef::20f6:93ed:1dea:420a]:636
open [dead:beef::20f6:93ed:1dea:420a]:1433
open [dead:beef::20f6:93ed:1dea:420a]:3268
open [dead:beef::20f6:93ed:1dea:420a]:3269
open [dead:beef::20f6:93ed:1dea:420a]:5985
open [dead:beef::20f6:93ed:1dea:420a]:9389
 
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ rustscan -a dead:beef::242 -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open [dead:beef::242]:53
open [dead:beef::242]:80
open [dead:beef::242]:88
open [dead:beef::242]:135
open [dead:beef::242]:389
open [dead:beef::242]:445
open [dead:beef::242]:464
open [dead:beef::242]:593
open [dead:beef::242]:636
open [dead:beef::242]:1433
open [dead:beef::242]:3269
open [dead:beef::242]:3268
open [dead:beef::242]:5985
open [dead:beef::242]:9389

No additional services were found over IPv6; both addresses expose the same set of ports.

dig


┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ dig any SCRM.LOCAL @$IP
 
; <<>> DiG 9.19.17-1-Debian <<>> any SCRM.LOCAL @10.10.11.168
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 420
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 4
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;SCRM.LOCAL.			IN	ANY
 
;; ANSWER SECTION:
SCRM.LOCAL.		600	IN	A	10.10.11.168
SCRM.LOCAL.		3600	IN	NS	dc1.SCRM.LOCAL.
SCRM.LOCAL.		3600	IN	SOA	dc1.SCRM.LOCAL. hostmaster.SCRM.LOCAL. 153 900 600 86400 3600
SCRM.LOCAL.		600	IN	AAAA	dead:beef::20f6:93ed:1dea:420a
SCRM.LOCAL.		600	IN	AAAA	dead:beef::242
 
;; ADDITIONAL SECTION:
dc1.SCRM.LOCAL.		3600	IN	A	10.10.11.168
dc1.SCRM.LOCAL.		3600	IN	AAAA	dead:beef::20f6:93ed:1dea:420a
dc1.SCRM.LOCAL.		3600	IN	AAAA	dead:beef::242
 
;; Query time: 172 msec
;; SERVER: 10.10.11.168#53(10.10.11.168) (TCP)
;; WHEN: Fri Nov 17 20:19:03 CET 2023
;; MSG SIZE  rcvd: 248

dig also returns the same 2 AAAA records, along with the NS and SOA records for the zone.

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ dnsenum SCRM.LOCAL --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
dnsenum version:1.2.6
 
-----   scrm.local   -----
 
 
host's addresses:
__________________
 
scrm.local.                              600      IN    A        10.10.11.168
 
 
name servers:
______________
 
dc1.scrm.local.                          3600     IN    A        10.10.11.168
 
 
mail (mx) servers:
___________________
 
 
 
trying zone transfers and getting bind versions:
_________________________________________________
 
unresolvable name: dc1.scrm.local at /usr/bin/dnsenum line 900.
 
Trying Zone Transfer for scrm.local on dc1.scrm.local ... 
axfr record query failed: no nameservers
 
 
brute forcing with /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-5000.txt:
________________________________________________________________________________________________
 
gc._msdcs.scrm.local.                    600      IN    A        10.10.11.168
domaindnszones.scrm.local.               600      IN    A        10.10.11.168
forestdnszones.scrm.local.               600      IN    A        10.10.11.168
dc1.scrm.local.                          3600     IN    A        10.10.11.168
 
 
scrm.local class c netranges:
______________________________
 
 
 
performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
scrm.local ip blocks:
______________________
 
 
done.
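Added example, not code from the writeup or from any of the tools shown: a stdlib-only Python client that builds the same kind of query nslookup and dig send, parses a reply (A, AAAA, NS and SOA records, including name compression), and runs a dnsenum-style wordlist check through a pluggable resolver. The bytes returned by sample_any_response() are constructed to mirror the dig ANY output above and are not captured traffic; query(), brute_force(), rr() and the other names are this example's own.

```python
# Added example: minimal stdlib DNS client (not code from the writeup or from the tools it shows)
import ipaddress
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "ANY": 255}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}

def encode_name(name):
    """Dotted name -> length-prefixed labels, root-terminated."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Standard query with RD set, the same shape nslookup and dig send."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)

def read_name(msg, off):
    """Read a (possibly compressed) name; returns (name, offset just past it on the wire)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # 2-byte compression pointer
            end = end if end is not None else off + 2     # the first pointer ends the name on the wire
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", end if end is not None else off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_rdata(msg, rtype, off, rdlen):
    """Decode the record types seen in the dig output; anything else comes back as hex."""
    if rtype in (1, 28):                                  # A / AAAA: 4 or 16 packed bytes
        return str(ipaddress.ip_address(msg[off:off + rdlen]))
    if rtype == 2:                                        # NS: a (compressible) name
        return read_name(msg, off)[0]
    if rtype == 6:                                        # SOA: two names + five 32-bit fields
        mname, off = read_name(msg, off)
        rname, off = read_name(msg, off)
        fields = struct.unpack("!IIIII", msg[off:off + 20])  # serial refresh retry expire minimum
        return " ".join([mname, rname] + [str(f) for f in fields])
    return msg[off:off + rdlen].hex()

def parse_response(msg):
    """Returns (rcode, truncated, [(section, name, type, ttl, rdata), ...])."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, truncated = flags & 0x000F, bool(flags & 0x0200)  # TC set means the UDP reply was cut short
    off = 12
    for _ in range(qd):                                       # skip the echoed question
        off = read_name(msg, off)[1] + 4
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, name, TYPE_NAMES.get(rtype, str(rtype)), ttl,
                            parse_rdata(msg, rtype, off, rdlen)))
            off += rdlen
    return rcode, truncated, records

def query(server, name, qtype, timeout=2.0):
    """Send one UDP query to server (IPv4 or IPv6 literal) and parse the reply."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

def brute_force(domain, words, resolve):
    """dnsenum-style wordlist check; resolve(fqdn, qtype) returns what parse_response returns."""
    found = {}
    for fqdn in (f"{w}.{domain}" for w in words):
        rcode, _, records = resolve(fqdn, "A")              # rcode 3 = NXDOMAIN, the name does not exist
        addrs = [r[4] for r in records if r[0] == "answer" and r[2] == "A"]
        if rcode == 0 and addrs:
            found[fqdn] = addrs
    return found

def rr(name, rtype, ttl, rdata):
    return name + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def sample_any_response():
    """CONSTRUCTED reply mirroring the dig ANY output above; not captured bytes."""
    zone = b"\xc0\x0c"                                    # pointer to "scrm.local" in the question
    dc1 = b"\x03dc1" + zone                               # "dc1.scrm.local" via compression
    soa = dc1 + b"\x0ahostmaster" + zone + struct.pack("!IIIII", 153, 900, 600, 86400, 3600)
    head = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 5, 0, 1)  # qr aa rd ra; 5 answers, 1 additional
    question = encode_name("scrm.local") + struct.pack("!HH", QTYPES["ANY"], 1)
    return (head + question
            + rr(zone, 1, 600, ipaddress.IPv4Address("10.10.11.168").packed)
            + rr(zone, 2, 3600, dc1)
            + rr(zone, 6, 3600, soa)
            + rr(zone, 28, 600, ipaddress.IPv6Address("dead:beef::20f6:93ed:1dea:420a").packed)
            + rr(zone, 28, 600, ipaddress.IPv6Address("dead:beef::242").packed)
            + rr(dc1, 1, 3600, ipaddress.IPv4Address("10.10.11.168").packed))
```

Offline, parse_response(sample_any_response()) yields the same A, NS, SOA and two AAAA records dig printed; against a live resolver, query("10.10.11.168", "scrm.local", "ANY") does the real exchange, and brute_force("scrm.local", words, lambda n, t: query("10.10.11.168", n, t)) reproduces the dnsenum wordlist pass. The truncated flag is worth checking before trusting an ANY reply: a server that sets TC has dropped records from the UDP answer and the query should be repeated over TCP.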