DNS


Nmap discovered a DNS server on the target's port 53. The running service is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ nslookup            
> server 10.10.11.129
Default server: 10.10.11.129
Address: 10.10.11.129#53
 
 
> 127.0.0.1
1.0.0.127.in-addr.arpa	name = localhost.
 
 
> search.htb
Server:		10.10.11.129
Address:	10.10.11.129#53
 
Name:	search.htb
Address: 10.10.11.129
Name:	search.htb
Address: dead:beef::250
 
 
> research.search.htb
Server:		10.10.11.129
Address:	10.10.11.129#53
 
Name:	research.search.htb
Address: 10.10.11.129
Name:	research.search.htb
Address: dead:beef::7483:bfdd:785f:d63e
Name:	research.search.htb
Address: dead:beef::24e

Three AAAA (IPv6) records associated with the target domain are revealed:

  • dead:beef::250
  • dead:beef::7483:bfdd:785f:d63e
  • dead:beef::24e

AAAA (IPv6) Records


┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ rustscan -a dead:beef::7483:bfdd:785f:d63e -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
please contribute more quotes to our github https://github.com/rustscan/rustscan
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open [dead:beef::7483:bfdd:785f:d63e]:53
open [dead:beef::7483:bfdd:785f:d63e]:80
open [dead:beef::7483:bfdd:785f:d63e]:88
open [dead:beef::7483:bfdd:785f:d63e]:135
open [dead:beef::7483:bfdd:785f:d63e]:445
open [dead:beef::7483:bfdd:785f:d63e]:443
open [dead:beef::7483:bfdd:785f:d63e]:464
open [dead:beef::7483:bfdd:785f:d63e]:593
open [dead:beef::7483:bfdd:785f:d63e]:3268
open [dead:beef::7483:bfdd:785f:d63e]:3269
open [dead:beef::7483:bfdd:785f:d63e]:8172
open [dead:beef::7483:bfdd:785f:d63e]:9389
 
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ rustscan -a dead:beef::24e -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open [dead:beef::24e]:53
open [dead:beef::24e]:80
open [dead:beef::24e]:88
open [dead:beef::24e]:135
open [dead:beef::24e]:443
open [dead:beef::24e]:445
open [dead:beef::24e]:464
open [dead:beef::24e]:593
open [dead:beef::24e]:3269
open [dead:beef::24e]:3268
open [dead:beef::24e]:8172
open [dead:beef::24e]:9389

The services on both the dead:beef::7483:bfdd:785f:d63e and dead:beef::24e hosts are the same ones already available on the IPv4 address.

dead:beef::250


┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ rustscan -a dead:beef::250 -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open [dead:beef::250]:53
Open [dead:beef::250]:88
Open [dead:beef::250]:135
Open [dead:beef::250]:389
Open [dead:beef::250]:445
Open [dead:beef::250]:443
Open [dead:beef::250]:464
Open [dead:beef::250]:593
Open [dead:beef::250]:636
Open [dead:beef::250]:1801
Open [dead:beef::250]:2103
Open [dead:beef::250]:2105
Open [dead:beef::250]:2107
Open [dead:beef::250]:2179
Open [dead:beef::250]:3268
Open [dead:beef::250]:3269
Open [dead:beef::250]:3389
Open [dead:beef::250]:6406
Open [dead:beef::250]:6404
Open [dead:beef::250]:6410
Open [dead:beef::250]:6407
Open [dead:beef::250]:6616
Open [dead:beef::250]:6642
Open [dead:beef::250]:9389
Open [dead:beef::250]:19126

The dead:beef::250 host, on the other hand, is rather unique in that it's hosting a lot more services that were never seen before. I'll look more into this. (It turns out HTB has a network issue that allowed me to connect to another VM instance. For that reason, I will be disregarding this finding.)

dig


┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ dig any SEARCH.HTB @$IP         
 
; <<>> DiG 9.19.17-2~kali1-Kali <<>> any SEARCH.HTB @10.10.11.129
;; global options: +cmd
;; got answer:
;; ->>header<<- opcode: QUERY, status: NOERROR, id: 11582
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
 
;; opt pseudosection:
; edns: version: 0, flags:; udp: 4000
;; question section:
;SEARCH.HTB.			IN	ANY
 
;; answer section:
SEARCH.HTB.		600	IN	A	10.10.11.129
SEARCH.HTB.		3600	IN	NS	research.SEARCH.HTB.
SEARCH.HTB.		3600	IN	SOA	research.SEARCH.HTB. hostmaster.SEARCH.HTB. 436 900 600 86400 3600
search.htb.		600	in	aaaa	dead:beef::250
 
;; additional section:
research.SEARCH.HTB.	3600	IN	A	10.10.11.129
research.search.htb.	3600	in	aaaa	dead:beef::24e
research.search.htb.	3600	in	aaaa	dead:beef::7483:bfdd:785f:d63e
 
;; query time: 28 msec
;; server: 10.10.11.129#53(10.10.11.129) (TCP)
;; when: Mon Jan 29 12:47:37 CET 2024
;; msg size  rcvd: 225

dig also reveals the same three AAAA records:

  • dead:beef::250
  • dead:beef::7483:bfdd:785f:d63e
  • dead:beef::24e

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ dnsenum SEARCH.HTB --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16         
dnsenum VERSION:1.2.6
 
-----   search.htb   -----
 
 
Host's addresses:
__________________
 
search.htb.                              600      IN    A        10.10.11.129
 
 
Name Servers:
______________
 
research.search.htb.                     3600     IN    A        10.10.11.129
 
 
Mail (MX) Servers:
___________________
 
 
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
 
unresolvable name: research.search.htb at /usr/bin/dnsenum line 900 thread 1.
 
Trying Zone Transfer for search.htb on research.search.htb ... 
AXFR record query failed: no nameservers
 
 
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt:
__________________________________________________________________________________________________
 
portal.search.htb.                       1200     IN    A        10.10.11.11
research.search.htb.                     3600     IN    A        10.10.11.129
gc._msdcs.search.htb.                    600      IN    A        10.10.11.129
domaindnszones.search.htb.               600      IN    A        10.10.11.129
forestdnszones.search.htb.               600      IN    A        10.10.11.129
 
 
search.htb class C netranges:
______________________________
 
 
 
Performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
search.htb ip blocks:
______________________
 
 
done.

dnsenum finds an additional A record, portal.search.htb, with an IP address of 10.10.11.11.

portal.search.htb


┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ ping 10.10.11.11 -c 1
PING 10.10.11.11 (10.10.11.11) 56(84) bytes of data.
From 10.10.14.1 icmp_seq=1 Destination Host Unreachable
 
--- 10.10.11.11 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

Unable to reach the 10.10.11.11 host.

dnsrecon


┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ dnsrecon -d SEARCH.HTB -n $IP -D /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16    
[*] std: Performing General Enumeration against: SEARCH.HTB...
[-] DNSSEC is not configured for SEARCH.HTB
[*] 	 SOA research.SEARCH.HTB 10.10.11.129
[*] 	 SOA research.SEARCH.HTB dead:beef::7483:bfdd:785f:d63e
[*] 	 SOA research.SEARCH.HTB dead:beef::24e
[*] 	 NS research.SEARCH.HTB 10.10.11.129
[*] 	 NS research.SEARCH.HTB dead:beef::7483:bfdd:785f:d63e
[*] 	 NS research.SEARCH.HTB dead:beef::24e
[*] 	 A SEARCH.HTB 10.10.11.129
[*] 	 AAAA SEARCH.HTB dead:beef::250
[*] Enumerating SRV Records
[+] 	 SRV _ldap._tcp.SEARCH.HTB research.search.htb 10.10.11.129 389
[+] 	 SRV _ldap._tcp.SEARCH.HTB research.search.htb dead:beef::24e 389
[+] 	 SRV _ldap._tcp.SEARCH.HTB research.search.htb dead:beef::7483:bfdd:785f:d63e 389
[+] 	 SRV _kerberos._udp.SEARCH.HTB research.search.htb 10.10.11.129 88
[+] 	 SRV _kerberos._udp.SEARCH.HTB research.search.htb dead:beef::7483:bfdd:785f:d63e 88
[+] 	 SRV _kerberos._udp.SEARCH.HTB research.search.htb dead:beef::24e 88
[+] 	 SRV _kerberos._tcp.SEARCH.HTB research.search.htb 10.10.11.129 88
[+] 	 SRV _kerberos._tcp.SEARCH.HTB research.search.htb dead:beef::24e 88
[+] 	 SRV _kerberos._tcp.SEARCH.HTB research.search.htb dead:beef::7483:bfdd:785f:d63e 88
[+] 	 SRV _gc._tcp.SEARCH.HTB research.search.htb 10.10.11.129 3268
[+] 	 SRV _gc._tcp.SEARCH.HTB research.search.htb dead:beef::7483:bfdd:785f:d63e 3268
[+] 	 SRV _gc._tcp.SEARCH.HTB research.search.htb dead:beef::24e 3268
[+] 	 SRV _ldap._tcp.ForestDNSZones.SEARCH.HTB research.search.htb 10.10.11.129 389
[+] 	 SRV _ldap._tcp.ForestDNSZones.SEARCH.HTB research.search.htb dead:beef::7483:bfdd:785f:d63e 389
[+] 	 SRV _ldap._tcp.ForestDNSZones.SEARCH.HTB research.search.htb dead:beef::24e 389
[+] 	 SRV _kpasswd._tcp.SEARCH.HTB research.search.htb 10.10.11.129 464
[+] 	 SRV _kpasswd._tcp.SEARCH.HTB research.search.htb dead:beef::24e 464
[+] 	 SRV _kpasswd._tcp.SEARCH.HTB research.search.htb dead:beef::7483:bfdd:785f:d63e 464
[+] 	 SRV _kpasswd._udp.SEARCH.HTB research.search.htb 10.10.11.129 464
[+] 	 SRV _kpasswd._udp.SEARCH.HTB research.search.htb dead:beef::24e 464
[+] 	 SRV _kpasswd._udp.SEARCH.HTB research.search.htb dead:beef::7483:bfdd:785f:d63e 464
[+] 	 SRV _ldap._tcp.gc._msdcs.SEARCH.HTB research.search.htb 10.10.11.129 3268
[+] 	 SRV _ldap._tcp.gc._msdcs.SEARCH.HTB research.search.htb dead:beef::7483:bfdd:785f:d63e 3268
[+] 	 SRV _ldap._tcp.gc._msdcs.SEARCH.HTB research.search.htb dead:beef::24e 3268
[+] 	 SRV _ldap._tcp.pdc._msdcs.SEARCH.HTB research.search.htb 10.10.11.129 389
[+] 	 SRV _ldap._tcp.pdc._msdcs.SEARCH.HTB research.search.htb dead:beef::7483:bfdd:785f:d63e 389
[+] 	 SRV _ldap._tcp.pdc._msdcs.SEARCH.HTB research.search.htb dead:beef::24e 389
[+] 	 SRV _ldap._tcp.dc._msdcs.SEARCH.HTB research.search.htb 10.10.11.129 389
[+] 	 SRV _ldap._tcp.dc._msdcs.SEARCH.HTB research.search.htb dead:beef::7483:bfdd:785f:d63e 389
[+] 	 SRV _ldap._tcp.dc._msdcs.SEARCH.HTB research.search.htb dead:beef::24e 389
[+] 	 SRV _kerberos._tcp.dc._msdcs.SEARCH.HTB research.search.htb 10.10.11.129 88
[+] 	 SRV _kerberos._tcp.dc._msdcs.SEARCH.HTB research.search.htb dead:beef::24e 88
[+] 	 SRV _kerberos._tcp.dc._msdcs.SEARCH.HTB research.search.htb dead:beef::7483:bfdd:785f:d63e 88
[+] 33 Records Found
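The dig and dnsrecon sections above list the same facts in two formats: which names carry A and AAAA records, and which host the `_msdcs` SRV records point at for LDAP, Kerberos, Global Catalog and kpasswd. The script below is an added example, not part of the original write-up, that parses records in dig's presentation format into a per-host address inventory and a per-host list of advertised domain-controller roles, and flags any host published only over IPv6 (the case an IPv4-only allow-list or firewall rule silently misses). The sample lines are constructed from the output shown on the page; the SRV priority and weight values (0 100) are assumed, since the page only shows target and port.

```python
"""Summarize what an AD-integrated DNS zone exposes, from records in dig's
presentation format: per-host A/AAAA addresses, domain-controller service
roles advertised via SRV, and hosts reachable only over IPv6.
Added example; sample data is constructed from the write-up."""

from collections import defaultdict

# Constructed sample: the A/AAAA/NS/SOA lines from the dig ANY answer plus
# SRV records in presentation format (priority/weight 0 100 are assumed;
# the write-up only shows target host and port).
SAMPLE = """\
SEARCH.HTB.       600   IN  A     10.10.11.129
SEARCH.HTB.       3600  IN  NS    research.SEARCH.HTB.
SEARCH.HTB.       3600  IN  SOA   research.SEARCH.HTB. hostmaster.SEARCH.HTB. 436 900 600 86400 3600
search.htb.       600   in  aaaa  dead:beef::250
research.SEARCH.HTB.    3600  IN  A     10.10.11.129
research.search.htb.    3600  in  aaaa  dead:beef::24e
research.search.htb.    3600  in  aaaa  dead:beef::7483:bfdd:785f:d63e
_ldap._tcp.dc._msdcs.search.htb.      600  IN  SRV  0 100 389  research.search.htb.
_kerberos._tcp.dc._msdcs.search.htb.  600  IN  SRV  0 100 88   research.search.htb.
_gc._tcp.search.htb.                  600  IN  SRV  0 100 3268 research.search.htb.
_kpasswd._tcp.search.htb.             600  IN  SRV  0 100 464  research.search.htb.
"""

# Service label -> human-readable DC role (standard AD SRV names).
SRV_ROLES = {
    "_ldap": "LDAP",
    "_kerberos": "Kerberos KDC",
    "_gc": "Global Catalog",
    "_kpasswd": "Kerberos password change",
}


def parse_records(text):
    """Return a list of (owner, ttl, rtype, rdata_fields) tuples.
    Owner names and types are lowercased/uppercased because DNS names and
    types are case-insensitive (dig itself prints mixed case, as the
    write-up shows). Comment lines and anything not shaped like
    'owner ttl IN type rdata...' are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner = fields[0].lower().rstrip(".")
        records.append((owner, int(fields[1]), fields[3].upper(), fields[4:]))
    return records


def host_inventory(records):
    """Map each hostname to the set of A and AAAA addresses it resolves to."""
    inv = defaultdict(lambda: {"A": set(), "AAAA": set()})
    for owner, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            inv[owner][rtype].add(rdata[0].lower())
    return dict(inv)


def dc_roles(records):
    """Map each SRV target host to the set of (role, port) it advertises.
    SRV rdata in presentation format is: priority weight port target."""
    roles = defaultdict(set)
    for owner, _ttl, rtype, rdata in records:
        if rtype != "SRV":
            continue
        service = owner.split(".")[0]          # e.g. '_ldap'
        port = int(rdata[2])
        target = rdata[3].lower().rstrip(".")
        roles[target].add((SRV_ROLES.get(service, service), port))
    return dict(roles)


def ipv6_only_hosts(inventory):
    """Hosts that have AAAA records but no A record: exactly the ones an
    IPv4-only firewall rule or allow-list would fail to cover."""
    return sorted(h for h, addrs in inventory.items()
                  if addrs["AAAA"] and not addrs["A"])


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    inv = host_inventory(recs)
    for host, addrs in sorted(inv.items()):
        print(f"{host}: A={sorted(addrs['A'])} AAAA={sorted(addrs['AAAA'])}")
    for host, roles in sorted(dc_roles(recs).items()):
        print(f"{host} advertises: {sorted(roles)}")
    print("IPv6-only hosts:", ipv6_only_hosts(inv))
```

For this zone the script reports that research.search.htb carries one A record and two AAAA records and advertises all four DC roles, and that no host is IPv6-only, which matches the observation above that the IPv6 hosts expose the same services as 10.10.11.129. The same parser works on dig output for any zone; it ignores the `;;` header and section lines, so the answer and additional sections can be pasted in unedited.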