DNS


Nmap discovered a DNS server on the target's port 53; the running service is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/timelapse]
└─$ nslookup
> server dc01.timelapse.htb
Default server: dc01.timelapse.htb
Address: 10.10.11.152#53
> 127.0.0.1
;; communications error to 10.10.11.152#53: timed out
1.0.0.127.in-addr.arpa	name = localhost.
> timelapse.htb
;; communications error to 10.10.11.152#53: timed out
Server:		dc01.timelapse.htb
Address:	10.10.11.152#53
 
Name:	timelapse.htb
Address: 10.10.11.152
Name:	timelapse.htb
Address: dead:beef::cc93:dbe2:8401:964
Name:	timelapse.htb
Address: dead:beef::245
Name:	timelapse.htb
Address: dead:beef::24e
Name:	timelapse.htb
Address: dead:beef::b5c6:f9aa:a6a6:3e26
> dc01.timelapse.htb
;; communications error to 10.10.11.152#53: timed out
Server:		dc01.timelapse.htb
Address:	10.10.11.152#53
 
Name:	dc01.timelapse.htb
Address: 10.10.11.152
Name:	dc01.timelapse.htb
Address: dead:beef::245
Name:	dc01.timelapse.htb
Address: dead:beef::cc93:dbe2:8401:964

There are a few IPv6 addresses associated with both the domain and the target host itself.

dig


┌──(kali㉿kali)-[~/archive/htb/labs/timelapse]
└─$ dig any TIMELAPSE.HTB @$IP 
 
; <<>> DiG 9.18.16-1-Debian <<>> any TIMELAPSE.HTB @10.10.11.152
;; global options: +cmd
;; got answer:
;; ->>header<<- opcode: QUERY, status: NOERROR, id: 34940
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 4
 
;; opt pseudosection:
; edns: version: 0, flags:; udp: 4000
;; question section:
;TIMELAPSE.HTB.			IN	ANY
 
;; answer section:
TIMELAPSE.HTB.		600	IN	A	10.10.11.152
TIMELAPSE.HTB.		3600	IN	NS	dc01.TIMELAPSE.HTB.
TIMELAPSE.HTB.		3600	IN	SOA	dc01.TIMELAPSE.HTB. hostmaster.TIMELAPSE.HTB. 152 900 600 86400 3600
timelapse.htb.		600	in	aaaa	dead:beef::245
timelapse.htb.		600	in	aaaa	dead:beef::24e
timelapse.htb.		600	in	aaaa	dead:beef::b5c6:f9aa:a6a6:3e26
timelapse.htb.		600	in	aaaa	dead:beef::cc93:dbe2:8401:964
 
;; additional section:
dc01.TIMELAPSE.HTB.	3600	IN	A	10.10.11.152
dc01.timelapse.htb.	3600	in	aaaa	dead:beef::245
dc01.timelapse.htb.	3600	in	aaaa	dead:beef::cc93:dbe2:8401:964
 
;; query time: 195 msec
;; server: 10.10.11.152#53(10.10.11.152) (TCP)
;; when: Tue Oct 24 17:07:03 CEST 2023
;; msg size  rcvd: 308

dig returned 4 AAAA records. Those are the same IPv6 addresses found during the reverse lookup:

  • dead:beef::245
  • dead:beef::24e
  • dead:beef::b5c6:f9aa:a6a6:3e26
  • dead:beef::cc93:dbe2:8401:964

IPv6


┌──(kali㉿kali)-[~/archive/htb/labs/timelapse]
└─$ rustscan -a dead:beef::24e -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
 
┌──(kali㉿kali)-[~/archive/htb/labs/timelapse]
└─$ rustscan -a dead:beef::b5c6:f9aa:a6a6:3e26 -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
 
 
┌──(kali㉿kali)-[~/archive/htb/labs/timelapse]
└─$ rustscan -a dead:beef::cc93:dbe2:8401:964 -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open [dead:beef::cc93:dbe2:8401:964]:88
Open [dead:beef::cc93:dbe2:8401:964]:53
Open [dead:beef::cc93:dbe2:8401:964]:135
Open [dead:beef::cc93:dbe2:8401:964]:389
Open [dead:beef::cc93:dbe2:8401:964]:445
Open [dead:beef::cc93:dbe2:8401:964]:464
Open [dead:beef::cc93:dbe2:8401:964]:593
Open [dead:beef::cc93:dbe2:8401:964]:636
Open [dead:beef::cc93:dbe2:8401:964]:3269
Open [dead:beef::cc93:dbe2:8401:964]:3268
Open [dead:beef::cc93:dbe2:8401:964]:5986
Open [dead:beef::cc93:dbe2:8401:964]:9389
 
┌──(kali㉿kali)-[~/archive/htb/labs/timelapse]
└─$ rustscan -a dead:beef::245 -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open [dead:beef::245]:53
Open [dead:beef::245]:88
Open [dead:beef::245]:135
Open [dead:beef::245]:389
Open [dead:beef::245]:464
Open [dead:beef::245]:445
Open [dead:beef::245]:593
Open [dead:beef::245]:636
Open [dead:beef::245]:5986
Open [dead:beef::245]:9389

  • dead:beef::24e: Unreachable. Possible internal NIC
  • dead:beef::b5c6:f9aa:a6a6:3e26: Unreachable. Possible internal NIC
  • dead:beef::cc93:dbe2:8401:964: No additional service found
  • dead:beef::245: No additional service found
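Reading four separate rustscan runs by eye is error-prone, so the following is an added example (not part of the write-up and not rustscan's own code) that parses the "Open [addr]:port" lines, maps every scanned target to its open ports, flags targets that never answered, and lists ports that are absent from a baseline such as the earlier IPv4 scan. The sample output and the TARGETS list are constructed from the scans above; the baseline passed in main() is just the port set of dead:beef::245, used as a stand-in for the IPv4 results, which are not reproduced here.

```python
"""Summarise rustscan output across several IPv6 targets (added example)."""
import ipaddress
import re

# Constructed sample: rustscan banner noise plus the 'Open' lines from the scans above.
SAMPLE_SCANS = """\
Nmap? More like slowmap.
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit.
Open [dead:beef::cc93:dbe2:8401:964]:88
Open [dead:beef::cc93:dbe2:8401:964]:53
Open [dead:beef::cc93:dbe2:8401:964]:135
Open [dead:beef::cc93:dbe2:8401:964]:389
Open [dead:beef::cc93:dbe2:8401:964]:445
Open [dead:beef::cc93:dbe2:8401:964]:464
Open [dead:beef::cc93:dbe2:8401:964]:593
Open [dead:beef::cc93:dbe2:8401:964]:636
Open [dead:beef::cc93:dbe2:8401:964]:3269
Open [dead:beef::cc93:dbe2:8401:964]:3268
Open [dead:beef::cc93:dbe2:8401:964]:5986
Open [dead:beef::cc93:dbe2:8401:964]:9389
Open [dead:beef::245]:53
Open [dead:beef::245]:88
Open [dead:beef::245]:135
Open [dead:beef::245]:389
Open [dead:beef::245]:464
Open [dead:beef::245]:445
Open [dead:beef::245]:593
Open [dead:beef::245]:636
Open [dead:beef::245]:5986
Open [dead:beef::245]:9389
"""

# The four addresses that were scanned (constructed from the AAAA records above).
TARGETS = [
    "dead:beef::24e",
    "dead:beef::b5c6:f9aa:a6a6:3e26",
    "dead:beef::cc93:dbe2:8401:964",
    "dead:beef::245",
]

# rustscan prints IPv6 targets in brackets and IPv4 targets bare.
OPEN_LINE = re.compile(r"^Open (?:\[([^\]]+)\]|(\S+?)):(\d+)$")


def canon(addr):
    """Canonical text form so 'dead:beef:0:0::245' and 'dead:beef::245' compare equal."""
    return str(ipaddress.ip_address(addr))


def summarise(targets, output):
    """Map every scanned target to its sorted open-port list (empty list = nothing answered)."""
    ports = {canon(t): set() for t in targets}
    for line in output.splitlines():
        m = OPEN_LINE.match(line.strip())
        if not m:
            continue  # banner, config and ulimit chatter
        host = canon(m.group(1) or m.group(2))
        ports.setdefault(host, set()).add(int(m.group(3)))
    return {h: sorted(p) for h, p in ports.items()}


def unreachable(summary):
    """Targets that produced no 'Open' line at all: likely not routable from the scanner."""
    return sorted(h for h, p in summary.items() if not p)


def new_services(summary, baseline):
    """Per host, ports that are open here but absent from a baseline port set."""
    base = set(baseline)
    return {h: sorted(set(p) - base) for h, p in summary.items() if set(p) - base}


def main():
    summary = summarise(TARGETS, SAMPLE_SCANS)
    for host, ports in summary.items():
        print(f"{host}: {ports or 'unreachable'}")
    print("unreachable:", unreachable(summary))
    # Stand-in baseline (constructed): the port set of dead:beef::245.
    print("not in baseline:", new_services(summary, summary["dead:beef::245"]))


if __name__ == "__main__":
    main()
```

Keying hosts through ipaddress.ip_address() matters because rustscan echoes whatever spelling you passed on the command line; without canonicalisation the same interface can show up twice when one scan used a zero-padded form.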

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/timelapse]
└─$ dnsenum TIMELAPSE.HTB --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt 
dnsenum version:1.2.6
 
-----   timelapse.htb   -----
 
 
host's addresses:
__________________
 
timelapse.htb.                           600      IN    A        10.10.11.152
 
 
name servers:
______________
 
dc01.timelapse.htb.                      3600     IN    A        10.10.11.152
 
 
mail (mx) servers:
___________________
 
 
 
trying zone transfers and getting bind versions:
_________________________________________________
 
unresolvable name: dc01.timelapse.htb at /usr/bin/dnsenum line 900.
 
Trying Zone Transfer for timelapse.htb on dc01.timelapse.htb ... 
axfr record query failed: no nameservers
 
 
brute forcing with /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-20000.txt:
_________________________________________________________________________________________________
 
gc._msdcs.timelapse.htb.                 600      IN    A        10.10.11.152
domaindnszones.timelapse.htb.            600      IN    A        172.16.25.152
domaindnszones.timelapse.htb.            600      IN    A        10.10.11.152
forestdnszones.timelapse.htb.            600      IN    A        10.10.11.152
   
 
timelapse.htb class c netranges:
_________________________________
 
 
 
performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
timelapse.htb ip blocks:
_________________________
 
 
done.

Nothing new was found. The zone transfer attempt failed, and the brute force only turned up the built-in Active Directory zones (gc._msdcs, domaindnszones, forestdnszones); the one detail worth noting is that domaindnszones also resolves to 172.16.25.152, an address outside the lab range.