DNS


Nmap discovered a DNS server on the target's port 53. The running service is Simple DNS Plus.

Reverse Lookup


┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ nslookup
> server 10.129.37.136
Default server: 10.129.37.136
Address: 10.129.37.136#53
> 127.0.0.1
1.0.0.127.in-addr.arpa	name = localhost.
> university.htb
Server:		10.129.37.136
Address:	10.129.37.136#53
 
Name:	university.htb
Address: 192.168.99.1
Name:	university.htb
Address: 10.129.37.136
Name:	university.htb
Address: dead:beef::3e18:ee7b:7895:ed0e
 
> dc.university.htb
Server:		10.129.37.136
Address:	10.129.37.136#53
 
Name:	dc.university.htb
Address: 192.168.99.1
Name:	dc.university.htb
Address: 10.129.37.136
Name:	dc.university.htb
Address: dead:beef::3e18:ee7b:7895:ed0e

Querying for the domain name returned a private IP address, 192.168.99.1, and an IPv6 address, dead:beef::3e18:ee7b:7895:ed0e

Testing for dc.university.htb returned positive

The /etc/hosts file on Kali has been updated for local DNS resolution

dig


┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ dig any UNIVERSITY.HTB @$IP
; <<>> DiG 9.20.2-1-Debian <<>> any UNIVERSITY.HTB @10.129.37.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29574
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 4
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;UNIVERSITY.HTB.			IN	ANY
 
;; ANSWER SECTION:
UNIVERSITY.HTB.		600	IN	A	10.129.37.136
UNIVERSITY.HTB.		600	IN	A	192.168.99.1
UNIVERSITY.HTB.		3600	IN	NS	dc.UNIVERSITY.HTB.
UNIVERSITY.HTB.		3600	IN	SOA	dc.UNIVERSITY.HTB. hostmaster.UNIVERSITY.HTB. 686 900 600 86400 3600
UNIVERSITY.HTB.		600	IN	AAAA	dead:beef::3e18:ee7b:7895:ed0e
 
;; ADDITIONAL SECTION:
dc.UNIVERSITY.HTB.	1200	IN	A	10.129.37.136
dc.UNIVERSITY.HTB.	1200	IN	A	192.168.99.1
dc.UNIVERSITY.HTB.	1200	IN	AAAA	dead:beef::3e18:ee7b:7895:ed0e
 
;; Query time: 19 msec
;; SERVER: 10.129.37.136#53(10.129.37.136) (TCP)
;; WHEN: Sat Oct 26 21:16:23 CEST 2024
;; MSG SIZE  rcvd: 227

dig also finds the FQDN of the target system, dc.university.htb, along with the internal private IP address and the IPv6 address
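
The observation above, that the answers carry an address outside the network the server was queried on, can be turned into a repeatable audit check. This is an added example, not part of the original notes: the records are copied from the dig output above, while the expected networks (10.129.0.0/16 and dead:beef::/64) and the function names are assumptions chosen for illustration.

```python
import ipaddress

# Records copied from the dig output above (ANSWER and ADDITIONAL sections).
DIG_RECORDS = """
UNIVERSITY.HTB.     600   IN  A     10.129.37.136
UNIVERSITY.HTB.     600   IN  A     192.168.99.1
UNIVERSITY.HTB.     3600  IN  NS    dc.UNIVERSITY.HTB.
UNIVERSITY.HTB.     3600  IN  SOA   dc.UNIVERSITY.HTB. hostmaster.UNIVERSITY.HTB. 686 900 600 86400 3600
UNIVERSITY.HTB.     600   IN  AAAA  dead:beef::3e18:ee7b:7895:ed0e
dc.UNIVERSITY.HTB.  1200  IN  A     10.129.37.136
dc.UNIVERSITY.HTB.  1200  IN  A     192.168.99.1
dc.UNIVERSITY.HTB.  1200  IN  AAAA  dead:beef::3e18:ee7b:7895:ed0e
"""

# Assumption: the only networks this server is expected to publish addresses for.
EXPECTED_NETS = [ipaddress.ip_network("10.129.0.0/16"),
                 ipaddress.ip_network("dead:beef::/64")]


def parse_records(text):
    """Yield (owner, rtype, rdata) from dig-style lines; skip comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)  # rdata may itself contain spaces (SOA)
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner, _ttl, _cls, rtype, rdata = fields
        yield owner.rstrip(".").lower(), rtype.upper(), rdata.strip()


def unexpected_addresses(text, expected_nets):
    """Map each owner name to its A/AAAA addresses outside every expected network."""
    findings = {}
    for owner, rtype, rdata in parse_records(text):
        if rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue  # malformed rdata is skipped rather than aborting the audit
        if not any(addr in net for net in expected_nets):
            findings.setdefault(owner, []).append(str(addr))
    return findings


if __name__ == "__main__":
    for name, addrs in unexpected_addresses(DIG_RECORDS, EXPECTED_NETS).items():
        print(f"{name}: unexpected address(es) {', '.join(addrs)}")
```

Run against a zone an administrator owns, any name it reports is publishing an interface address that the queried network was not meant to see.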

dnsenum


┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ dnsenum UNIVERSITY.HTB --dnsserver $IP -f /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16
dnsenum VERSION:1.3.1
 
-----   university.htb   -----
 
 
Host's addresses:
__________________
 
university.htb.                          600      IN    A        10.129.37.136
university.htb.                          600      IN    A        192.168.99.1
 
 
Name Servers:
______________
 
dc.university.htb.                       1200     IN    A        192.168.99.1
dc.university.htb.                       1200     IN    A        10.129.37.136
 
 
Mail (MX) Servers:
___________________
 
 
 
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
 
unresolvable name: dc.university.htb at /usr/bin/dnsenum line 892 thread 1.
 
Trying Zone Transfer for university.htb on dc.university.htb ... 
AXFR record query failed: no nameservers
 
 
Brute forcing with /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt:
__________________________________________________________________________________________________
 
dc.university.htb.                       1200     IN    A        10.129.37.136
dc.university.htb.                       1200     IN    A        192.168.99.1
gc._msdcs.university.htb.                600      IN    A        192.168.99.1
gc._msdcs.university.htb.                600      IN    A        10.129.37.136
domaindnszones.university.htb.           600      IN    A        192.168.99.1
domaindnszones.university.htb.           600      IN    A        10.129.37.136
forestdnszones.university.htb.           600      IN    A        192.168.99.1
forestdnszones.university.htb.           600      IN    A        10.129.37.136
 
 
university.htb class C netranges:
__________________________________
 
 
 
Performing reverse lookup on 0 ip addresses:
_____________________________________________
 
 
0 results out of 0 IP addresses.
 
 
university.htb ip blocks:
__________________________
 
 
done.

Interestingly, both the domain name and the FQDN of the target system are configured to have A records. It's likely due to the web server.

dnsrecon


┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ dnsrecon -d UNIVERSITY.HTB -n $IP -D /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 16
[*] std: Performing General Enumeration against: UNIVERSITY.HTB...
[-] DNSSEC is not configured for UNIVERSITY.HTB
[*] 	 SOA dc.UNIVERSITY.HTB 10.129.37.136
[*] 	 SOA dc.UNIVERSITY.HTB 192.168.99.1
[*] 	 SOA dc.UNIVERSITY.HTB dead:beef::3e18:ee7b:7895:ed0e
[*] 	 NS dc.UNIVERSITY.HTB 10.129.37.136
[*] 	 NS dc.UNIVERSITY.HTB 192.168.99.1
[*] 	 NS dc.UNIVERSITY.HTB dead:beef::3e18:ee7b:7895:ed0e
[*] 	 A UNIVERSITY.HTB 192.168.99.1
[*] 	 A UNIVERSITY.HTB 10.129.37.136
[*] 	 AAAA UNIVERSITY.HTB dead:beef::3e18:ee7b:7895:ed0e
[*] Enumerating SRV Records
[+] 	 SRV _gc._tcp.UNIVERSITY.HTB dc.university.htb 192.168.99.1 3268
[+] 	 SRV _gc._tcp.UNIVERSITY.HTB dc.university.htb 10.129.37.136 3268
[+] 	 SRV _gc._tcp.UNIVERSITY.HTB dc.university.htb dead:beef::3e18:ee7b:7895:ed0e 3268
[+] 	 SRV _kerberos._udp.UNIVERSITY.HTB dc.university.htb 10.129.37.136 88
[+] 	 SRV _kerberos._udp.UNIVERSITY.HTB dc.university.htb 192.168.99.1 88
[+] 	 SRV _kerberos._udp.UNIVERSITY.HTB dc.university.htb dead:beef::3e18:ee7b:7895:ed0e 88
[+] 	 SRV _kerberos._tcp.UNIVERSITY.HTB dc.university.htb 192.168.99.1 88
[+] 	 SRV _kerberos._tcp.UNIVERSITY.HTB dc.university.htb 10.129.37.136 88
[+] 	 SRV _kerberos._tcp.UNIVERSITY.HTB dc.university.htb dead:beef::3e18:ee7b:7895:ed0e 88
[+] 	 SRV _ldap._tcp.UNIVERSITY.HTB dc.university.htb 10.129.37.136 389
[+] 	 SRV _ldap._tcp.UNIVERSITY.HTB dc.university.htb 192.168.99.1 389
[+] 	 SRV _ldap._tcp.UNIVERSITY.HTB dc.university.htb dead:beef::3e18:ee7b:7895:ed0e 389
[+] 	 SRV _ldap._tcp.dc._msdcs.UNIVERSITY.HTB dc.university.htb 10.129.37.136 389
[+] 	 SRV _ldap._tcp.dc._msdcs.UNIVERSITY.HTB dc.university.htb 192.168.99.1 389
[+] 	 SRV _ldap._tcp.dc._msdcs.UNIVERSITY.HTB dc.university.htb dead:beef::3e18:ee7b:7895:ed0e 389
[+] 	 SRV _ldap._tcp.ForestDNSZones.UNIVERSITY.HTB dc.university.htb 192.168.99.1 389
[+] 	 SRV _ldap._tcp.ForestDNSZones.UNIVERSITY.HTB dc.university.htb 10.129.37.136 389
[+] 	 SRV _ldap._tcp.ForestDNSZones.UNIVERSITY.HTB dc.university.htb dead:beef::3e18:ee7b:7895:ed0e 389
[+] 	 SRV _ldap._tcp.pdc._msdcs.UNIVERSITY.HTB dc.university.htb 10.129.37.136 389
[+] 	 SRV _ldap._tcp.pdc._msdcs.UNIVERSITY.HTB dc.university.htb 192.168.99.1 389
[+] 	 SRV _ldap._tcp.pdc._msdcs.UNIVERSITY.HTB dc.university.htb dead:beef::3e18:ee7b:7895:ed0e 389
[+] 	 SRV _ldap._tcp.gc._msdcs.UNIVERSITY.HTB dc.university.htb 192.168.99.1 3268
[+] 	 SRV _ldap._tcp.gc._msdcs.UNIVERSITY.HTB dc.university.htb 10.129.37.136 3268
[+] 	 SRV _ldap._tcp.gc._msdcs.UNIVERSITY.HTB dc.university.htb dead:beef::3e18:ee7b:7895:ed0e 3268
[+] 	 SRV _kerberos._tcp.dc._msdcs.UNIVERSITY.HTB dc.university.htb 10.129.37.136 88
[+] 	 SRV _kerberos._tcp.dc._msdcs.UNIVERSITY.HTB dc.university.htb 192.168.99.1 88
[+] 	 SRV _kerberos._tcp.dc._msdcs.UNIVERSITY.HTB dc.university.htb dead:beef::3e18:ee7b:7895:ed0e 88
[+] 	 SRV _kpasswd._udp.UNIVERSITY.HTB dc.university.htb 192.168.99.1 464
[+] 	 SRV _kpasswd._udp.UNIVERSITY.HTB dc.university.htb 10.129.37.136 464
[+] 	 SRV _kpasswd._udp.UNIVERSITY.HTB dc.university.htb dead:beef::3e18:ee7b:7895:ed0e 464
[+] 	 SRV _kpasswd._tcp.UNIVERSITY.HTB dc.university.htb 10.129.37.136 464
[+] 	 SRV _kpasswd._tcp.UNIVERSITY.HTB dc.university.htb 192.168.99.1 464
[+] 	 SRV _kpasswd._tcp.UNIVERSITY.HTB dc.university.htb dead:beef::3e18:ee7b:7895:ed0e 464
[+] 33 Records Found

N/A