DNS - 53

If there is a DNS server, there is a domain, and potentially lots of subdomains. If a web application is running, we might want to fuzz for vhosts and subdomains; if we can read files, we should read the web config files that contain information about subdomains. First, let's use the DNS server to get the domain.

dig @10.10.11.166 -x 10.10.11.166

; <<>> DiG 9.20.2-1-Debian <<>> @10.10.11.166 -x 10.10.11.166
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44675
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0029f7b8b1790e221a255dd467a38bad2709a7bc17c0404d (good)
;; QUESTION SECTION:
;166.11.10.10.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
166.11.10.10.in-addr.arpa. 604800 IN    PTR     trick.htb.

;; AUTHORITY SECTION:
11.10.10.in-addr.arpa.  604800  IN      NS      trick.htb.

;; ADDITIONAL SECTION:
trick.htb.              604800  IN      A       127.0.0.1
trick.htb.              604800  IN      AAAA    ::1

;; Query time: 76 msec
;; SERVER: 10.10.11.166#53(10.10.11.166) (UDP)
;; WHEN: Wed Feb 05 10:02:52 CST 2025
;; MSG SIZE  rcvd: 163

trick.htb was a guess based on the box's name, and we see that it resolves.

AXFR

We find an internal subdomain, preprod-payroll.trick.htb.

This is where I put the domain and subdomain in my /etc/hosts.
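
The steps above (reverse lookup, zone transfer, hosts entry) as an added example that is not part of the original write-up: it parses saved dig output, reports whether a transfer completed, and builds the hosts line. The AXFR sample and the function names are constructed for illustration; only the host names, the PTR line and the IP address come from the page.

```python
# Added example. AXFR_SAMPLE is constructed; only its two host names come from the page.
AXFR_SAMPLE = """\
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
trick.htb. 604800 IN NS trick.htb.
trick.htb. 604800 IN A 127.0.0.1
preprod-payroll.trick.htb. 604800 IN CNAME trick.htb.
trick.htb. 604800 IN SOA trick.htb. root.trick.htb. 5 604800 86400 2419200 604800
"""
PTR_SAMPLE = "166.11.10.10.in-addr.arpa. 604800 IN PTR trick.htb.\n"  # from the page
REFUSED_SAMPLE = "; Transfer failed.\n"  # dig's output when AXFR is refused


def parse_records(dig_output):
    """Return (owner, type, rdata) per record line; ';' comment lines are skipped."""
    records = []
    for line in dig_output.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5 and not fields[0].startswith(";") and fields[2] == "IN":
            records.append((fields[0].rstrip(".").lower(), fields[3], fields[4]))
    return records


def transfer_allowed(dig_output):
    """A completed AXFR begins and ends with the zone's SOA record."""
    recs = parse_records(dig_output)
    return len(recs) >= 2 and recs[0][1] == "SOA" and recs[-1][1] == "SOA"


def hostnames(dig_output, zone):
    """Unique names inside `zone` (lowercase, no trailing dot), from owners and targets."""
    found = []
    for owner, rtype, rdata in parse_records(dig_output):
        names = [owner]
        if rtype in ("PTR", "CNAME", "NS"):
            names.append(rdata.split()[0].rstrip(".").lower())
        for name in names:
            in_zone = name == zone or name.endswith("." + zone)
            if in_zone and name not in found:
                found.append(name)
    return found


def hosts_line(ip, dig_output, zone):
    """The zone's A record is loopback, so pair the names with the server's IP."""
    return ip + " " + " ".join(hostnames(dig_output, zone))


if __name__ == "__main__":
    print(transfer_allowed(AXFR_SAMPLE), hosts_line("10.10.11.166", AXFR_SAMPLE, "trick.htb"))
```

When transfer_allowed returns True for output gathered from a host that is not a secondary name server, the zone is handing internal names such as the preprod one to any client that asks.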

Fuzzing Vhosts, nothing there
