Active Subdomain Enumeration

I was very stuck on this section, so maybe this writeup can help to unstick someone else! No answers tho, sorry! Just my sus explanation that may or may not be accurate lol gl king

Questions

Submit the FQDN of the nameserver for the “inlanefreight.htb” domain as the answer

Ok, Let’s get started by looking at what we have access to.

Opening the IP in the browser, we get the Apache default setup page. Nothing interesting there! Let's pop the IP & hostname into /etc/hosts:

sudo nano /etc/hosts
10.129.XX.XX inlanefreight.htb
save & exit

First Order Of Business: nslookup

nslookup -type=NS inlanefreight.htb
Server:		1.1.1.1
Address:	1.1.1.1#53

** server can't find inlanefreight.htb: NXDOMAIN

nslookup isn't finding anything on its own, even with the IP address in our /etc/hosts. That's expected: nslookup and dig send their queries straight to the configured resolver (here 1.1.1.1) and never consult /etc/hosts for the name you are looking up (the hosts file only helps them resolve a server name you pass as the last argument). 1.1.1.1 has no idea inlanefreight.htb exists, so it answers with "NXDOMAIN", meaning there is no such domain in the public DNS. We have to point dig at the target's own DNS server instead:

dig NS inlanefreight.htb @10.129.XX.XXX

; <<>> DiG 9.16.33-Debian <<>> NS inlanefreight.htb @10.129.XX.XXX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3673
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2d707ab5d0f9db6d010000006440345d06eecabb4bbbc826 (good)
;; QUESTION SECTION:
;inlanefreight.htb.		IN	NS

;; ANSWER SECTION:
inlanefreight.htb.	604800	IN	NS	XXXX.inlanefreight.htb.

;; ADDITIONAL SECTION:
XXXX.inlanefreight.htb.	604800	IN	A	127.0.0.1

We're basically asking the DNS server at 10.129.XX.XXX directly for the nameserver (NS) records of inlanefreight.htb. Because that server is authoritative for the zone (note the aa flag in the header), it returns the nameserver it has configured for inlanefreight.htb, plus the A record for that nameserver in the additional section.

Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer.

ok so what is a zone and why am I shaking and crying? I think what they're really asking for here is the number of zones that show up when we use nslookup. Let's start by chucking that nameserver we just found into our /etc/hosts.

A zone is the part of the DNS namespace that a particular nameserver is authoritative for. Each zone starts at an apex that has its own SOA record and holds the records (A, NS, TXT, etc.) for the names underneath it, until another zone is delegated with NS records. A subdomain is not automatically its own zone; it only counts as a separate zone if the server keeps a separate set of records (with its own SOA) for it. When we use nslookup, we're asking the server for the records it has about the name we specified, and each distinct zone we can pull records for counts toward the answer.

Since the public DNS still doesn't have records for inlanefreight.htb, you're going to have to specify both the domain & the nameserver when you search:

nslookup -type=ns inlanefreight.htb 10.129.XX.XXX
nslookup -type=ns XXXX.inlanefreight.htb 10.129.XX.XXX
nslookup -query=AXFR inlanefreight.htb XXXX.inlanefreight.htb

Check that the first two work, because if they don't you gotta check your /etc/hosts lol (the last command needs XXXX.inlanefreight.htb to resolve, which is exactly what the hosts entry is for).

The last command outputs a ton of subdomains. A subdomain may or may not be a zone, and the direct way to tell (querying SOA, etc.) is blocked here, so you're going to have to manually sift through all these subdomains to find the ones that are zones. Let's make that process a bit easier by cleaning up our output.

nslookup -query=AXFR inlanefreight.htb XXXX.inlanefreight.htb | grep "Name:" > rawsubdomains.txt
sed 's/Name:[[:space:]]*//' rawsubdomains.txt | sort -u > subdomains.txt

It’s not pretty but we am hard man

Plug each subdomain into the same AXFR query against the nameserver, hard man!! Eventually you'll find zones!!! Hooray!! The ones that answer with their own records are the zones, and that gives you the X amount of zones on the server!

Find and submit the contents of the TXT record as the answer.

nslookup -query=axfr XXXXXXXX.inlanefreight.htb XXXX.inlanefreight.htb

In this output you’ll find a very cool flag amongst other things 🙂

Which IP address is assigned to the "us.inlanefreight.htb" subdomain? Submit the IP address as the answer.

Remember to update your /etc/hosts file as you go! For this question, nslookup wasn't working, so I switched to dig with the same zone query flags as with nslookup!

Submit the number of all "A" records from all zones as the answer.

Remember to use all the zones you found!
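As an added example (my own script, not part of the original writeup or the lab), here's a bit of Python that does the sifting for the zone-counting and A-record-counting questions on dig-style AXFR output: it finds zones by their SOA apex, flags NS-only names as child zones you still need to transfer, counts A records across everything, and pulls out TXT data. The nameserver label, the 10.0.0.x addresses and the TXT string in the sample are constructed placeholders, not the lab's values.

```python
import re

# dig presentation format: <owner> <ttl> IN <type> <rdata>. Header/comment lines
# start with ';' and have no numeric TTL field, so they simply never match.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")

def parse_axfr(text):
    """Return (owner, type, rdata) tuples; owners lowercased, trailing dot removed."""
    matches = (RR_LINE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1).lower().rstrip("."), m.group(3), m.group(4).strip())
            for m in matches if m]

def zones(records):
    """One SOA per zone apex; dig prints it at both ends of a transfer, so a set
    gives exactly one entry per zone that was actually transferred."""
    return sorted({owner for owner, rtype, _ in records if rtype == "SOA"})

def delegations(records):
    """NS at a name with no SOA = zone cut: a child zone not in this transfer."""
    apexes = set(zones(records))
    return sorted({o for o, rtype, _ in records if rtype == "NS" and o not in apexes})

def count_type(records, rtype):
    return sum(1 for r in records if r[1] == rtype)

def txt_data(records):
    return [rdata.strip('"') for _, rtype, rdata in records if rtype == "TXT"]

# Constructed sample: a parent-zone transfer followed by a child-zone transfer.
# The nameserver label, 10.0.0.x addresses and TXT string are placeholders.
SAMPLE = """\
; <<>> DiG 9.16.33-Debian <<>> AXFR inlanefreight.htb @ns-placeholder.inlanefreight.htb
inlanefreight.htb.\t604800\tIN\tSOA\tns-placeholder.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.\t604800\tIN\tNS\tns-placeholder.inlanefreight.htb.
ns-placeholder.inlanefreight.htb.\t604800\tIN\tA\t127.0.0.1
us.inlanefreight.htb.\t604800\tIN\tA\t10.0.0.30
internal.inlanefreight.htb.\t604800\tIN\tNS\tns-placeholder.inlanefreight.htb.
dev.inlanefreight.htb.\t604800\tIN\tNS\tns-placeholder.inlanefreight.htb.
inlanefreight.htb.\t604800\tIN\tSOA\tns-placeholder.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
internal.inlanefreight.htb.\t604800\tIN\tSOA\tns-placeholder.inlanefreight.htb. root.inlanefreight.htb. 1 604800 86400 2419200 604800
internal.inlanefreight.htb.\t604800\tIN\tNS\tns-placeholder.inlanefreight.htb.
internal.inlanefreight.htb.\t604800\tIN\tTXT\t"constructed-sample-txt"
app.internal.inlanefreight.htb.\t604800\tIN\tA\t10.0.0.20
internal.inlanefreight.htb.\t604800\tIN\tSOA\tns-placeholder.inlanefreight.htb. root.inlanefreight.htb. 1 604800 86400 2419200 604800
"""

if __name__ == "__main__":
    recs = parse_axfr(SAMPLE)
    print("zones:", zones(recs), "| still to transfer:", delegations(recs))
    print("A records:", count_type(recs, "A"), "| TXT:", txt_data(recs))
```

To use it on the real lab, save each `dig AXFR <zone> @<nameserver>` output into one file and pass its contents to `parse_axfr` instead of `SAMPLE`; any name that shows up in `delegations` is a zone you haven't transferred yet.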
