Cronos - HTB
The following are some useful concepts I was able to grasp from tackling this HTB box.
DNS
DNS (Domain Name System) is the Internet's phonebook: it resolves human-readable hostnames into machine-readable IP addresses (and serves other record types such as NS, MX and TXT). DNS servers host zones. A DNS zone is the portion of the domain name space that one set of authoritative servers is responsible for. For example, something.com with all its subdomains may be a single zone, but second.something.com may also be delegated as a separate zone with its own servers.
DNS Enumeration:
It is one of the most common reconnaissance tasks there is for building a profile of your target: every hostname it turns up is another potential service to probe.
Nslookup tool:
root@kali:~# nslookup google.com
Server: 8.8.8.8
Address:8.8.8.8#53
Non-authoritative answer:
Name: google.com
Address: 216.58.223.110
Name: google.com
Address: 2a00:1450:401a:805::200e
Non-authoritative answer means the responding server (8.8.8.8 here, a public recursive resolver) is not one of the nameservers listed for google.com; it answered from its cache or by recursing on my behalf. It would come back as non-authoritative from my ISP's nameservers or my own for the same reason. Querying one of the domain's NS records directly (dig google.com @<nameserver>) returns an authoritative answer.
Host tool
host -l <domain-name> <dns_server-address>
-l lists the zone, i.e. it asks the named server for a full zone transfer (AXFR), the same request dig makes with the axfr type.
Dig tool
# A records (the IPv4 addresses)
dig google.com +short
# MX records (mail servers)
dig google.com -t mx +short
# NS records (authoritative nameservers)
dig google.com -t ns +short
Using gobuster to brute-force subdomains from a wordlist:
root@kali# gobuster dns -d cronos.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -r 10.10.10.13
Without -r, gobuster asks the system resolver, which knows nothing about cronos.htb; -r points it at the box's own DNS server.
DNS zone transfer
AXFR is the query type for a full zone transfer, the mechanism secondaries use to copy a zone from the primary. A server that answers AXFR for anyone hands over every record in the zone in one request:
root@kali# dig axfr cronos.htb @10.10.10.13
DNSenum
dnsenum --noreverse -o file.xml cronos.htb
--noreverse skips the reverse-lookup pass over the discovered address ranges; -o writes the results as XML.
Nmap dns-brute
nmap -T4 -p 53 --script dns-brute --script-args dns-brute.domain=cronos.htb 10.10.10.13
Pass the domain explicitly: otherwise the script derives it from the target's hostname, which an IP target does not provide.
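The enumeration steps above all end in the same place: a pile of dig output that has to be read for hostnames. The following is an added example, not part of the original write-up, that parses `dig axfr` output offline, classifies the result (open transfer vs. refusal) and emits /etc/hosts lines for the A records. Both samples are constructed in the shape dig prints; they are not a record of the real cronos.htb zone.

```shell
#!/bin/sh
# Added example (not from the original write-up): parse `dig axfr` output
# offline so the result can be classified and turned into /etc/hosts lines.
# Both samples below are constructed in the shape dig prints; they are not
# a record of the real cronos.htb zone.

SAMPLE_AXFR='
; <<>> DiG 9.16.1 <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb.           604800  IN  SOA  cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.           604800  IN  NS   ns1.cronos.htb.
cronos.htb.           604800  IN  A    10.10.10.13
ns1.cronos.htb.       604800  IN  A    10.10.10.13
www.cronos.htb.       604800  IN  A    10.10.10.13
admin.cronos.htb.     604800  IN  A    10.10.10.13
cronos.htb.           604800  IN  SOA  cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 1 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
'

# What dig prints when the server refuses the transfer (constructed sample).
SAMPLE_REFUSED='
; <<>> DiG 9.16.1 <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
; Transfer failed.
'

# axfr_status OUTPUT -> "open", "refused" or "empty".
# Resource records are lines whose third field is the class "IN";
# lines starting with ";" are dig commentary, not records.
axfr_status() {
    if printf '%s\n' "$1" | grep -q 'Transfer failed'; then
        echo refused
    elif printf '%s\n' "$1" | awk '$1 !~ /^;/ && $3 == "IN"' | grep -q .; then
        echo open
    else
        echo empty
    fi
}

# axfr_hosts OUTPUT -> "<ip> <hostname>" per A record, ready for /etc/hosts.
# The trailing dot dig prints on fully qualified names is stripped.
axfr_hosts() {
    printf '%s\n' "$1" | awk '$1 !~ /^;/ && $3 == "IN" && $4 == "A" {
        sub(/\.$/, "", $1); print $5, $1
    }'
}

# Live use against the box (needs network):
#   out=$(dig axfr cronos.htb @10.10.10.13)
#   axfr_status "$out"; axfr_hosts "$out" | sudo tee -a /etc/hosts
axfr_status "$SAMPLE_AXFR"
axfr_hosts "$SAMPLE_AXFR"
axfr_status "$SAMPLE_REFUSED"
```

Only A records are turned into hosts entries; NS and SOA records still matter for enumeration (they name the primary and the admin mailbox), but they are not what the browser needs to reach a vhost.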
Sqlmap tool
sqlmap -v 4 -r login.txt
-r replays an HTTP request saved to a file (for example the login POST captured in Burp) and tests each of its parameters for injection; -v 4 raises the verbosity so the payloads being sent are printed.
env command:
Prints the environment variables of the shell you are working in (PATH, HOME, SHELL and so on); useful right after landing a shell to see what the environment looks like.
root@kali# env
Using shared memory: /dev/shm is a RAM-backed tmpfs mounted world-writable on most Linux systems, so it is a convenient place to stage tools during post-exploitation; whatever is written there disappears on reboot.
Bit bucket
/dev/null ---> Also called the bit bucket | anything written to /dev/null simply disappears.
find -name filename 2> /dev/null | Sends stderr (the permission-denied noise) to the bit bucket so only real hits are printed.
cat /dev/null > filename | Empties the file: the > truncates it and writes the (empty) contents of /dev/null into it. Without the redirect (cat /dev/null filename) you would just print the file.
Unix Permissions:
Point to note:
– A DNS server should only allow zone transfers (AXFR) from the addresses of its own secondaries, ideally authenticated with a TSIG key rather than trusting the source IP alone. Everyone else asking for AXFR should get a refusal; verify it with dig axfr cronos.htb @10.10.10.13 from an untrusted host and expect "Transfer failed."
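For the configuration side of that note, the fragment below shows the weak setting beside the corrected one. It is an added example, not taken from the box or the original write-up, and it assumes the zone is served by BIND (the page does not say which server Cronos runs); the key name xfer-key, the secondary address 10.10.10.14 and the key material placeholder are assumptions.

```conf
// Weak: any client that can reach port 53 can pull the whole zone.
zone "cronos.htb" {
    type master;
    file "/etc/bind/db.cronos.htb";
    allow-transfer { any; };
};

// Corrected: refuse transfers globally, then allow them per zone only to
// requests signed with the secondary's TSIG key (generate it with
// `tsig-keygen xfer-key` and install the same key on the secondary).
options {
    allow-transfer { none; };
};

key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";   // placeholder, not a real key
};

zone "cronos.htb" {
    type master;
    file "/etc/bind/db.cronos.htb";
    // An IP-only ACL would be { 10.10.10.14; }; keying the transfer is stronger.
    allow-transfer { key "xfer-key"; };
};
```

After reloading, an unsigned `dig axfr cronos.htb @10.10.10.13` should print "Transfer failed." while the secondary, signing with the key, still replicates the zone.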