Sofblocks

Sofblocks

Cyber Security & Sys Admin.

Cronos - HTB

1 minute read

The following are some useful concepts I was able to grasp from tackling the above HTB box.

DNS

DNS (Domain Name System) is like an Internet phonebook. It is responsible for resolving human-readable hostnames into machine-readable IP addresses. DNS servers host zones. A DNS zone is a portion of the domain name space that is served by a DNS server. For example, something.com with all its subdomains may be a zone. However, second.something.com may also be a separate zone.

upload-image

DNS Enumeration:

Its the most popular reconnaissance tasks there is for building a profile of your target.

Nslookup tool:


root@kali:~# nslookup google.com
Server:	8.8.8.8
Address:8.8.8.8#53

Non-authoritative answer:
Name:	google.com
Address: 216.58.223.110
Name:	google.com
Address: 2a00:1450:401a:805::200e

Non-authoritative answer simply means the response is from one of my configured nameservers (ISP / my domain).It would come back as non-authoritative because neither my ISP’s nameservers, nor my own are in the list of nameservers for google.com.

Host tool

host -l <domain-name> <dns_server-address>

Dig tool

#fetch A records(the IP address)
dig google.com +short
#mail information
dig google.com -t mx +short
#ns records
dig google.com -t ns +short

using gobuster:

root@kali# gobuster dns -d cronos.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt

Dns Zone transfer

AXFR (Asynchronous Transfer Full Range) Transfer.

root@kali# dig axfr cronos.htb @10.10.10.13

DNSenum

dnsenum --noreverse -o file.xml cronos.htb

Nmap dns-brute

nmap -T4 -p 53 --script dns-brute 10.10.10.13

Sqlmap tool

    sqlmap -v 4 -r login.txt

env command:

Provides information on the shell enviroment you are working with.

root@kali# env

Using shared memory: /dev/shm

Bitbucket


/dev/null   ---> Also called bit bucket | if you send output to /dev/null it simply disappears.
find -name filename 2> /dev/null   | The command directs the stderr to the bit bucket.

cat /dev/null filename    | empties the contents of the file.

Unix Permissions:

upload-image

Point to note:

– DNS server should be configured to only allow zone transfers from trusted IP addresses.

Leave a comment

You may also enjoy

Azure Attack Paths Management

14 minute read

Posted:

Every object in azure (users, service principals, device, apps) combines to form attack paths that adversaries can find and exploit and take over your whole ...

Azure Cloud Pentesting

13 minute read

Posted:

The rise of cloud computing has seen many companies shifting their attention to adopting cloud services such as storage, network, database, and software appl...

Azure AD Single Sign On (SSO) - Sophos Firewall

5 minute read

Posted:

Single sign-on (SSO) is a technology which combines several different application login screens into one regardless of the domain, platform, or technology th...

Azure Powershell

6 minute read

Posted:

PowerShell is a command-based shell and scripting language used for task automation and as a configuration framework tool. PowerShell runs on Windows, Linux,...