Academy: Attacking Common Services | Attacking DNS

The exercise says: " Find all available DNS records on the target name server and submit the flag found as a DNS record as the answer."

All I got is the IP address of a name server. No domain. So, how can one get the DNS records without providing a domain name?

subbrute fails, at least it’s not clear to me which parameters to provide correctly.

Does anybody have an idea?

1 Like

anyone have problem submit the flag i have found the answer but i get error

If u are still stuck: The domain you should attack is mentioned on the page of the module. I was also stuck before I find it not very intuitive but yeah you got to use that one.

Did you manage to post the flag? It doesn’t accept the flag exposed in the DNS resource records…

Yes that was no problem for me? Do you have any spaces in your flag? Sometimes happens when copying

Hey bro, are you done with it?

I tried fierce with the option --dns-servers but it was not working.

Anyone have any updates? I’m stuck. Not getting any domains. I’m using the subbrute too but only got 1 more domain which is not the flag.

Check out each of the domains you find using subbrute with the tools at hand from this module

I was stuck in the same way. The challenge is 2-step. First, ask the name server (@resolver.txt) for subdomains. Second, dig for the resource records. You can DM me.

I use subbrute for subdomains 1. [echo “targetIP” > ./resolvers.txt] 2. [python subbrute.py inlanefreight.com -s ./names.txt -r ./resolvers.txt ] and than i checked each subdomain listed with dig any @targetip inlanefreight.htb. am i doing anything wrong?

It looks like you’re using the wrong domain. Go for inlanefreight.htb. It’s not so clear from the exercise. The domain inlanefreight.com is a public one, and inlanefreight.htb is the one that the name server knows (local lab domain).

I write here by mistake i use it"inlanefreight.htb"

Anyone can give a hint on how to find the special DNS record? I`ve used subbrute with the correct domain and with the correct resolver, many subdomain appeared but none is the good one.