Academy: Attacking Common Services | Attacking DNS

The exercise says: " Find all available DNS records on the target name server and submit the flag found as a DNS record as the answer."

All I got is the IP address of a name server. No domain. So, how can one get the DNS records without providing a domain name?

subbrute fails, at least it’s not clear to me which parameters to provide correctly.

Does anybody have an idea?

1 Like

anyone have problem submit the flag i have found the answer but i get error

If u are still stuck: The domain you should attack is mentioned on the page of the module. I was also stuck before I find it not very intuitive but yeah you got to use that one.

Did you manage to post the flag? It doesn’t accept the flag exposed in the DNS resource records…

Yes that was no problem for me? Do you have any spaces in your flag? Sometimes happens when copying

Hey bro, are you done with it?

I tried fierce with the option --dns-servers but it was not working.

Anyone have any updates? I’m stuck. Not getting any domains. I’m using the subbrute too but only got 1 more domain which is not the flag.

Check out each of the domains you find using subbrute with the tools at hand from this module

I was stuck in the same way. The challenge is 2-step. First, ask the name server (@resolver.txt) for subdomains. Second, dig for the resource records. You can DM me.

I use subbrute for subdomains 1. [echo “targetIP” > ./resolvers.txt] 2. [python -s ./names.txt -r ./resolvers.txt ] and than i checked each subdomain listed with dig any @targetip inlanefreight.htb. am i doing anything wrong?

It looks like you’re using the wrong domain. Go for inlanefreight.htb. It’s not so clear from the exercise. The domain is a public one, and inlanefreight.htb is the one that the name server knows (local lab domain).

I write here by mistake i use it"inlanefreight.htb"

Anyone can give a hint on how to find the special DNS record? I`ve used subbrute with the correct domain and with the correct resolver, many subdomain appeared but none is the good one.

Whenever I try to add the nameserver in resolvers it says ‘No nameservers found, trying fallback list’ Anyone else seen this error? Fixed it. But still am not able to produce the flag.

use ns1…etc ns means nameserver. took me 2days and this forum to figure that out.

I’m using ns1 as the dns server, updated the resolution for it in /etc/hosts. I’m coming up with a few subdomains before subbrute crashes. I’m running a dig on all of the subdomains it finds and I’m not seeing anything that looks like a flag. Where am I going wrong?

lol disregard, got it. make sure you guys check your zone transfers. for everything. :wink:

My tip is “hr”.


Okay, finally i finished this one. This mod is all messed up or I could be a bad reader.
BIG HINT: USE THE DIG axfrzone transfer within the module…

The command did not work for me but use their output. You are welcome. O-MG

You right, thanks for the hint… Could not find the HINT in my output so I just used the output in the mod.

1 Like