I struggled with this a lot, my best advice is to run subrute with inlanefreight.com and inlanefreight.htb then enumerate all subdomains found.
To obtain DNS records for a domain, you typically need to know the domain name. However, in this case, it seems that you only have the IP address of the name server and not the domain name.
One option you can try is to use a reverse DNS lookup tool to determine the domain name associated with the IP address of the name server. Once you have the domain name, you can then use a tool like nslookup or dig to query the DNS records for that domain and look for the flag.
If subbrute is not working for you, you may want to try other DNS enumeration tools such as fierce, dnsenum, or dnsmap. These tools can help you discover subdomains associated with the domain and may help you find the flag if it is hidden in one of the subdomains.
Itâs important to note that DNS enumeration can be a sensitive task and should only be performed on systems that you have permission to test. Always ensure that you follow ethical and legal guidelines when conducting any type of security testing.
Regards : combination of two name to make one
1 Like
Timing out every time I do a zone transfer. Will not work using any combinations of axfr. It just times out even though I can ping both the NS and IP address.
1 Like
Great.
1 Like
The module DNS section of
is a huge help. Hours wasted because its not explained properly in this module. Very poor Explanation.
I didnt know you could query the Target IP with the dig command.
i do it , than what next ?
Can you tell me how have you done that?
I am really really stuck
For those who have problems with the zone transfer, use pwnbox instead of editing resolv.conf
i think i have some idea
If you only have the IP address of the name server and no domain, you wonât be able to retrieve DNS records directly. DNS records are associated with specific domains, so you need a domain name to query DNS records for that domain. Without the domain, you wonât have the necessary information to perform a DNS lookup.
Youâll need to obtain the domain name associated with the target name server to proceed with retrieving DNS records. This may require additional information gathering or reconnaissance to identify the domain associated with the IP address you have. Once you have the domain, you can use tools like nslookup or online DNS lookup services to retrieve DNS records for that domain.
I am REALLY stuck on this, I can find the âdecoyâ flag, and have done every thing in the module related to DNS enumeration and I still cant seem to find the real flag. Any Help Would Be Greatly Appreciated.
I have ran Subbrute- with the updated resolver.txt file.
Nslookup- keeps giving errors
Dig AXFR cant find the address.
Fierce - cant
Provably something super simple but I am stomped atm.
thanks guys/ girls
B.
yes, where can/ how can I find the correct flag?
Please check my post from Nov 22.
So,
- add ip and domain to /etc/hosts.
- use subbrute to find a specific subdomain. Be careful to use against inlanfreight.htb and not .com.
- use dig axfr agasint the subdomain you found.
2 Likes
Ok ill try that. I was like âis it .com or .htb? When I use .htb I get a response .com I get not response, but subbrute hasnât worked with .htbâ Thanks for the clue
Yeah I feel dumb. I got it. 
I love you⌠i am a big dumb dumb
Bro I am not still getting with htb it through some error
Thank you i go the Flag now