Active Subdomain Enumeration - HTB Academy

Hey, I’ve finally gotten myself completely stuck for a day or so and am in need of assistance. The question is right after a section about DNS zone transfers, and is “Submit the FQDN of the nameserver for the “inlanefreight.htb” domain as the answer”
so far I have tried the following (with a variety of parameters and nameservers 1.1.1.1, 8.8.8.8 etc.):

• host inlanefreight.htb

Host inlanefreight.htb not found: 2(SERVFAIL)

• host

Host 158.72.129.10.in-addr.arpa. not found: 3(NXDOMAIN)

• nslookup inlanefreight.htb

** server can’t find inlanefreight.htb: SERVFAIL

• dig inlanefreight.htb

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23602
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;inlanefreight.htb. IN A
;; AUTHORITY SECTION:
. 5 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2022010801 1800 900 >>>604800 86400
;; Query time: 56 msec
;; SERVER: 192.168.207.2#53(192.168.207.2)
;; WHEN: Sun Jan 09 13:11:06 AEDT 2022
;; MSG SIZE rcvd: 121

At this point I suspected the host being down, however I can successfully connect via firefox with the IP (get an apache2 default page) and the url (which I added to the /etc/hosts file) - though with the url I get a flag appear in firefox - a little wierd. I get a response when pinging both the IP and url too.

I also tried gobuster DNS enumeration and some basic service enumeration to explore for any other vectors, but didn’t find anything of note.

Please, any help would be greatly appreciated!!

EDIT: I needed to use the host IP as the source NS IP because it kept failing to find the record on my local DNS, or any public DNS’s because it isn’t publically facing. Hint: dig any targeturl @ns/IP

Try to add given IP in the end

Yep, that was the trick. Thanks!

If You manage to move forward in this section text me please)

Feel free to PM if anyone else gets stuck for some more hints.

Any chance you can help me out with this one? I can’t seem to get anywhere on it…

I can’t completely remember the details, but I think it threw me off because the name server is the same IP as the domain(s). In order to perform a zone transfer on it, use the generated IP address for both the domain and the name server. I’m no expert and I’m working off memory though so take it with a grain of salt haha

I get errors if I try that… it is clearly trying to use my DNS server as the server which I think is my problem. But if I manually set it to anything else I also get an error where it says it can’t resolve the name…

Ok, I’ve gone back and re-done it.

Firstly, make the /etc/hosts to add inlanefreight.htb
Secondly, find the name server (dig ns inlanefreight.htb @[IP ADDRESS GENERATED]
Third, add the name server to your /etc/hosts file so it can be resolved (i assume the host is using some sort of vhost routing)
Finally, perform zone transfer (dig axfr [domain] @[name server])

One other thing I just found out. At least in my case… I cannot get this to work properly at all from my own machine connected with a VPN. I get something along these lines ** Connection to 10.129.42.195#53(10.129.42.195) for inlanefreight.htb failed: connection re
fused.**. However, if I use the pwnbox I can get the commands to work.

This might be a stupid question, but how do you resolve an IP address to an FQDN in Linux CLI?

follow what jecpr636 said. Just don’t forget to add it to the /etc/hosts file before you start.

Hello, can someone help im stuck in this section. Thank you

I’ve already added the domain to the /etc/hosts with the given ip.
did the dig ns inlanefreight.htb @given_ip to find the Name Server and its ns.inlanefreight.htb.
added that to the /etc/hosts and then did the dig axfr inlanefreight.htb @ns.inlanefreight.htb.
Answered the first two questions where the name server is that one and the number of zones is 2. but then i cant find the TXT record and how to find out the FQDN of the Ips’s in the other answers.
thak you

The TXT record belongs to one of the sub domains. Ask the nameserver for resource records for each sub domain.

Zone Transfer
dig axfr inlanefreight.htb @ >dns.txt

(Write small bash script to clear dns.txt to hold only domain names)
Loop through all the records found in above command

cat dns.txt | while read i; do dig axfr $i @10.129.247.129; echo $i; done > enumerated.txt

you will be able to find required result in enumerated.txt

Bro, please i really need to understand clearly the notion of zone transfer…

i understood it as … inlanefreight.htb is a zone once it has subdomains or a subdomain like internal.inlanefreight.htb is also a zone once it also has it’s owns subdomains ns.internal.inlanefreight.htb.

so frustrated with this module not understanding nothing

Yeah, you can make subdomains of subdomains. And making a subdomain a zone exchange to give you their subdomains.

You have to be patient, where are you stuck?