Cronos DNS reverse lookup

Working on Cronos and attempting reverse DNS lookup with either nslookup or dig and I can’t get it to work. My thinking is that because the machine is running a DNS server I should be able to send a query directly to it and get some information on the domain name. I’ve had a peek at some walkthroughs that suggests a reverse lookup is possible, but there’s also a few that just ‘guess’ for the next part.

Ideally I don’t want to just ‘guess’ before moving on, because I’d like to take away some lessons on DNS enumeration. Just want to know if it’s a potential configuration issue or a fundamental misunderstanding on my part.

I’m using kali 2020.4 and needed to install dnsutils as nslookup/dig etc were not installed by default.

With nslookup, I’ve tried running in interactive mode, setting the server to the box IP address, and then the host (I think its the host command – the man page is confusing) command on the box IP address. This is something I’ve seen at least one walkthrough do successfully. Consulting the nslookup man page, I saw that for the host command : “If host is an Internet address and the query type is A or PTR, the name of the host is returned.”. so I tried to set that explicitly (though apparently it defaults to A) to no avail. I get the following error: server can’t find XXX.XXX.XXX.XX.in-addr.arpa: NXDOMAIN (Where XX.XXX.XXX.XXX is the IP address of the machine)

With dig, I use the simplified reverse lookup option (-x) supplying the box IP address for both the server and the host address arguments. I’ve seen this used in a walkthrough, but I don’t get the same result.

I’ve seen mention elsewhere the nslookup may be defaulting to using nameservers in my /etc/resolv.conf configuration, and I have tried adding the IP address of the box to this file as well without success.

Not sure where I am going wrong. Any input appreciated.

What happens when you try dig axfr cronos.htb @10.10.10.13

In nslookup, something like

server 10.10.10.13
set q=any
cronos.htb

should work.

That’s a zone tranfer isn’t it?. That would be my next step, but I’m looking for a way to extract the hostname (without just guessing).

@deyzie said:

That’s a zone tranfer isn’t it?. That would be my next step, but I’m looking for a way to extract the hostname (without just guessing).

Ok - its rare you don’t have to guess on HTB, but on this box, what happens when you run

nslookup
server 10.10.10.13
10.10.10.13
?

So when I spawn Cronos I get some IP: AAA.BBB.CCC.DDD. Running the nslookup:

nslookup

server AAA.BBB.CCC.DDD
AAA.BBB.CCC.DDD

I get an NXDOMAIN error similar to the following.

** server can’t find DDD.CCC.BBB.AAA.in-addr.arpa: NXDOMAIN

@deyzie said:

So when I spawn Cronos I get some IP: AAA.BBB.CCC.DDD. Running the nslookup:

nslookup

server AAA.BBB.CCC.DDD
AAA.BBB.CCC.DDD

I get an NXDOMAIN error similar to the following.

** server can’t find DDD.CCC.BBB.AAA.in-addr.arpa: NXDOMAIN

Ah ok - that is strange.

How are you spawning it? Whenever I try I get the 10.10.10.13 one, both in the old and new interfaces.

same here, I finished this box 3 days ago and as @deyzie said I cannot get initial phase to “find” domain which is odd because all write-ups are clear on that phase

server AAA.BBB.CCC.DDD
AAA.BBB.CCC.DDD

I get an NXDOMAIN error similar to the following.

** server can’t find DDD.CCC.BBB.AAA.in-addr.arpa: NXDOMAIN

@TazWake said:
How are you spawning it? Whenever I try I get the 10.10.10.13 one, both in the old and new interfaces.

I’m not sure if it’s has any impact, but when I spawn it via the old and new interfaces its IP address has never been 10.10.10.13.

@nemereth said:
same here, I finished this box 3 days ago and as @deyzie said I cannot get initial phase to “find” domain which is odd because all write-ups are clear on that phase

And as disappointing as it is for both of us, I’m glad it’s not just me haha

Type your comment> @deyzie said:

@TazWake said:
How are you spawning it? Whenever I try I get the 10.10.10.13 one, both in the old and new interfaces.

I’m not sure if it’s has any impact, but when I spawn it via the old and new interfaces its IP address has never been 10.10.10.13.

So, on the machine page, do you get something different to this:

Mine looks the same, when I spawn the IP changes to something else outside of 10.10.10.xxx (not always the same) and I get the reset and terminate controls up in the same area as the “Own User”, “Own Root” buttons etc.

@deyzie said:

Mine looks the same, when I spawn the IP changes to something else outside of 10.10.10.xxx (not always the same) and I get the reset and terminate controls up in the same area as the “Own User”, “Own Root” buttons etc.

OK - I haven’t done this box so I don’t know exactly how it works. I suspect that the different IP is causing the problem with the nslookup but cant confirm it.

I don’t know if there is a solution to this. When I spawned it to test, I got 10.10.10.13 and it responded as expected, with its hostname.