Enumerate 'box.htb' or assume?

Hi All

For a box named Box, if I find box.htb through enumeration then I’ll access that server.

Some users appear to assume the existence of box.htb without first finding it. For example trick.htb.

In the case of a box with open 80, do HTB intend that we assume the possibility of a box.htb as part of correct solution practice, or should we only try that server after first finding it through enumeration?

According to my experience, most of the time when you have to use a domain name (ending in .htb) it is because either it is being shown in the web’s source code or in the text of the website.

In other cases like the Trick machine it is necessary to know that it exists because the machine has a DNS server, and a DNS server needs a main domain for its configuration.

In short, there will always be something that gives you a clue that a domain exists.

1 Like

Thanks NeverHackMe. I agree with your first paragraph, enumerate it then use it.

For Trick, yes, open 53 indicates a domain. But why trick.htb and not cheesyonion.xyz? HTB seem to be asking that we ASSUME trick.htb!

It’s usually in the format of machine-name.htb

Would also like to add, like @NeverHackMe said, the Trick machine has a DNS so it needs a domain name, which can be found through DNS enumeration, and sometimes nmap will tell you also. Sites that use WordPress also have the machine-name.htb format because of the way WordPress is set up. With some sites you can find it by looking at the source code or hovering over links on the page and seeing if it uses a name.htb or if it just uses the IP address for the links.

1 Like

I usually assume the domain name is machine-name.htb, unless an explicit domain name is given. This is the start point for vhost/subdomain enumeration.
For machines exposing DNS service (like trick), the domain name can be retrieved.

$ dig -x $host_ip @$host_ip
; <<>> DiG 9.16.1-Ubuntu <<>> -x 10.10.11.166 @10.10.11.166
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44382
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 287c1136dc4f5ff93ea68f8b62bc0e95de580cf80b5aecdd (good)
;; QUESTION SECTION:
;166.11.10.10.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
166.11.10.10.in-addr.arpa. 604800 IN    PTR     trick.htb.

;; AUTHORITY SECTION:
11.10.10.in-addr.arpa.  604800  IN      NS      trick.htb.

;; ADDITIONAL SECTION:
trick.htb.              604800  IN      A       127.0.0.1
trick.htb.              604800  IN      AAAA    ::1

;; Query time: 103 msec
;; SERVER: 10.10.11.166#53(10.10.11.166)
;; WHEN: Wed Jun 29 08:34:29 UTC 2022
;; MSG SIZE  rcvd: 163

2 Likes
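As an added example (not from any poster in this thread), the snippet below pulls the hostnames out of a dig answer like the one above, plus any name.htb links in page source as the earlier reply describes, and builds the /etc/hosts line you would add. The dig record values are copied from the post; the HTML snippet and the www.trick.htb name in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: record lines as they appear in the dig answer quoted above.
DIG_OUTPUT = """\
;; ANSWER SECTION:
166.11.10.10.in-addr.arpa. 604800 IN    PTR     trick.htb.

;; AUTHORITY SECTION:
11.10.10.in-addr.arpa.  604800  IN      NS      trick.htb.

;; ADDITIONAL SECTION:
trick.htb.              604800  IN      A       127.0.0.1
trick.htb.              604800  IN      AAAA    ::1
"""

# Constructed sample page source: one link uses a hostname, one uses the bare IP.
HTML_SOURCE = ('<a href="http://www.trick.htb/login">Login</a> '
               '<a href="http://10.10.11.166/about">About</a>')

def parse_dig(text):
    """Return {rtype: [(owner, rdata), ...]} for the resource records in dig output.
    Status and section lines start with ';' and are skipped; record lines have the
    shape 'owner ttl IN type rdata'. Trailing dots on names are removed."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # not a standard record line (e.g. the '$ dig' command itself)
        owner, rtype, rdata = fields[0], fields[3], " ".join(fields[4:])
        records[rtype].append((owner.rstrip("."), rdata.rstrip(".")))
    return records

def hostnames_from_dig(text):
    """Names the server itself reveals: reverse (PTR) targets and NS names."""
    recs = parse_dig(text)
    return sorted({rdata for rtype in ("PTR", "NS") for _, rdata in recs[rtype]})

HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.htb)", re.I)

def hostnames_from_html(html):
    """Hostnames ending in .htb that appear in absolute links of the page source."""
    return sorted({name.lower() for name in HOST_RE.findall(html)})

def hosts_line(ip, dig_text, html=""):
    """Combine both sources into a single /etc/hosts entry for the target IP."""
    names = sorted(set(hostnames_from_dig(dig_text)) | set(hostnames_from_html(html)))
    return f"{ip} {' '.join(names)}"
```

With the samples above, hosts_line("10.10.11.166", DIG_OUTPUT, HTML_SOURCE) yields "10.10.11.166 trick.htb www.trick.htb".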

Tec, that is brilliant, you have answered my query. Fantastic use of the dig command, well done.

This is a good tip

Yes it is, with real world application where .htb etc is not known.

found in

2 Likes

Tec, you’ve made my week :grinning: