Enumerate 'box.htb' or assume?

Hi All

For a box named Box, if I find box.htb through enumeration then I’ll access that server.

Some users appears to assume the existence of box.htb without first finding it. For example trick.htb.

In the case of a box with open 80, do HTB intend that we assume the possibility of a box.htb as part of correct solution practice, or should we only try that server after first finding it through enumeration?

According to my experience, most of the time when you have to use a domain name (ending in .htb) it is because either it is being shown i the web’s source code or in the text of the website.

In other case like the Trick machine it is necessary to known that it exists because the machine has a DNS server, and a DNS server needs a main domain for their configuration.

In short, there will always be something that gives you a clue that a domain exists.

1 Like

Thanks NeverHackMe. I agree with your first paragraph, enumerate it then use it.

For Trick, yes, open 53 indicates a domain. But why trick.htb and not cheesyonion.xyz? HTB seem to be asking that we ASSUME trick.htb!

It’s usually in the format of machine-name.htb

Would also like to add like @NeverHackMe me said trick machine has a DNS so it needs a domain name which can be found through DNS enumeration and sometimes nmap will tell you aslo, and with sites that use WordPress also have the machine-name.htb format because the way WordPress is setup. With some sites you can find it by looking at the source code or hovering over links on the page and seeing if it uses a name.htb or if it just uses the IP address for the links.

1 Like

i usually assume the domain name is machine-name.htb, unless explicite domain name is given. this is the start point for vhost/subdomain enumeration.
For machines exposing DNS service (like trick), the domain name can be retrieved.

$ dig -x $host_ip @$host_ip
; <<>> DiG 9.16.1-Ubuntu <<>> -x 10.10.11.166 @10.10.11.166
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44382
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 287c1136dc4f5ff93ea68f8b62bc0e95de580cf80b5aecdd (good)
;; QUESTION SECTION:
;166.11.10.10.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
166.11.10.10.in-addr.arpa. 604800 IN    PTR     trick.htb.

;; AUTHORITY SECTION:
11.10.10.in-addr.arpa.  604800  IN      NS      trick.htb.

;; ADDITIONAL SECTION:
trick.htb.              604800  IN      A       127.0.0.1
trick.htb.              604800  IN      AAAA    ::1

;; Query time: 103 msec
;; SERVER: 10.10.11.166#53(10.10.11.166)
;; WHEN: Wed Jun 29 08:34:29 UTC 2022
;; MSG SIZE  rcvd: 163
2 Likes

Tec, that is brilliant, you have answered by query. Fantastic use of the dig command, well done.

This is a good tip

Yes it is, with real world application where .htb etc is not known.

found in

2 Likes

Tec, you’ve made my week :grinning: