I used first:
for sub in $(cat /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt); do dig $sub.inlanefreight.htb @10.129.169.32 | grep -Ev ';|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt; done
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
mail1.inlanefreight.htb. 604800 IN A 10.129.18.201
app.inlanefreight.htb. 604800 IN A 10.129.18.15
You are really close to cracking this one. You have all the pieces necessary to complete it, but you aren’t quite there yet. I don’t want to completely give the answer away, but try to do a bit more enumeration on the subdomains that you have access to.
Remember, pay close attention to the Authority section from the dig results. That will give you a clue as to what may or may not have additional subdomains for you to find. Try to go through all the FQDNs you have found from the initial enumeration you did with ‘dig’ and try to see the pattern in what is and isn’t matching with the SOA record. That will give you an indication as to what you should or shouldn’t brute force.
Also, if you are able to zone transfer to something and see all the subdomains within it, you probably don’t have to worry about brute forcing it. That should cut down on the number of scans you will need to do to find the answer.
Otherwise, you are definitely on the right track if you haven’t already solved it.
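An added example (not posted by anyone in this thread) that makes the Authority-section hint concrete: it reads the SOA record from dig output to decide whether a name is answered by the parent zone or by a delegated child zone, which is what tells you where a separate zone exists at all. The dig output below is constructed, and the child zone name dev.inlanefreight.htb is assumed for illustration.

```python
import re
from typing import Optional

# Constructed dig output: a name that does not exist directly under the parent
# zone. The SOA in the AUTHORITY section names the zone that answered.
SAMPLE_PARENT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; QUESTION SECTION:
;nothere.inlanefreight.htb.\tIN\tA

;; AUTHORITY SECTION:
inlanefreight.htb.\t604800\tIN\tSOA\tns.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
"""

# Constructed dig output: a name under an assumed delegated child zone. The SOA
# owner is now the child zone, not the parent, which is the pattern to look for.
SAMPLE_CHILD = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4712
;; QUESTION SECTION:
;nothere.dev.inlanefreight.htb.\tIN\tA

;; AUTHORITY SECTION:
dev.inlanefreight.htb.\t604800\tIN\tSOA\tns.inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
"""

# Owner name of an SOA record line: "<owner> <ttl> IN SOA ..."
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s", re.MULTILINE)

def soa_owner(dig_text: str) -> Optional[str]:
    """Return the owner name of the first SOA record in dig output, or None."""
    m = SOA_RE.search(dig_text)
    return m.group(1).rstrip(".").lower() if m else None

def delegated_zone(fqdn: str, parent_zone: str, dig_text: str) -> Optional[str]:
    """Return the child zone that answered for fqdn, or None if the parent zone
    itself answered (meaning there is no separate zone below it for that name)."""
    soa = soa_owner(dig_text)
    if soa is None:
        raise ValueError("no SOA record in dig output")
    parent = parent_zone.rstrip(".").lower()
    name = fqdn.rstrip(".").lower()
    if soa == parent:
        return None
    # A child zone must sit below the parent and must cover the queried name.
    if soa.endswith("." + parent) and (name == soa or name.endswith("." + soa)):
        return soa
    raise ValueError(f"SOA {soa} does not cover {fqdn}")
```

Run each FQDN from the initial enumeration through dig and feed the text to delegated_zone: names for which it returns a child zone are the ones worth listing separately.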
It is one of the shorter lists in the seclist/Discovery/DNS directory. There may be a couple in there that will yield what you need, but none of them are what is listed on the academy page example itself.
If you still can’t find the FQDN with x.x.x.203 from any of those, do a bit more enumeration on the subdomains that you have access to. Be thorough, because you may have missed something the first time.
Use this command and you will get the answer:
dnsenum --dnsserver 10.129.128.88 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/fierce-hostlist.txt dev.inlanefreight.htb