TryHackMe: Dig Dug
Dig Dug by TryHackMe and cmnatic
Oooh, turns out, this machine is also a DNS server! If we could dig into it, I am sure we could find some interesting records! But... it seems weird, this only responds to a special type of request for a givemetheflag.com domain?
Access this challenge by deploying both the vulnerable machine by pressing the green "Start Machine" button located within this task, and the TryHackMe AttackBox by pressing the "Start AttackBox" button located at the top-right of the page.
Use some common DNS enumeration tools installed on the AttackBox to get the DNS server on [MACHINE_IP] to respond with the flag.
Retrieve the flag from the DNS server!
From above we can see that the DNS server will only respond to special types of requests for givemetheflag.com, so let's remind ourselves about the DNS record types with a quick InsertSearchEngineVerbHere, and we end up at https://simpledns.plus/help/dns-record-types.
Now let's run through the various types using dig:
╰─○ dig ****** givemetheflag.com @[MACHINE_IP]
; <<>> DiG 9.18.1-1-Debian <<>> ****** givemetheflag.com @[MACHINE_IP]
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36625
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;givemetheflag.com. IN ******
;; ANSWER SECTION:
givemetheflag.com. 0 IN ****** "flag{************}"
;; Query time: 27 msec
;; SERVER: [MACHINE_IP]#53([MACHINE_IP]) (UDP)
;; WHEN: Thu May 19 23:18:52 BST 2022
;; MSG SIZE rcvd: 86
Answer:
;; ANSWER SECTION: givemetheflag.com. 0 IN ****** "flag{************}"
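Why the server can answer one record type and ignore the rest, as an added example that is not part of the original write-up: the record type travels as a 2-byte QTYPE field in the question, and the header line dig prints is a direct decoding of the first 12 bytes of the reply. The function names, the transaction id 0x1234 and the sample header are constructed for illustration, and the query is a minimal one without the EDNS options dig adds by default.

```python
import struct

# Record type numbers from the IANA DNS parameters registry (subset).
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid):
    """Build a one-question DNS query; only the QTYPE field differs per type."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)  # class IN


def parse_header(msg):
    """Decode the 12-byte header into the fields dig prints."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    names = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100), ("ra", 0x0080)]
    return {
        "id": txid,
        "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "flags": [n for n, bit in names if flags & bit],
        "counts": (qd, an, ns, ar),
    }


# Constructed header matching the dig output above: id 36625, flags "qr aa",
# NOERROR, QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0.
SAMPLE_HEADER = struct.pack("!HHHHHH", 36625, 0x8400, 1, 1, 0, 0)

if __name__ == "__main__":
    for qtype in QTYPES:
        print(qtype, build_query("givemetheflag.com", qtype, 0x1234).hex())
    print(parse_header(SAMPLE_HEADER))
```

On the server side the same QTYPE value is what a query log or a detection rule keys on when one record type for a name is queried far more than the others.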