Dig Dug by TryHackMe and cmnatic
Oooh, turns out, this machine is also a DNS server! If we could
diginto it, I am sure we could find some interesting records! But... it seems weird, this only responds to a special type of request for agivemetheflag.comdomain?Access this challenge by deploying both the vulnerable machine by pressing the green "Start Machine" button located within this task, and the TryHackMe AttackBox by pressing the "Start AttackBox" button located at the top-right of the page.
Use some common DNS enumeration tools installed on the AttackBox to get the DNS server on [MACHINE_IP] to respond with the flag.
Check out similar content on TryHackMe:
Retrieve the flag from the DNS server!
From above we can see that the DNS server will only respond to special types of requests for givemetheflag.com, so let's remind ourselves about the types of DNS with a quick InsertSearchEngineVerbHere and we end up at https://simpledns.plus/help/dns-record-types.
Now let's run through the various types using dig
╰─○ dig ****** givemetheflag.com @[MACHINE_IP]
; <<>> DiG 9.18.1-1-Debian <<>> ****** givemetheflag.com @[MACHINE_IP]
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36625
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;givemetheflag.com. IN ******
;; ANSWER SECTION:
givemetheflag.com. 0 IN ****** "flag{************}"
;; Query time: 27 msec
;; SERVER: [MACHINE_IP]#53([MACHINE_IP]) (UDP)
;; WHEN: Thu May 19 23:18:52 BST 2022
;; MSG SIZE rcvd: 86
Answer:
;; ANSWER SECTION: givemetheflag.com. 0 IN ****** "flag{************}"