nmap -p- T4 10.10.10.13
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
kali@kali:~$ nmap -sV -sC -p 22,53,80 10.10.10.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-08 19:09 EDT
Nmap scan report for 10.10.10.13
Host is up (0.095s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.19 seconds
vim /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
10.10.10.3 cronos.htb
dig axfr @10.10.10.13 cronos.htb
Zone transfers require DNS tcp, because our nmap scan showed this, we will perform a zone transfer. Doing so gives us the following:
kali@kali:$ dig axfr @10.10.10.13 cronos.htb
; <<>> DiG 9.16.6-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 95 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Thu Oct 08 22:15:08 EDT 2020
;; XFR size: 7 records (messages 1, bytes 203)
Found login page through DNS
