Enumeration

As usual, we begin with a SYN scan across the full port range, which reveals that ports 22, 53 and 80 are open.

/tmp/tmp.3wf24EF4Fb ❯ hping3 -S --scan 1-65535 10.10.10.13 | grep -v "Not" 
Scanning 10.10.10.13 (10.10.10.13), port 1-65535
65535 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
All replies received. Done.
   22 ssh        : .S..A...  63     0 29200    44
   53 domain     : .S..A...  63     0 29200    44
   80 http       : .S..A...  63     0 29200    44

Other than confirming the hosted services, a more detailed Nmap scan targeting the open ports reveals nothing of consequence.

/tmp/tmp.3wf24EF4Fb ❯ nmap -A -p22,53,80 10.10.10.13 -oA general/nmap/safe_scan                       8s root@kali
Starting Nmap 7.92 ( https://nmap.org ) at 2024-06-03 12:19 NZST
Nmap scan report for target (10.10.10.13)
Host is up (0.045s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.8 (95%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 4.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   52.57 ms 10.10.16.1
2   26.42 ms target (10.10.10.13)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.37 seconds

Port 80 - HTTP

Nmap’s http-enum script and gobuster reveal no hidden folders and only index.html is visible.

/tmp/tmp.3wf24EF4Fb ❯ gobuster dir -r -u http://10.10.10.13 -w /usr/share/wordlists/dirb/common.txt | tee gobuster_from_root
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.13
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2024/06/03 12:26:09 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 290]
/.htaccess            (Status: 403) [Size: 295]
/.htpasswd            (Status: 403) [Size: 295]
/index.html           (Status: 200) [Size: 11439]
/server-status        (Status: 403) [Size: 299]

===============================================================
2024/06/03 12:26:34 Finished
===============================================================

Visiting the page shows the default Apache page (also confirmed by Wappalyzer), so we abandon this port for now.


Port 53 - DNS

We begin by finding the domain name using nslookup, via a reverse lookup of the target address.

/tmp/tmp.3wf24EF4Fb ❯ nslookup                                                                           root@kali
> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 10.10.10.13
13.10.10.10.in-addr.arpa        name = ns1.cronos.htb.
> exit

From there we successfully complete a zone transfer using dig, revealing 4 interesting hostnames.

/tmp/tmp.3wf24EF4Fb ❯ dig axfr cronos.htb @10.10.10.13                                            1m 46s root@kali

; <<>> DiG 9.17.19-3-Debian <<>> axfr cronos.htb @10.10.10.13
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 144 msec
;; SERVER: 10.10.10.13#53(10.10.10.13) (TCP)
;; WHEN: Mon Jun 03 12:48:37 NZST 2024
;; XFR size: 7 records (messages 1, bytes 203)
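From the defender's side, the problem above is a BIND server answering AXFR for anyone who asks; the fix is an explicit `allow-transfer { ... };` on the zone, and the detection is watching the `xfer-out` log for transfers served to peers outside that list. The following Python is an added example, not part of the original writeup: the log lines are constructed to mimic BIND's xfer-out format, and the secondary address 10.10.10.14 is a hypothetical allow-list entry.

```python
import re
from ipaddress import ip_address, ip_network

# Hypothetical peers permitted to pull the zone (what allow-transfer should list).
ALLOWED_TRANSFER_PEERS = [ip_network("10.10.10.14/32")]

# Constructed BIND log lines in xfer-out / queries style; not taken from the target.
SAMPLE_LOG = """\
03-Jun-2024 12:48:00.101 xfer-out: info: client 10.10.10.14#40100 (cronos.htb): transfer of 'cronos.htb/IN': AXFR started (serial 3)
03-Jun-2024 12:48:00.112 xfer-out: info: client 10.10.10.14#40100 (cronos.htb): transfer of 'cronos.htb/IN': AXFR ended
03-Jun-2024 12:48:37.004 xfer-out: info: client 10.10.16.5#53211 (cronos.htb): transfer of 'cronos.htb/IN': AXFR started (serial 3)
03-Jun-2024 12:48:37.021 xfer-out: info: client 10.10.16.5#53211 (cronos.htb): transfer of 'cronos.htb/IN': AXFR ended
03-Jun-2024 12:49:02.500 queries: info: client 10.10.16.5#53222 (www.cronos.htb): query: www.cronos.htb IN A +E(0) (10.10.10.13)
"""

# Match only the "started" line of a transfer so each transfer is reported once.
XFER_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<ctx>[^)]+)\): "
    r"transfer of '(?P<zone>[^/]+)/IN': (?P<kind>AXFR|IXFR) started"
)


def find_unauthorized_transfers(log_text, allowed=ALLOWED_TRANSFER_PEERS):
    """Return (client_ip, zone, kind) for every zone transfer that was served
    to a client not covered by the allow-list networks."""
    hits = []
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if not m:
            continue  # ordinary queries and "ended" lines are ignored
        client = ip_address(m.group("ip"))
        if not any(client in net for net in allowed):
            hits.append((str(client), m.group("zone"), m.group("kind")))
    return hits


if __name__ == "__main__":
    for client, zone, kind in find_unauthorized_transfers(SAMPLE_LOG):
        print(f"unauthorized {kind} of {zone} served to {client}")
```

With the sample above only the transfer to 10.10.16.5 is flagged; the legitimate secondary and the plain A query pass silently.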