Dig Dug

Image by tryhackme.com

Image by tryhackme.com

This is a short CTF that test your basic DNS knowledge. The room can be found on TryHackMe.

Use DNS server

(Optional) Change your DNS server on the THM AttackBox

The task text gives us a hint that the host is running a DNS server, that has a record that holds the flag.

To make use of the DNS server on the task as you system DNS server on your TryHackMe AttackBox, edit the resolve daemon config file.

sudo vim /etc/systemd/resolved.conf
/etc/systemd/resolved.conf
...
[Resolve]
DNS=10.10.139.220
...

The line with the DNS variable was uncommented, and the IP address of the task box was entered as the DNS value.

To apply the changes the resolve daemon must be restarted.

sudo systemctl restart systemd-resolved

DNS query

Get information from the DNS server

To query the DNS server for DNS records, the terminal tool dig can be used. Dig can use the default system-defined DNS server, or you can define what DNS server to query.

Because any string shorter than 255 characters can be stored in a TXT record, I decided to query the DNS server for those records hoping to find a flag.

To query the system-defined DNS server for txt-records, run dig like this:

dig givemetheflag.com txt

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> givemetheflag.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6355
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;givemetheflag.com.		IN	TXT

;; ANSWER SECTION:
givemetheflag.com.	0	IN	TXT	"flag{***REDACTED***}"

;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Jun 10 22:19:19 BST 2022
;; MSG SIZE  rcvd: 97

If you want to query any specific DNS server for txt-records, run dig like this:

dig @10.10.139.220 givemetheflag.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> @10.10.139.220 givemetheflag.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32749
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;givemetheflag.com.		IN	A

;; ANSWER SECTION:
givemetheflag.com.	0	IN	TXT	"flag{***REDACTED***}"

;; Query time: 0 msec
;; SERVER: 10.10.139.220#53(10.10.139.220)
;; WHEN: Fri Jun 10 22:36:41 BST 2022
;; MSG SIZE  rcvd: 86