Dig Dug is another fun little free room on TryHackMe.com where you can learn to use the “dig” tool. dig (Domain Information Groper) is another command-line network administration tool for goofing around with the Domain Name System. dig is mainly useful for network troubleshooting and for educational purposes. Its behaviour is controlled through command-line options and flag arguments.
The dig tool is usually pre-installed on most Debian-based distributions. Its syntax is pretty simple and easy to pick up.
dig [@server] [name] [type]
Coming back to the room, join and start the machine. Wait a couple of minutes for the instance to load completely (the usual practice). The important thing here is the list of “pre-requisite” rooms related to DNS. They might help you solve this room more easily.
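As dig is really a simple tool, you can experiment just by changing the arguments. Here is a simple dig query. Note that without the @ prefix dig treats 10.10.27.27 as a name to look up and sends the question to the default resolver (8.8.8.8 in the output below), which is why the status comes back as NXDOMAIN: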
dig 10.10.27.27
; <<>> DiG 9.16.15-Debian <<>> 10.10.27.27
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63744
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;10.10.27.27. IN A
;; AUTHORITY SECTION:
. 86399 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2022051801 1800 900 604800 86400
;; Query time: 276 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; MSG SIZE rcvd: 115
Now you can also experiment with DNS record types like A, MX, AAAA, and TXT. If you are not sure which record type to look for, you can use the “ANY” keyword to ask for all of them.
dig 10.10.27.27 ANY
; <<>> DiG 9.16.15-Debian <<>> 10.10.27.27 ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43712
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;10.10.27.27. IN ANY
;; AUTHORITY SECTION:
. 86399 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2022051801 1800 900 604800 86400
;; Query time: 196 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; MSG SIZE rcvd: 115
That gives you a general idea of how the dig tool works. Now let's go for the flag to solve the room. This is not complex at all.
We have the IP address of our instance, and we are also given a name, “givemetheflag.com”, to query in order to grab the flag.
Let’s point dig at the IP of the instance with the @ prefix and pass the given website address as the name argument.
dig @10.10.27.27 givemetheflag.com
; <<>> DiG 9.16.15-Debian <<>> @10.10.27.27 givemetheflag.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54590
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;givemetheflag.com. IN A
;; ANSWER SECTION:
givemetheflag.com. 0 IN TXT "Your Flag Will Show Here"
;; Query time: 316 msec
;; SERVER: 10.10.27.27#53(10.10.27.27)
;; MSG SIZE rcvd: 86
This is how you can learn to look for different sorts of records in DNS; in this particular case it’s a TXT record. This technique can be helpful in passive recon during any engagement.
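To make the difference between the first and the last query explicit, here is an added example (not part of the original write-up) that parses dig output and reports the response code, whether the answer was authoritative (the aa flag), the answer count and which server replied. The names dig_summary, sample_default_resolver and sample_target_server are made up for illustration; the sample lines are the header lines from the outputs above.

```shell
#!/bin/sh
# Added example: summarise the header fields of dig output read from stdin.
# Prints: status=<rcode> aa=<yes|no> answers=<n> server=<ip>
dig_summary() {
    awk '
        /->>HEADER<<-/ {
            # e.g. ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63744"
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            # The flag list sits between "flags:" and the first ";" after it.
            line = $0
            sub(/^;; flags:/, "", line)
            split(line, parts, ";")
            aa = ((" " parts[1] " ") ~ / aa /) ? "yes" : "no"
            if (match($0, /ANSWER: [0-9]+/))
                answers = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; SERVER:/ {
            # e.g. ";; SERVER: 8.8.8.8#53(8.8.8.8)" -> keep only the address
            server = $3
            sub(/#.*/, "", server)
        }
        END {
            printf "status=%s aa=%s answers=%s server=%s\n", status, aa, answers, server
        }
    '
}

# Sample input: header lines copied from the first run above (dig 10.10.27.27).
sample_default_resolver() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63744
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; SERVER: 8.8.8.8#53(8.8.8.8)
EOF
}

# Sample input: header lines copied from the last run (dig @10.10.27.27 givemetheflag.com).
sample_target_server() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54590
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 10.10.27.27#53(10.10.27.27)
EOF
}

sample_default_resolver | dig_summary
sample_target_server | dig_summary
```

On a live system, pipe real output into it, for example dig @10.10.27.27 givemetheflag.com | dig_summary.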
Good write ups. Regards.