DNS Transfer: 150 | Notion

DNS servers need to be able to transfer zone information. However, this type of access should be password-protected at the very least.

In this case, the server running the CTF has a recon.icsi zone that is susceptible to unauthenticated zone transfer.

Identify the IP Address of your `ctf.local` instance.

ping ctf.local

In my case, and yours will be different, the IP Address of `ctf.local` is 192.168.228.22.

Perform a zone transfer to discover all subdomains.

dig axfr recon.icsi @192.168.228.22