
DNS servers need to be able to transfer zone information. However, this type of access should be password-protected at the very least.
- In this case, the server running the CTF has a
recon.icsi zone that is susceptible to unauthenticated zone transfer.
Identify the IP Address of your ctf.local instance.
ping ctf.local

In my case, and yours will be different, the IP Address of ctf.local is 192.168.228.22.
- Perform a zone transfer to discover all subdomains.
dig axfr recon.icsi @192.168.228.22
