DEV Community

shiahalan

Dancing | HackTheBox Write-up

Introduction

This box is a basic introduction to SMB (Server Message Block). In order to obtain the flag, we simply need to find an available share that we can connect to without a password. From there, we can download the file containing the flag. We use a few basic commands: nmap, ping, smbclient, ls, cat, cd, and get.

Enumeration

To start off, we ping the target (send an ICMP Echo request) to check whether it is alive.

Since we are getting a response back, the target is indeed alive.

Next, we enumerate the ports on the target machine to see what services are available. We can achieve this using nmap (network mapper). I will also be using the -sV flag to check each service's version information.

We can see that on port 445 there is a service named microsoft-ds. A quick Google search shows that this is SMB (Server Message Block).

SMB (Server Message Block)

We can attempt to access this SMB server using the smbclient command. Before we try to establish a connection to a share on the SMB server, we list the shares that exist. We can accomplish this by using the smbclient command with the -L flag.

We can see four listed shares. We can try to access a share using the smbclient command with the format: smbclient //targetIP/sharename.

Upon trying to access each share, we see that the only share accessible without entering a password is the WorkShares share.

Using the ls command, we can list directories and files while connected to the share.

Upon changing directories using cd, we can spot the flag.txt file located in the directory named James.P.

In order to download the file to our computer, we can use the get command.

After downloading the file successfully to our computer, we can simply cat the file to see the contents of flag.txt!

We have captured the flag!
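
The blank-password access found on WorkShares is something you can check for on a server you administer. The script below is an added example, not part of the original write-up: it lists a host's disk shares and reports which ones open with no password. It assumes smbclient's grepable listing (-g, one Type|Name|Comment line per share); the sample listing is constructed, and only the WorkShares name comes from this page.

```shell
#!/bin/sh
# Added example (not from the original write-up): report which disk shares on
# a host you administer can be opened with a blank password.

# Constructed sample of `smbclient -g -L` output (Type|Name|Comment per line).
# Only the WorkShares name comes from the page; the rest are Windows defaults.
SAMPLE_LISTING='Disk|ADMIN$|Remote Admin
Disk|C$|Default share
IPC|IPC$|Remote IPC
Disk|WorkShares|'

# Read a grepable share listing on stdin and print the disk share names.
disk_shares() {
    awk -F'|' '$1 == "Disk" { print $2 }'
}

# Succeed only if the share's root can be listed with no password (-N).
# stdin is redirected so smbclient cannot consume the caller's share list.
share_allows_blank_password() {
    smbclient -N "//$1/$2" -c 'ls' </dev/null >/dev/null 2>&1
}

# Print "OPEN <share>" or "ok <share>" for every disk share on host $1.
audit_host() {
    smbclient -N -g -L "$1" 2>/dev/null | disk_shares |
    while IFS= read -r share; do
        if share_allows_blank_password "$1" "$share"; then
            echo "OPEN $share"
        else
            echo "ok $share"
        fi
    done
}

# Run against the host given on the command line, if any.
if [ "$#" -ge 1 ]; then
    audit_host "$1"
fi
```

Any OPEN line for a share that is meant to require credentials is the finding to fix on the server side.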

Various Questions:

What does the 3-letter acronym SMB stand for?
Server Message Block

What port does SMB use to operate at?
445

What is the service name for port 445 that came up in our Nmap scan?
microsoft-ds

What is the 'flag' or 'switch' that we can use with the smbclient utility to 'list' the available shares on Dancing?
-L

How many shares are there on Dancing?
4

What is the name of the share we are able to access in the end with a blank password?
WorkShares

What is the command we can use within the SMB shell to download the files we find?
get

Submit root flag
Try it yourself :)
