HTB Labs — Tier 0 — “Dancing” Machine Walkthrough | By CyberAlp0

Hey Folks, this is CyberAlp0. Back again with a new walkthrough powered by HTB, Tier 0, named “Dancing”. This machine covers tasks related to the SMB protocol. Throughout this blog, you will be guided towards finding the flag of the machine by exploiting the SMB protocol.
SMB stands for Server Message Block, which is a network protocol used for file sharing, printer sharing, and communication between computers in a network. SMB enables shared access to files, directories, printers, and other resources among devices within a network.
Here is how we go about it.
Step 1: Connecting to the Starting Point Labs Servers.
To attack the target machine, you have to be on the same network. You can read my blog post, which will guide you step by step through connecting to the target machine.
Step 2: Spawning the Machine and Starting to Solve the Tasks.
Task 1: What does the 3-letter acronym SMB stand for?
Answer: Server Message Block.
Task 2: What port does SMB use to operate at?
Answer: 445
Walkthrough:
The default port for the SMB (Server Message Block) protocol is TCP port 445. This port is used for communication between SMB clients and servers for file sharing, printer sharing, and other network communication related to SMB.
Task 3: What is the service name for port 445 that came up in our Nmap scan?
Answer: Microsoft-ds?
Walkthrough:
We can use two different scanner tools, Nmap and Rustscan. Since Nmap is my favorite, we will run the following command to learn the name of the service that runs on port 445.
nmap -sV -sC -A 10.129.172.206

We will notice that the service running on port 445 is reported as “Microsoft-ds?”. The trailing question mark is Nmap's way of saying that the service name is a guess based on the port rather than one confirmed by its version probes.
Task 4: What is the ‘flag’ or ‘switch’ that we can use with the smbclient utility to ‘list’ the available shares on Dancing?
Answer: -L
Walkthrough:
We already know that SMB is the “Server Message Block” protocol, which runs over port 445 to establish communication between SMB clients and servers for sharing files, printers, and other network-shareable resources.
To list all the shared files or devices, you type the -L flag after the smbclient command, followed by the IP of the target, to view and list the shares.
smbclient -L 10.129.172.206
Note that the listing flag is a capital letter, not a lowercase one. Also, you have to type sudo before the command.


We will notice that there is a “$” beside some of the shares, which means that these are administrative shares. The trailing “$” marks a hidden share: it does not show up in normal browse lists, and Windows creates these shares by default for remote administration.
Task 5: How many shares are there on Dancing?
Answer: 4
Walkthrough:
By using the listing command from the previous task, we find that the number of shares is 4. Their names are shown in the screenshot below.

Note that a share is a local resource on the server that is accessible to SMB clients on the network. Typically a share is a directory; for example, shares are used to provide network access to the home directories on a network file server, where each user is assigned a home directory.
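As an added example that is not part of the original post, here is a small Python script that turns `smbclient -L` output into a share inventory, separating the administrative “$” shares from Task 4 from the user shares counted in Task 5 so that the latter can be reviewed for guest or anonymous access. The listing it parses is constructed: ADMIN$, C$ and IPC$ are typical Windows defaults (not read from the target), and WorkShares is the share named in this walkthrough.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of `smbclient -L <target>` output, not captured from the
# page's target: ADMIN$, C$ and IPC$ are typical Windows defaults, WorkShares
# is the share named in the walkthrough.
SAMPLE_LISTING = """\
\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tWorkShares      Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
"""

# One share row: leading whitespace, name, type, optional comment.
SHARE_LINE = re.compile(r"^\s+(\S+)\s+(Disk|IPC|Printer)\b\s*(.*)$")

@dataclass
class Share:
    name: str
    kind: str
    comment: str

    @property
    def administrative(self) -> bool:
        # A trailing "$" marks a hidden/administrative share (ADMIN$, C$, IPC$).
        return self.name.endswith("$")

def parse_listing(text: str) -> list[Share]:
    """Pull the share rows out of smbclient -L output, skipping the header,
    the separator line and the SMB1 workgroup chatter at the bottom."""
    shares = []
    for line in text.splitlines():
        match = SHARE_LINE.match(line)
        if match:
            shares.append(Share(match.group(1), match.group(2), match.group(3).strip()))
    return shares

def review(shares: list[Share]) -> dict:
    """Inventory for a share review: administrative shares are expected on a
    Windows host, while a non-administrative Disk share (WorkShares here) is
    the one whose permissions and guest/anonymous access settings need a check."""
    admin = [s.name for s in shares if s.administrative]
    user_disk = [s.name for s in shares if not s.administrative and s.kind == "Disk"]
    return {"total": len(shares), "administrative": admin, "review": user_disk}
```

Running `review(parse_listing(SAMPLE_LISTING))` reports 4 shares, three administrative and WorkShares as the one to review.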
Task 6: What is the name of the share we can access in the end with a blank password?
Answer: workshares
Walkthrough:
This is the share that requires no password when you try to connect to it. If you try to connect to any of the other shares that carry a “$” sign, you will not be permitted, as these shares belong to the admin.
To connect to the WorkShares share, just type the following command:
smbclient --no-pass //10.129.1.12/WorkShares

Note that I have restarted the machine, which is why the IP is different.
Task 7: What is the command we can use within the SMB shell to download the files we find?
Answer: get
Walkthrough:
After listing what is inside the WorkShares directory, we can navigate into and open the directory of each user (James.P & Emy.J) to search for the flag.
We can download the flag using the get command.

The Root Flag for “Dancing” Machine — TIER 0 — Starting Point Phase is: 5f61c10dffbc77a704d76016a22f1664.
Hope you enjoyed reading my blog about solving the Dancing machine from HTB — Tier 0 — Starting Point Phase.
See You in another write-up!