Hack The Box — Dancing

Harshit
Jun 26, 2022

I wrote the walkthrough for the Dancing machine. #hackthebox #htb

Enumeration

As usual, let’s start with nmap:

nmap -sV IP

Replace IP with the IP address of the target machine (Dancing).

Note: The IP of our target machine will change all the time, so make sure you replace IP in the command above with the target machine’s IP. You can find the target’s IP directly from your Hack The Box account.

SMB (Server Message Block) is used to provide shared access to files between endpoints on a network. Port 445 is usually associated with SMB. An SMB-enabled storage on a network is called a share. The share can be accessed by anyone with the address of the server and the credentials to access it.

Let’s list the shares available on the server using:

smbclient -L 10.129.1.12

-L is used to list all the shares available.

SMB authentication always requires a username. If you don’t specify one, it will use your VM username as default.

We do not know the password. Let’s try our luck and just press Enter.

We can see 4 shares available!

Foothold

Let’s try to connect to the first share called ADMIN$ using:

smbclient \\\\10.129.1.12\\ADMIN$

Since we don’t know the password, when prompted for a password, let’s try our luck and just press Enter.

OK, it didn’t work: access is denied.

Let’s move on to the share C$

smbclient \\\\10.129.1.12\\C$

Access is denied.

Let’s move on to the share WorkShares

smbclient \\\\10.129.1.12\\WorkShares

When prompted for the password, just press Enter.

We got in! Looks like this was misconfigured, allowing us to log in without credentials!
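The share-by-share check above, written as a small POSIX shell audit that an administrator could run against their own file server. This is an added example, not part of the original walkthrough: the sample listing is constructed (IPC$ and the comment column are assumed typical defaults), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which disk shares accept a session with no password.

# Constructed sample of `smbclient -L` output. Share names follow the
# walkthrough; IPC$ and the comments are assumed typical defaults.
SAMPLE_LISTING='
    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    WorkShares      Disk
'

# Read a listing on stdin, print the names of Disk shares (one per line).
# Limitation: share names containing spaces are not handled.
disk_shares() {
    awk '$2 == "Disk" { print $1 }'
}

# Names ending in "$" are hidden administrative shares; the rest are custom.
classify_share() {
    case "$1" in
        *'$') echo "administrative" ;;
        *)    echo "custom" ;;
    esac
}

# Succeeds if the share root can be listed with an empty password (-N),
# the same as pressing Enter at the password prompt.
allows_passwordless() {
    smbclient -N "//$1/$2" -c 'ls' </dev/null >/dev/null 2>&1
}

# Print one line per disk share on host $1.
audit_host() {
    smbclient -N -L "$1" 2>/dev/null | disk_shares | while read -r share; do
        kind=$(classify_share "$share")
        if allows_passwordless "$1" "$share"; then
            echo "FINDING $share ($kind): readable without a password"
        else
            echo "ok      $share ($kind): no passwordless access"
        fi
    done
}

# Usage: sh smb_audit.sh <host>
if [ -n "${1:-}" ]; then audit_host "$1"; fi
```

A FINDING line marks a share whose permissions should be reviewed.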

Let’s list the files in the current directory using:

ls

There are 2 folders: one called Amy.J and one called James.P.

Let’s first check the folder Amy.J using the change directory command cd, then list its contents:

cd Amy.J
ls

There is a file called worknotes.txt

Let’s download this file onto our VM using the get command:

get worknotes.txt

Now go to your home directory on your VM and the file worknotes.txt should be there

Open the file worknotes.txt

OK, that’s not super helpful. Let’s keep looking.

Let’s get out of the Amy.J directory by typing:

cd ..

Now list the files in this directory again using:

ls

Now let’s check the James.P directory:

cd James.P
ls

That’s more interesting! There is a file called flag.txt

Let’s download this file onto our VM using the get command:

get flag.txt

Now open your home directory on your VM and the file flag.txt should be there:

Open flag.txt

Congratulations! You got the flag!
