HTB Dancing Walkthrough [Tier 1]: SMB Enumeration
In this walkthrough, we'll enumerate SMB shares, identify anonymously accessible resources, navigate the file structure, and retrieve the challenge flag while learning the fundamentals of Windows file sharing.
Hack The Box's Dancing machine is part of the Tier 1 Starting Point series and introduces one of the most common services encountered during internal network assessments: SMB (Server Message Block).
Machine Overview
| Category | Value |
|---|---|
| Platform | Hack The Box |
| Machine | Dancing |
| Difficulty | Tier 1 |
| Operating System | Windows |
| Primary Service | SMB |
| Skills Learned | SMB Enumeration, Share Discovery, Anonymous Access |
Understanding SMB
SMB (Server Message Block) is a network protocol used primarily by Windows systems for file and printer sharing.
Some key facts:
- Allows remote file access across a network
- Commonly used in Windows environments
- Supports authentication and access control
- Frequently targeted during network enumeration
Modern SMB communication typically runs over TCP port 445.
Initial Enumeration
The first step is identifying open ports and running services.
```bash
nmap -sC -sV <TARGET_IP>
```
The scan reveals:
```
445/tcp open microsoft-ds
```
From the scan results we can determine:
- Port 445 is open
- Service detected: microsoft-ds
- Target operating system: Windows
Question 1: What does SMB stand for?
Answer
Server Message Block
SMB enables systems to share files, directories, and other resources across a network.
Question 2: What port does SMB use?
Answer
445
Although older implementations used NetBIOS over port 139, modern SMB operates directly over TCP port 445.
Question 3: What service name appears on port 445?
Answer
microsoft-ds
This service identifier is commonly associated with SMB services running on Windows hosts.
Question 4: What operating system is running?
Answer
Windows
Both SMB behavior and service detection indicate a Windows-based machine.
Enumerating SMB Shares
Next, enumerate available shares without credentials.
```bash
smbclient -L //<TARGET_IP> -N
```
Example output:
```
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
WorkShares      Disk
```
Analysis
Four shares are exposed:
| Share | Purpose |
|---|---|
| ADMIN$ | Administrative share |
| C$ | Default system drive |
| IPC$ | Inter-process communication |
| WorkShares | User-accessible file share |
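When auditing your own hosts, the same listing can be triaged automatically. The following is an added example, not part of the original walkthrough: it parses `smbclient -L` output and separates Windows default administrative shares from custom disk shares whose permissions deserve a review. The function names, the default-share pattern and the embedded sample are assumptions of this example.

```python
import re

# Constructed sample: the share listing shown in this walkthrough.
SAMPLE_LISTING = """\
    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    WorkShares      Disk
"""

# One table row: share name, a known share type, optional comment.
# Assumption: share names do not themselves contain " Disk ", " IPC " or " Printer ".
ROW = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<type>Disk|IPC|Printer)\s*(?P<comment>.*)$")
HEADER = re.compile(r"^\s*Sharename\s+Type\s+Comment")
# Shares Windows creates by default: ADMIN$, IPC$, PRINT$ and drive letters such as C$.
DEFAULT_SHARE = re.compile(r"^(ADMIN\$|IPC\$|PRINT\$|[A-Z]\$)$", re.IGNORECASE)


def parse_shares(listing):
    """Return one dict per share found in the table of an `smbclient -L` listing."""
    shares, in_table = [], False
    for line in listing.splitlines():
        if HEADER.match(line):
            in_table = True
            continue
        if not in_table:
            continue
        if not line.strip():
            break  # a blank line ends the share table
        row = ROW.match(line)
        if row:  # the dashed separator line does not match and is skipped
            shares.append({
                "name": row["name"],
                "type": row["type"],
                "comment": row["comment"].strip(),
                "default": bool(DEFAULT_SHARE.match(row["name"])),
            })
    return shares


def shares_to_review(shares):
    """Custom disk shares: the ones whose ACLs and guest access should be checked."""
    return [s["name"] for s in shares if s["type"] == "Disk" and not s["default"]]


if __name__ == "__main__":
    print(shares_to_review(parse_shares(SAMPLE_LISTING)))
```
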
Question 5: How many shares are available?
Answer
4
The enumeration output shows four available shares.
Accessing the Shares
Now test whether any share permits anonymous access.
Attempt to connect:
```bash
smbclient //<TARGET_IP>/WorkShares -U anonymous
```
When prompted for a password, simply press Enter.
The connection succeeds.
Question 6: Which share allows access with a blank password?
Answer
WorkShares
This share can be accessed anonymously, making it the primary attack surface for the challenge.
Working Inside the SMB Shell
After connecting, you'll be dropped into the SMB interactive shell.
Useful commands:
```
ls
cd <directory>
pwd
get <filename>
mget *
exit
```
Question 7: Which command downloads files?
Answer
get
Example:
```
get flag.txt
```
To download multiple files:
```
mget *
```
Exploring WorkShares
List the contents of the share:
```
ls
```
Output:
```
Amy.J
James.P
```
The share contains directories belonging to two users.
Navigate into a directory:
```
cd James.P
```
List files:
```
ls
```
Continue exploring the available folders until a file containing the flag is discovered.
Retrieving the Flag
Once the flag file is located:
```
get flag.txt
```
Exit the SMB shell:
```
exit
```
Read the downloaded file:
```bash
cat flag.txt
```
The contents reveal the challenge flag.
Attack Path Summary
The complete workflow was:
1. Scan the target with Nmap
2. Identify SMB running on port 445
3. Enumerate available SMB shares
4. Discover the `WorkShares` share
5. Access the share anonymously
6. Browse user directories
7. Download files using `get`
8. Retrieve and read the flag
Commands Used
```bash
nmap -sC -sV <TARGET_IP>
smbclient -L //<TARGET_IP> -N
smbclient //<TARGET_IP>/WorkShares -U anonymous
ls
cd <directory>
get <filename>
cat flag.txt
```
Key Takeaways
This machine demonstrates several important enumeration concepts:
- Open SMB services should always be investigated.
- Anonymous SMB access can expose sensitive files.
- Share enumeration is often enough to gain initial footholds in Windows environments.
- Simple tools such as `smbclient` can reveal valuable information without requiring credentials.
For beginners, Dancing provides an excellent introduction to SMB enumeration and Windows share discovery while reinforcing the importance of thorough reconnaissance.
Conclusion
The Dancing machine is a straightforward but valuable exercise for anyone beginning their Hack The Box journey. It teaches the fundamentals of SMB enumeration, anonymous share access, and file retrieval while emphasizing the importance of methodical reconnaissance.
By understanding how to identify accessible shares and navigate SMB resources, you'll build skills that frequently appear in real-world network assessments and more advanced CTF challenges.



