# HTB Dancing Walkthrough [Tier 1]: SMB Enumeration

*Hack The Box's* ***Dancing*** *machine is part of the Tier 1 Starting Point series and introduces one of the most common services encountered during internal network assessments:* ***SMB (Server Message Block)****.*

## Machine Overview

| Category | Value |
| --- | --- |
| Platform | Hack The Box |
| Machine | Dancing |
| Difficulty | Tier 1 |
| Operating System | Windows |
| Primary Service | SMB |
| Skills Learned | SMB Enumeration, Share Discovery, Anonymous Access |

## Understanding SMB

SMB (Server Message Block) is a network protocol used primarily by Windows systems for file and printer sharing.

Some key facts:

*   Allows remote file access across a network
    
*   Commonly used in Windows environments
    
*   Supports authentication and access control
    
*   Frequently targeted during network enumeration
    

Modern SMB communication typically runs over **TCP port 445**.

## Initial Enumeration

The first step is identifying open ports and running services.

```bash
nmap -sC -sV <TARGET_IP>
```

The scan reveals:

```text
445/tcp open  microsoft-ds
```

From the scan results we can determine:

*   Port **445** is open
    
*   Service detected: **microsoft-ds**
    
*   Target operating system: **Windows**
    

## Question 1: What does SMB stand for?

### Answer

`Server Message Block`

SMB enables systems to share files, directories, and other resources across a network.

## Question 2: What port does SMB use?

### Answer

`445`

Although older implementations used NetBIOS over port 139, modern SMB operates directly over TCP port 445.

## Question 3: What service name appears on port 445?

### Answer

`microsoft-ds`

This service identifier is commonly associated with SMB services running on Windows hosts.

## Question 4: What operating system is running?

### Answer

`Windows`

Both SMB behavior and service detection indicate a Windows-based machine.

## Enumerating SMB Shares

Next, enumerate available shares without credentials.

```bash
smbclient -L //<TARGET_IP> -N
```

Example output:

```text
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
WorkShares      Disk
```

### Analysis

Four shares are exposed:

| Share | Purpose |
| --- | --- |
| ADMIN$ | Administrative share |
| C$ | Default system drive |
| IPC$ | Inter-process communication |
| WorkShares | User-accessible file share |

## Question 5: How many shares are available?

### Answer

`4`

The enumeration output shows four available shares.

## Accessing the Shares

Now test whether any share permits anonymous access.

Attempt to connect:

```bash
smbclient //<TARGET_IP>/WorkShares -U anonymous
```

When prompted for a password, simply press **Enter**.

Connection succeeds.

## Question 6: Which share allows access with a blank password?

### Answer

`WorkShares`

This share can be accessed anonymously, making it the primary attack surface for the challenge.

## Working Inside the SMB Shell

After connecting, you'll be dropped into the SMB interactive shell.

Useful commands:

```bash
ls
cd <directory>
pwd
get <filename>
mget *
exit
```

## Question 7: Which command downloads files?

### Answer

`get`

Example:

```bash
get flag.txt
```

To download multiple files:

```bash
mget *
```

## Exploring WorkShares

List the contents of the share:

```bash
ls
```

Output:

```text
Amy.J
James.P
```

The share contains directories belonging to two users.

Navigate into a directory:

```bash
cd James.P
```

List files:

```bash
ls
```

Continue exploring the available folders until a file containing the flag is discovered.

## Retrieving the Flag

Once the flag file is located:

```bash
get flag.txt
```

Exit the SMB shell:

```bash
exit
```

Read the downloaded file:

```bash
cat flag.txt
```

The contents reveal the challenge flag.

## Attack Path Summary

The complete workflow was:

1.  Scan the target with Nmap
    
2.  Identify SMB running on port 445
    
3.  Enumerate available SMB shares
    
4.  Discover the `WorkShares` share
    
5.  Access the share anonymously
    
6.  Browse user directories
    
7.  Download files using `get`
    
8.  Retrieve and read the flag
    

## Commands Used

```bash
nmap -sC -sV <TARGET_IP>

smbclient -L //<TARGET_IP> -N

smbclient //<TARGET_IP>/WorkShares -U anonymous

ls

cd <directory>

get <filename>

cat flag.txt
```

## Key Takeaways

This machine demonstrates several important enumeration concepts:

*   Open SMB services should always be investigated.
    
*   Anonymous SMB access can expose sensitive files.
    
*   Share enumeration is often enough to gain initial footholds in Windows environments.
    
*   Simple tools such as `smbclient` can reveal valuable information without requiring credentials.
    

For beginners, **Dancing** provides an excellent introduction to SMB enumeration and Windows share discovery while reinforcing the importance of thorough reconnaissance.

## Conclusion

The Dancing machine is a straightforward but valuable exercise for anyone beginning their Hack The Box journey. It teaches the fundamentals of SMB enumeration, anonymous share access, and file retrieval while emphasizing the importance of methodical reconnaissance.

By understanding how to identify accessible shares and navigate SMB resources, you'll build skills that frequently appear in real-world network assessments and more advanced CTF challenges.
