Hack The Box Starting Point: Dancing Walkthrough
Welcome to the third walkthrough in our Hack The Box Starting Point series. If you completed Meow and Fawn, you're already familiar with basic enumeration, port scanning, and service interaction. Now we're moving on to Dancing, which introduces you to SMB (Server Message Block) and network share enumeration.
Dancing builds on what you learned by teaching you how to enumerate and access Windows file shares. You'll learn about the SMB protocol, network share enumeration, and how misconfigured shares can expose sensitive data.
By the end of this post, you'll understand:
- What SMB is and how it works
- How to enumerate SMB shares
- The risks of unsecured network shares
- How to connect to and browse SMB shares
- How to download files from SMB shares
- The difference between SMB and other file sharing protocols
Let's get started.
The Objective
Dancing is a very easy Windows machine that teaches SMB enumeration and network share access. Your goal is to:
- Connect to the HTB network and spawn the machine
- Enumerate the target to find SMB running
- List available SMB shares
- Connect to an accessible share
- Browse and download files to find the flag
What you'll learn:
- SMB protocol basics
- Port scanning and service identification
- SMB share enumeration
- Using smbclient to access shares
- Network share security risks
Difficulty: Very Easy (Tier 0)
Initial Setup
Connecting to HTB Network
If you haven't already, connect to the HTB network using OpenVPN (or use Pwnbox). Make sure you're connected before proceeding.
Spawning the Machine
- Go to the Starting Point page
- Find the Dancing machine
- Click "Spawn Machine" - this starts the vulnerable VM
- Wait a minute or two for it to boot up
- Note the target IP address - you'll need this for all your commands
Step 1: Reconnaissance
Verifying Connectivity with Ping
First, let's verify we can reach the target machine using ping:
ping -c 4 <target_ip>
Expected output:
PING <target_ip> (<target_ip>) 56(84) bytes of data.
64 bytes from <target_ip>: icmp_seq=1 ttl=127 time=XX ms
64 bytes from <target_ip>: icmp_seq=2 ttl=127 time=XX ms
64 bytes from <target_ip>: icmp_seq=3 ttl=127 time=XX ms
64 bytes from <target_ip>: icmp_seq=4 ttl=127 time=XX ms
--- <target_ip> ping statistics ---
4 packets transmitted, 4 received, 0% packet loss
If you see responses, you're connected! Note that the TTL value (127) suggests this is a Windows machine (Linux typically shows 64).
Step 2: Port Scanning
Finding Open Ports with Nmap
Now let's scan for open ports using nmap:
nmap -sV <target_ip>
What this does:
- nmap: Port scanning tool
- -sV: Version detection (identifies service versions and OS)
- <target_ip>: The target machine's IP address
Expected output:
Starting Nmap 7.94 ( https://nmap.org ) at 2026-02-01 12:00 UTC
Nmap scan report for <target_ip>
Host is up (0.XXs latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Microsoft Windows Server 2019 - 2022 microsoft-ds
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2026-02-01T12:00:00
|_ start_date: N/A
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
What we learned:
- Port 445/tcp is open
- The service name for port 445 that came up in our Nmap scan is microsoft-ds
- This is a Windows machine (Windows Server 2019 - 2022)
- SMB is running and accessible
Understanding SMB
What does the 3-letter acronym SMB stand for? → SMB stands for Server Message Block.
What port does SMB use to operate at? → SMB uses port 445.
What is SMB? SMB is a network file sharing protocol primarily used by Windows systems. It allows computers to share files, printers, and other resources over a network.
Key characteristics of SMB:
- Originally developed by IBM in the 1980s
- Microsoft adopted and extended it (now called CIFS - Common Internet File System)
- Used for Windows file and printer sharing
- Can be accessed from Linux using tools like smbclient
- Supports authentication (username/password)
- Can allow anonymous/guest access if misconfigured
SMB versions:
- SMBv1: Old, insecure, should be disabled
- SMBv2: Improved performance and security
- SMBv3: Enhanced security with encryption (Windows 8+)
Security considerations:
- SMBv1 has known vulnerabilities (like EternalBlue)
- Unsecured shares can expose sensitive data
- Guest/anonymous access should be disabled
- SMB should be restricted to internal networks only
Step 3: SMB Enumeration
Listing Available Shares
Now that we know SMB is running, let's enumerate the available shares. We'll use smbclient, a command-line tool for interacting with SMB shares.
What is the 'flag' or 'switch' that we can use with the smbclient utility to 'list' the available shares on Dancing? → -L
The command to list shares is:
smbclient -L <target_ip>
What this does:
- smbclient: SMB client tool (part of Samba suite)
- -L: List available shares
- <target_ip>: Target machine IP address
Expected output:
Enter WORKGROUP\root's password:
It's asking for a password. For enumeration, we can try pressing Enter (blank password) or use the -N flag to skip the password prompt:
smbclient -L <target_ip> -N
What -N does:
- -N: No password (suppress password prompt)
Expected output:
Sharename Type Comment
--------- ---- --------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
SMB1 disabled -- no workgroup available
What we learned:
- How many shares are there on Dancing? → There are 4 shares total:
  - ADMIN$: Administrative share (usually requires admin credentials)
  - C$: Default C drive share (usually requires admin credentials)
  - IPC$: Inter-process communication share (used for system functions)
  - WorkShares: A custom share (this is likely accessible!)
Understanding SMB Shares
What are SMB shares? Shares are directories or drives that have been made accessible over the network. Each share has:
- A name (like WorkShares or C$)
- Permissions (who can access it)
- Type (Disk for file shares, IPC for system communication)
Default Windows shares:
- C$: C drive (administrative)
- ADMIN$: Windows system directory (administrative)
- IPC$: Inter-process communication (system)
- PRINT$: Printer drivers (if printers are shared)
Custom shares:
- Created by administrators or users
- Often named descriptively (like WorkShares, Documents, Public)
- May have weaker permissions than default shares
Step 4: Accessing the Share
Connecting to WorkShares
Based on our enumeration, WorkShares looks like the most likely candidate for anonymous access. Let's try to connect to it.
What is the name of the share we are able to access in the end with a blank password? → WorkShares
The command to connect to a share is:
smbclient //<target_ip>/WorkShares -N
What this does:
- smbclient: SMB client tool
- //<target_ip>/WorkShares: UNC path to the share (format: //server/share)
- -N: No password (blank password)
Expected output:
Try "help" for a list of possible commands.
smb: \>
Success! We're connected to the share. The smb: \> prompt means we're in the SMB shell and can run SMB commands.
Understanding the SMB Shell
Once connected, you're in an interactive SMB shell. This is similar to an FTP client: you can browse directories, list files, and download files.
Common SMB shell commands:
- help: Show available commands
- ls or dir: List files and directories
- cd <directory>: Change directory
- get <file>: Download a file
- put <file>: Upload a file (if you have write permissions)
- exit or quit: Exit the SMB shell
Step 5: Browsing the Share
Listing Files and Directories
Let's see what's in the WorkShares directory:
ls
Expected output:
. D 0 Mon Jun 7 12:00:00 2021
.. D 0 Mon Jun 7 12:00:00 2021
.notes.txt A 94 Mon Jun 7 12:00:00 2021
Amy.J D 0 Mon Jun 7 12:00:00 2021
James.P D 0 Mon Jun 7 12:00:00 2021
51175 blocks of size 4096. 204700 blocks available
What we see:
- .notes.txt: A text file (94 bytes)
- Amy.J: A directory (likely a user folder)
- James.P: A directory (likely a user folder)
Let's check the .notes.txt file first, then explore the directories.
Reading .notes.txt
get .notes.txt
What this does:
- get: Downloads the file to your local machine
Expected output:
getting file \.notes.txt of size 94 as .notes.txt (XX.X KiloBytes/sec) (average XX.X KiloBytes/sec)
Now exit the SMB shell and read the file locally:
exit
Then read the file:
cat .notes.txt
Expected output:
Some notes on SMB
This might give us hints, but let's also check the user directories.
Exploring User Directories
Let's reconnect and check the directories:
smbclient //<target_ip>/WorkShares -N
Then explore the directories:
cd Amy.J
ls
Expected output:
. D 0 Mon Jun 7 12:00:00 2021
.. D 0 Mon Jun 7 12:00:00 2021
worknotes.txt A 156 Mon Jun 7 12:00:00 2021
Let's check James.P as well:
cd ..
cd James.P
ls
Expected output:
. D 0 Mon Jun 7 12:00:00 2021
.. D 0 Mon Jun 7 12:00:00 2021
flag.txt A 32 Mon Jun 7 12:00:00 2021
Found it! There's a flag.txt file in James.P's directory.
Step 6: Downloading the Flag
Using the Get Command
Now we need to download the flag file. What is the command we can use within the SMB shell to download the files we find? → get
get flag.txt
What this does:
- get: Downloads a file from the SMB share to your local machine
- flag.txt: The file to download
Expected output:
getting file \James.P\flag.txt of size 32 as flag.txt (XX.X KiloBytes/sec) (average XX.X KiloBytes/sec)
Success! The file has been downloaded to your local machine.
Exiting SMB
Now let's exit the SMB shell:
exit
Or you can use:
quit
Both commands will close the SMB connection and return you to your terminal.
Step 7: Reading the Flag
Viewing the Flag Contents
The file flag.txt should now be in your current directory. Let's read it:
cat flag.txt
Expected output:
<flag_content>
Success! You've found the flag. Copy this and submit it on the HTB platform to mark the machine as complete.
Understanding What We Did
Let's break down what we accomplished:
- Reconnaissance: Verified connectivity with ping
- Enumeration: Discovered SMB running on port 445 using nmap
- Service identification: Identified microsoft-ds service
- Share enumeration: Listed available shares with smbclient -L
- Share access: Connected to WorkShares with anonymous access
- File browsing: Explored directories and found flag.txt
- File download: Retrieved the flag using the get command
This demonstrates the complete penetration testing methodology: recon → enumerate → exploit → post-exploit.
HTB Task Answers Summary
If you're working through HTB's questions, here are the answers:
- What does the 3-letter acronym SMB stand for? → Server Message Block
- What port does SMB use to operate at? → 445
- What is the service name for port 445? → microsoft-ds
- What flag lists available shares with smbclient? → -L
- How many shares are there on Dancing? → 4
- What share is accessible with blank password? → WorkShares
- What command downloads files in SMB shell? → get
Key Takeaways
What You Learned
- SMB basics: Server Message Block protocol, port 445, how it works
- Service identification: Recognizing microsoft-ds as SMB service
- Share enumeration: Using smbclient -L to list available shares
- Anonymous access: The risks of allowing unsecured share access
- SMB client usage: Connecting to shares and browsing files
- File operations: Using get to download files from shares
- Directory traversal: Exploring nested directories to find files
Why This Matters in Real Penetration Testing
Unsecured SMB shares are a common finding in:
- Internal corporate networks
- Windows environments with relaxed security
- Legacy systems that haven't been hardened
- Development and testing environments
What this teaches you:
- Always enumerate SMB shares during network assessments
- Look for custom shares with weak permissions
- Check for sensitive files in user directories
- Understand that convenience often conflicts with security
In real assessments:
- Unsecured SMB shares often expose:
- User documents and files
- Configuration files
- Backup files
- Credentials stored in files
- Internal documentation
- Source code
Common SMB vulnerabilities:
- Anonymous/guest access enabled
- Weak or default passwords
- SMBv1 enabled (vulnerable to EternalBlue)
- Shares accessible from internet
- Overly permissive share permissions
Security Lessons
For System Administrators
Never allow anonymous SMB access:
- Disable guest access: net user guest /active:no and configure via Group Policy
- Require authentication for all shares
- Use strong passwords for all SMB users
- Disable SMBv1 (vulnerable and outdated)
- Restrict SMB to internal networks only (firewall rules)
Secure SMB configurations:
- Disable guest access in Group Policy
- Use SMBv3 with encryption when possible
- Implement least privilege (users only access what they need)
- Regular audits: Scan for open SMB shares
- Monitor SMB access logs for suspicious activity
Best practices:
- Use network segmentation to isolate SMB traffic
- Implement access controls based on user roles
- Encrypt SMB traffic (SMBv3 encryption)
- Regular security assessments
- User training on secure file sharing
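One way to run the regular share audit recommended above, separating default shares from custom ones as described under "Understanding SMB Shares". This is an added example, not part of the original walkthrough: the function names, the sample_smbclient stand-in and the 192.0.2.10 address are constructed for the demo, and the access check assumes smbclient returns a non-zero exit status when the listing is refused.

```sh
#!/bin/sh
# Added example (not from the original post): audit a server you administer
# for shares that can be listed without credentials.
SMBCLIENT="${SMBCLIENT:-smbclient}"   # overridable so the demo can run offline
# Read `smbclient -L` output on stdin; print "name<TAB>type" for each share.
parse_shares() {
    awk '
        /Sharename[ \t]+Type/ { in_table = 1; next }
        /^[ \t]*$/            { in_table = 0 }
        in_table && match($0 " ", /[ \t]+(Disk|IPC|Printer)[ \t]/) {
            name = substr($0, 1, RSTART - 1); sub(/^[ \t]+/, "", name)
            kind = substr($0 " ", RSTART, RLENGTH); gsub(/[ \t]/, "", kind)
            print name "\t" kind
        }'
}

# Built-in Windows shares (ADMIN$, IPC$, PRINT$, drive letters) vs. custom ones.
is_default_share() {
    case "$1" in 'ADMIN$'|'IPC$'|'PRINT$'|[A-Za-z]'$') return 0 ;; esac
    return 1
}

# Succeeds if a null session (-N) can list the share root.
anon_readable() {   # $1 = host, $2 = share
    "$SMBCLIENT" "//$1/$2" -N -c 'ls' </dev/null >/dev/null 2>&1
}

# Print "share<TAB>type<TAB>default|custom<TAB>ANON-READ|denied" per share.
audit_host() {   # $1 = host
    "$SMBCLIENT" -L "$1" -N 2>/dev/null | parse_shares |
    while IFS="$(printf '\t')" read -r name kind; do
        if is_default_share "$name"; then class=default; else class=custom; fi
        if anon_readable "$1" "$name"; then access=ANON-READ; else access=denied; fi
        printf '%s\t%s\t%s\t%s\n' "$name" "$kind" "$class" "$access"
    done
}

# Constructed stand-in for smbclient, modelled on the listing in this post:
# only WorkShares accepts a null session. 192.0.2.10 is a documentation address.
sample_smbclient() {
    if [ "$1" != "-L" ]; then [ "$1" = "//192.0.2.10/WorkShares" ]; return; fi
    cat <<'EOF'
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk
EOF
}

# With a host argument, audit it; with none, run the offline demo.
if [ "$#" -eq 0 ]; then SMBCLIENT=sample_smbclient; set -- 192.0.2.10; fi
audit_host "$1"
```

Any custom share reported as ANON-READ is the finding this machine illustrates and should be moved behind authentication.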
For Penetration Testers
This machine demonstrates:
- The importance of thorough service enumeration
- How to identify and enumerate SMB shares
- Why anonymous access is a critical finding
- How to navigate and download files from shares
In real assessments:
- Always enumerate SMB shares on Windows systems
- Check for anonymous/guest access
- Look for sensitive files in accessible shares
- Document the risk: unsecured shares = data exposure
- Test for SMBv1 (EternalBlue vulnerability)
- Check for shares accessible from internet
Enumeration checklist:
- Scan for port 445 (SMB)
- Enumerate shares with smbclient -L
- Try anonymous access on each share
- Check for default credentials
- Browse accessible shares for sensitive data
- Check SMB version (v1 should be disabled)
Alternative Approaches
Using Nmap SMB Scripts
Nmap has built-in scripts for SMB enumeration:
nmap --script smb-enum-shares,smb-enum-users <target_ip>
What this does:
- --script smb-enum-shares: Enumerates SMB shares
- --script smb-enum-users: Enumerates SMB users
This can automate share discovery.
Using enum4linux
enum4linux is a tool specifically designed for SMB enumeration:
enum4linux -S <target_ip>
What this does:
- -S: Enumerate shares
- Provides detailed information about shares and permissions
Using smbmap
smbmap is another tool for SMB enumeration:
smbmap -H <target_ip>
What this does:
- Lists shares and their permissions
- Can recursively list files in shares
Mounting SMB Shares
You can also mount SMB shares directly (on Linux):
sudo mkdir /mnt/smb
sudo mount -t cifs //<target_ip>/WorkShares /mnt/smb -o username=guest
What this does:
- Mounts the SMB share as a local directory
- Allows you to browse files like a local filesystem
- Requires the cifs-utils package
Common Issues
"Connection refused" or "Connection timed out"
Problem: Can't connect to the SMB server.
Solutions:
- Make sure the machine is spawned
- Verify you're connected to HTB network
- Check that you're using the correct IP address
- Wait for the machine to fully boot
"NT_STATUS_ACCESS_DENIED"
Problem: Access denied when trying to connect to a share.
Solutions:
- Try different shares (some require authentication)
- Try anonymous access with the -N flag
- Check if guest access is enabled
- Try common usernames with blank passwords
"smbclient: command not found"
Problem: smbclient isn't installed.
Solution: Install Samba client tools:
- Linux: sudo apt install smbclient (Debian/Ubuntu) or sudo yum install samba-client (RHEL/CentOS)
- macOS: brew install samba
- Windows: Use the built-in net use command or install Samba
"NT_STATUS_BAD_NETWORK_NAME"
Problem: Share name doesn't exist or is incorrect.
Solutions:
- Double-check the share name (case-sensitive)
- List shares again with smbclient -L to verify
- Make sure you're using the correct UNC path format: //server/share
Files not downloading
Problem: get command doesn't work or file not found.
Solutions:
- Make sure you're in the correct directory (cd to the right folder)
- Check file permissions (you might not have read access)
- Verify the filename is correct (case-sensitive)
- Use ls to list files before downloading
Additional Resources
- SMB Protocol Specification: Microsoft SMB documentation
- smbclient Manual: Complete smbclient documentation
- HTB Dancing Machine Page: Official machine page
- SMB Security Best Practices: Microsoft security guidance
- Nmap SMB Scripts: Nmap SMB enumeration scripts
What's Next?
Now that you've completed Dancing, you're ready for the final machine in Tier 0: Redeemer.
Redeemer will teach you:
- Redis database enumeration
- NoSQL database exposure
- Database interaction and exploitation
- More advanced service enumeration
But first, make sure you:
- Successfully completed Dancing
- Understand SMB basics and share enumeration
- Know how to use smbclient commands (-L, ls, cd, get)
- Understand the risks of unsecured network shares
Completion Proof
I successfully completed Dancing on June 12, 2025. You can verify the completion here.
M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice