HTB Labs — Tier 0 — “Dancing” Machine Walkthrough | By: CyberAlp0

Hey folks, this is CyberAlp0, back again with a new walkthrough of the HTB Tier 0 machine named “Dancing”. This machine covers some tasks related to the SMB protocol. Throughout this blog, you will be guided towards finding the flag of the machine by exploiting the SMB protocol.
SMB stands for Server Message Block, which is a network protocol used for file sharing, printer sharing, and communication between computers in a network. SMB enables shared access to files, directories, printers, and other resources among devices within a network.
Executive Summary
Here is an executive summary of the steps we will follow:
Stage I: Scanning
Initial network scanning identifies TCP port 445 as the single exposed service on the target. The port is running Microsoft-ds, confirming the presence of an SMB file-sharing service. No additional remotely accessible services are detected, immediately narrowing the attack surface to SMB enumeration and potential misconfigurations within accessible shares.
From the Nmap scan, we will find the following information:
- Service Running: Microsoft-ds
- Exposed Port: 445/TCP
Stage II: Enumeration
SMB probing with unauthenticated listing reveals four available shares, including administrative shares marked with “$” and a publicly accessible directory. The attacker identifies that the WorkShares share allows login without credentials, making it the only viable entry point. Once inside the SMB session, directory traversal exposes user folders and file contents, confirming weak access controls and open read permissions on stored resources.
Stage III: Exploiting
The exploitation phase leverages the misconfigured SMB share to directly access sensitive data without authentication. Since the WorkShares directory contains user-owned resources that are world-readable, the attacker retrieves the flag file using the standard SMB file-transfer command. No privilege escalation, code execution, or system interaction is required; the compromise is achieved purely through insecure SMB permissions that allow anonymous read access.
Let’s not waste more time on the introduction and begin hacking!
Step 1: Connecting to the Starting Point Labs Servers.
To attack the target machine, you have to be on the same network. You can read my blog, which will guide you step by step through connecting to the target machine.
Step 2: Spawning the Machine and Starting to Solve the Tasks.
Task 1: What does the 3-letter acronym SMB stand for?
Answer: Server Message Block.
Task 2: What port does SMB use to operate at?
Answer: 445
Walkthrough:
The default port for SMB (Server Message Block) protocol is TCP port 445. This port is used for communication between SMB clients and servers for file sharing, printer sharing, and other network communication related to SMB.
Task 3: What is the service name for port 445 that came up in our Nmap scan?
Answer: Microsoft-ds?
Walkthrough:
We can use two different scanner tools, Nmap and Rustscan. Since Nmap is my favorite, we will run the following command to find the name of the service that runs over port 445:
nmap -sV -sC -A 10.129.172.206
We will notice that the service that runs over port 445 is called “Microsoft-ds?”.
Task 4: What is the ‘flag’ or ‘switch’ that we can use with the smbclient utility to ‘list’ the available shares on Dancing?
Answer: -L
Walkthrough:
We already know that SMB is the “Server Message Block” protocol, which runs over port 445 to establish communication between SMB clients and servers for sharing files, printers, and other network-shareable devices.
To list the available shares, type “-L” after the smbclient command, followed by the IP of the target:
smbclient -L 10.129.172.206
Note that: The listing flag is a capital letter, not a small letter. Also, you have to type sudo before the command.


We will notice that there is a “$” beside some of the shares. This means that these shares are administrative shares.
Task 5: How many shares are there on Dancing?
Answer: 4
Walkthrough:
By using the Listing command in the previous task, we will find that the number of shares is 4. Their names are as in the screenshot below.

Note that: A share is a local resource on the server that is accessible to the SMB clients on the network. A share is a directory. It is used to provide network access to the home directories on a network file server. Each user is assigned a home directory.
Task 6: What is the name of the share we can access in the end with a blank password?
Answer: workshares
Walkthrough:
This is the share that requires no password when connecting to it. If you try to connect to any of the other shares that contain a “$” sign, you will not be permitted, as these shares belong to the admin.
To connect to the WorkShares share, just type the following command:
smbclient --no-pass //10.129.1.12/WorkShares
Note that: I have restarted the machine; that is why the IP is different.
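The share listing from Tasks 4 to 6 can be turned into a quick audit check. The script below is an added example, not part of the original walkthrough: it parses smbclient -L output, separates the administrative shares ending in “$” from ordinary ones, and prints the ordinary shares an administrator should confirm reject blank-password logins. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the share table printed by `smbclient -L` (stdin).
# Prints "<share><TAB><class>" per share:
#   admin  - name ends in "$" (administrative share)
#   review - ordinary share; confirm it rejects blank-password logins
classify_shares() {
    awk '
        /^[ \t]*Sharename[ \t]+Type/ { in_table = 1; next }   # table header
        in_table && /^[ \t]*-+[ \t]+-+/ { next }              # dashed rule
        in_table && NF == 0 { in_table = 0; next }            # blank line ends table
        in_table {
            # The Type column is the first field equal to Disk, IPC or Printer;
            # everything before it is the share name (names may contain spaces).
            name = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Disk" || $i == "IPC" || $i == "Printer") break
                name = (name == "" ? $i : name " " $i)
            }
            if (i > NF || name == "") next                    # not a share row
            printf "%s\t%s\n", name, (name ~ /\$$/ ? "admin" : "review")
        }'
}

# Names of the shares an administrator should check for guest access.
shares_to_review() {
    classify_shares | awk -F '\t' '$2 == "review" { print $1 }'
}

# Constructed sample listing (not captured from the target): four shares,
# three of them administrative, as the walkthrough describes.
sample_listing() {
    cat <<'EOF'
    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    WorkShares      Disk
SMB1 disabled -- no workgroup available
EOF
}

sample_listing | classify_shares
```

To run it against a real listing, pipe the output of the smbclient -L command into shares_to_review instead of the sample.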
Task 7: What is the command we can use within the SMB shell to download the files we find?
Answer: get
Walkthrough:
After listing what is inside the WorkShares directory, we can navigate into and open the directory of each user (James.P & Emy.J) to search for the flag.
We can download the flag using the get command.

The Root Flag for the “Dancing” Machine — TIER 0 — Starting Point Phase is: 5f61c10dffbc77a704d76016a22f1664.
Hope you enjoyed reading my blog about solving the Dancing machine from HTB — Tier 0 — Starting Point Phase.
See You in another write-up!

