
HTB Labs — Tier 1 — “Tactics” Machine Walkthrough | By: CyberAlp0

Author: CyberAlp0
Published: July 4, 2026
Read time: 6 min

Hey Folks, this is CyberAlp0. Welcome to a new walkthrough powered by HTB, Tier 1, named “Tactics.” Tactics is one of the VIP labs in HackTheBox—Tier 1—Starting Point Phase. It focuses on many aspects and strengthens skills like Protocols, SMB, Reconnaissance, and Misconfiguration.

Executive Summary

Here is an executive summary of the steps we will follow:

Stage I: Scanning

The attack begins with scanning, using Nmap with the “-Pn” switch to bypass blocked ICMP echo requests and treat the host as alive. A version and OS detection scan (-sV -A -Pn) identifies SMB exposed on port 445, confirming that the machine is running file-sharing services typical of Windows environments.

The Nmap scan returns the following information:

  • Service Running: microsoft-ds?
  • Exposed Port: 445

Stage II: Enumeration

During the enumeration phase, the focus shifts to abusing SMB. Using “smbclient -L” with the administrator account, the attacker lists available shares and identifies the C$ administrative share, which provides visibility over the entire file system. Connecting directly to this share (smbclient //IP/C$ -U administrator), the attacker confirms that no password is required, demonstrating a critical misconfiguration. From within the share, standard SMB commands such as “get” are used to download interesting files, including “flag.txt” from the Administrator’s desktop.

Stage III: Exploiting

In the exploitation phase, the attacker escalates from simple file access to full remote command execution using Impacket’s psexec.py tool over SMB. With the same administrator account and blank password, psexec.py spawns an interactive shell on the target, granting system-level access. From this shell, the attacker navigates the filesystem, confirms the compromise, and retrieves the root flag: f751c19eda8f61ce81827e6930a1f40c.

Let’s not waste more time on the introduction and begin hacking!

Step 1: Connecting to the Starting Point Labs Servers.

To attack the target machine, you have to be on the same network. You can read my blog which will guide you step-by-step into connecting to the target machine.

Step 2: Spawning the Machine and Starting to Solve the Tasks.

Task 1: Which Nmap switch can we use to enumerate machines when our ping ICMP packets are blocked by the Windows firewall?

Answer: -Pn

Walkthrough:

We will use Nmap for scanning the target through the IP. There are several switches or options we will be using. Here’s a breakdown of the command that will be used:

sudo nmap -sV -A -Pn 10.129.11.204
Scanning the target with Nmap, using the -Pn switch to skip host discovery because the ICMP packets are blocked by the firewall.
  • -Pn: When ICMP packets are blocked, you can use the -Pn switch with Nmap. This switch tells Nmap to skip the host discovery phase and treat all hosts as online. This is particularly useful when you’re trying to scan machines that are behind a firewall that blocks ping requests.
  • -sV: This option enables service version detection. Nmap attempts to determine the versions of the services running on open ports.
  • -A: This option enables OS detection, version detection, script scanning, and traceroute. It provides detailed information about the target, including the operating system and services.

Task 2: What does the 3-letter acronym SMB stand for?

Answer: Server Message Block

Walkthrough:

The 3-letter acronym SMB stands for Server Message Block. It is a network protocol used for sharing files, printers, and other resources on a network.

Task 3: What port does SMB use to operate at?

Answer: 445

Walkthrough:

SMB stands for Server Message Block, which is a network protocol used for file sharing, printer sharing, and communication between computers in a network. SMB enables shared access to files, directories, printers, and other resources among devices within a network.

We covered SMB protocol exploitation in a previous blog. For more information, refer to the write-up covering the “Dancing” walkthrough powered by HTB, Starting Point Phase, Tier 0.

SMB primarily operates over the following ports:

  • Port 445: This is the main port used by SMB over TCP/IP.
  • Port 139: This port is used for SMB over NetBIOS.

Port 445 is the more common port for direct SMB connections in modern network configurations.

Task 4: What command line argument do you give to smbclient to list available shares?

Answer: -L

Walkthrough:

We already know that SMB (Server Message Block) is a protocol that runs over port 445 to establish communication between SMB clients and servers for sharing files, printers, and other network-shareable devices. To list the shares available on the target, pass “-L” to the smbclient command, followed by the IP of the target.

sudo smbclient -L 10.129.11.204 -U administrator
The listing flag is a capital letter, not a lowercase one. Also, you have to type sudo before the command.
Using “administrator” as the username will allow us to log in with the SMB client without providing a password.
Listing the workshares using the -L flag for the SMB client and -U for the administrator username. There is no password for this username.

Once you type the command, you will be asked for a password. Since you are logging in as administrator, the password is blank. Press Enter and the workshares will be listed as shown in the screenshot. As shown, there are 3 Windows-based workshares.

How the attacker exploits SMB and is able to list all the shared files and devices.

Task 5: What character at the end of a share name indicates it’s an administrative share?

Answer: $

Walkthrough:

In Windows, an administrative share is indicated by a dollar sign ($) at the end of the share name. For example, the C drive share is typically named C$.

Task 6: Which Administrative share is accessible on the box that allows users to view the whole file system?

Answer: C$

Walkthrough:

Use the following command to connect to the workshares for the SMB client “10.129.11.204”.

smbclient //10.129.11.204/C$ -U administrator
Listing the file system of the administrative share C$ on the Windows target.

Here’s a breakdown of the command:

  • smbclient: This is the command-line tool used to access SMB/CIFS resources on a network.
  • //10.129.11.204/C$: The IP is the target Windows machine; C$ refers to the administrative share for the C: drive on that machine.
  • -U administrator: This option specifies the username to authenticate with. In this case, it is the administrator account, which typically has elevated privileges. This user is used to access the SMB shares without a password.

Task 7: What command can we use to download the files we find on the SMB Share?

Answer: get

Walkthrough:

After connecting with the SMB client and navigating to the administrative share C$, you can download any file you find in the workshare using the get command.

Downloading the flag.txt using the get command. The flag.txt is placed in /Users/Administrator/Desktop.

Task 8: Which tool that is part of the Impacket collection can be used to get an interactive shell on the system?

Answer: psexec.py

Walkthrough:

Impacket is a collection of Python scripts and libraries designed for working with network protocols and security testing. It provides tools that facilitate the manipulation and interaction with various network protocols, particularly those used in Windows environments.

Psexec.py is a tool within the Impacket collection that allows users to execute commands on remote Windows machines over the SMB (Server Message Block) protocol. It is designed to mimic the functionality of Microsoft's PsExec utility, enabling remote command execution with ease.

To use this tool to open an interactive shell in the target machine, type the following command:

impacket-psexec WORKGROUP/administrator:password@10.129.11.204
Using the psexec Python tool to open an interactive shell on the Windows machine. Using the administrator username doesn't require entering a password. It’s a blank password.

We now have an interactive shell in the target Windows machine. We can use Windows shell commands to interact with the shell for more exploitation.

Navigating the C workshare directory. flag.txt is located in /Users/Administrator/Desktop.
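
How this activity looks from the defender's side, as an added example that is not part of the original walkthrough: a short Python correlation over constructed Windows events that flags administrative-share access (Event ID 5140) and a new service install (Event ID 7045) shortly after it, which is the trace PsExec-style tools leave. The event dictionaries, their field names, the sample values, and the 60-second window are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the lab), reduced to the fields used here.
# 5140 = network share object accessed (needs "Audit File Share" enabled),
# 7045 = new service installed (System log).
EVENTS = [
    {"time": "2026-01-10T10:00:02", "id": 5140, "user": "Administrator",
     "share": r"\\*\IPC$", "src": "10.10.14.5"},
    {"time": "2026-01-10T10:00:03", "id": 5140, "user": "Administrator",
     "share": r"\\*\C$", "src": "10.10.14.5"},
    {"time": "2026-01-10T10:02:10", "id": 5140, "user": "Administrator",
     "share": r"\\*\ADMIN$", "src": "10.10.14.5"},
    {"time": "2026-01-10T10:02:11", "id": 7045, "service": "XkQp",
     "image": r"%systemroot%\hTzWmLqa.exe"},
    {"time": "2026-01-10T11:30:02", "id": 5140, "user": "svc_backup",
     "share": r"\\*\Reports", "src": "10.0.0.20"},
]

WINDOW = timedelta(seconds=60)  # assumed correlation window


def is_admin_share(share):
    """True for hidden shares such as C$ or ADMIN$; IPC$ is skipped as routine."""
    name = share.rsplit("\\", 1)[-1].upper()
    return name.endswith("$") and name != "IPC$"


def find_alerts(events, window=WINDOW):
    """Return (rule, source, user, detail) tuples in chronological order."""
    alerts, admin_access = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5140 and is_admin_share(ev["share"]):
            admin_access.append((when, ev["src"], ev["user"]))
            alerts.append(("admin-share-access", ev["src"], ev["user"], ev["share"]))
        elif ev["id"] == 7045:
            # 7045 carries no source address, so tie it to the admin-share
            # access that happened at most `window` before the install.
            for seen, src, user in admin_access:
                if timedelta(0) <= when - seen <= window:
                    alerts.append(("service-install-after-admin-share",
                                   src, user, ev["service"]))
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```
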

Task 9: Submitting Root Flag

Answer: f751c19eda8f61ce81827e6930a1f40c

Walkthrough:

After downloading the flag.txt using the get command, we shall find the root flag as shown.

The root flag of the Tactics HTB Machine — Starting Point Phase — Tier 1.

The root flag of the pennyworth machine is: f751c19eda8f61ce81827e6930a1f40c

Hope you enjoyed reading my blog about solving Tactics machine from HTB — Tier 1— Starting Point Phase.

See You in another write-up!
