Dancing - Windows
- justinblawitz
- Oct 7, 2025
Run ping {target Ip} to confirm the host is reachable, then sudo nmap -sV {target Ip} to scan for open ports and service versions.
We find port 445/tcp open. Port 445 is typically SMB (Server Message Block), a communication protocol that provides shared access to files, printers, and serial ports between endpoints on a network.
smbclient -L {target Ip} attempts to connect us to the remote host and shows whether authentication is required. -L (or --list) names the targeted host for the connection request and asks it for a list of its shares.
Four separate shares are displayed: ADMIN$, C$, IPC$, and WorkShares. We will try to connect to all of them other than IPC$, as it is not browsable and hence not applicable to this stage of learning.
smbclient \\\\{target Ip}\\{share name} attempts to log in to a share without proper credentials; we enter a blank password when prompted.
We gain access to WorkShares with smbclient \\\\{target Ip}\\WorkShares
Use the help command to list the commands available in the smbclient shell.
Use ls to list the directory contents; we find the directories Amy.J and James.P.
Use cd Amy.J to change into the Amy.J directory, then ls to list its contents; we find worknotes.txt. Use get worknotes.txt to download the file to our host.
After using cd .. to back out of the Amy.J directory, we cd James.P and ls to list its contents. We find flag.txt and use get flag.txt to download it to our host.
Use the exit command to quit the shell, then cat flag.txt on our host to read the file and capture the flag. (P.S. Files like worknotes.txt can give hints to next targets in more advanced labs.)
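For the administrator's side of the share listing step above, here is an added example (not part of the original post) that triages an smbclient -L share table into hidden administrative shares, the IPC$ endpoint, and visible disk shares such as WorkShares whose permissions and guest access should be reviewed. The function names are hypothetical, the listing is constructed sample output, and it assumes the usual indented Sharename/Type/Comment table with share names that contain no spaces.

```shell
#!/usr/bin/env bash
# Added example: triage the share table printed by `smbclient -L`.
# The listing below is constructed sample output, not captured from a host.
sample_listing() {
cat <<'EOF'

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk
SMB1 disabled -- no workgroup available
EOF
}

# classify_shares: read a listing on stdin, print "<share> <class>" per row.
#   admin  = hidden Disk share (name ends in $), meant for administrators
#   ipc    = IPC$ named-pipe endpoint, not browsable
#   review = visible Disk share; check its ACL and guest access
# Assumption: share names contain no spaces (fields are split on whitespace).
classify_shares() {
  awk '
    /^[ \t]*-+[ \t]+-+/   { in_table = 1; next }  # dashed rule starts the table
    in_table && NF == 0   { in_table = 0 }        # blank line ends it
    in_table && /^[^ \t]/ { in_table = 0 }        # unindented line ends it
    in_table {
      name = $1; type = $2
      if (type == "IPC")        class = "ipc"
      else if (name ~ /\$$/)    class = "admin"
      else if (type == "Disk")  class = "review"
      else                      class = "other"
      print name, class
    }'
}

# shares_to_review: only the names an administrator should audit first.
shares_to_review() {
  classify_shares | awk '$2 == "review" { print $1 }'
}

sample_listing | classify_shares
```

On a real server, pipe the saved output of the listing command into shares_to_review and check each returned share's permissions so that it no longer accepts a blank password.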


