HTB Labs — Tier 0 — “MEOW” Machine Walkthrough | By: CyberAlp0

Solving Meow Machine from HackTheBox — Starting Point — Tier 0 | By: CyberAlp0

Hey Folks, this is CyberAlp0. Back again to a new walkthrough powered by HTB, Tier 0, named “Meow”. This Machine covers some tasks related to the telnet protocol. Throughout this blog, you will be guided towards finding the flag of the machine by making use of the telnet protocol.

Telnet Protocol is a network protocol that allows a user on one computer to log into another computer that is part of the same network.

here is how we can make use of this exploit….

Step 1: Connecting to the Starting Point Labs Servers.

To attack the target machine, you have to be on the same network. You can read my Blog which will guide you step-by-step into connecting to the target machine.

Step 2: Spawning the Machine and Starting to Solve the Tasks.

Task 1: What does the acronym VM stand for?

Answer: Virtual Machine

Walkthrough:

Virtual machines give you the ability to divide the resources of the main operating system into other operating systems. This gives you the ability to control several machines at the same time.

Building several operating systems from a single operating system

Task 2: What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell.

Answer: Terminal

Walkthrough:

The Terminal or the shell is the hacker’s right hand in controlling and performing any command. It is the command & control Console.

Task 3: What service do we use to form our VPN connection to HTB labs?

Answer: OpenVPN

Walkthrough:

OpenVPN is an open-source private network (VPN) that creates secure connections over the internet using a secure protocol that utilizes SSL/TLS.

Task 4: What is the abbreviated name for a ‘tunnel interface’ in the output of your VPN boot-up sequence output?

Answer: tun

Walkthrough:

Tunnel Interface is typically represented as “TUN” or “TAP.” These abbreviations stand for “Network Tunnel” and “Network Tap” respectively, which are commonly used to create virtual network interfaces for VPN connections.

Task 5: The tool used to test the connection to the target machine using an ICMP echo request

Answer: Ping

Walkthrough:

The Ping request sends ICMP echo request to the target IP address to check whether the host or the target is live or not. This will give you a hint about the connection between you and the target.

Since our lab here uses the telnet protocol to connect to another machine that is connected to the same network as the hacker, we shall test the connectivity first using the PING Command.

Note that: when testing the connectivity using the ICMP Echo Request, you shall find the value of the TTL=128.

TTL Value in the Windows Operating System= 128

On the other hand, if you are using a Linux operating system, You will find that the value of the TTL=64.

TTL Value in the Linux Operating System= 64

Time to live (TTL) refers to the amount of time or “hops” that a packet is set to exist inside a network before being discarded by a router.

Task 6: What is the name of the most common tool for finding open ports on a target?

Answer: Nmap

Walkthrough:

Nmap is a powerful and widely used open-source network scanning tool that allows you to discover hosts and services on a computer network. It provides a range of scanning techniques, including port scanning, to determine which ports are open and what services are running on those ports.

Nmap Cheat Sheet Source

Task 7: What service do we identify on port 23/TCP during our scans?

Answer: Telnet

Walkthrough:

Most Common Protocols along with the Assigned Ports.

Task 8: What username can log into the target over telnet with a blank password?

Answer: root

Walkthrough:

When typing the username “root” while trying to log in to a target machine, you will be able to have access to the target machine with no password “Blank Password”.

The default username that is often used is “root” or “admin.” These usernames are commonly associated with privileged accounts that have administrative access to the system over the telnet protocol.

Task 9: What is the Root Flag of the machine?

Answer: b40abdfe23665f766f9c61ecba8a4c19

Walkthrough:

Firstly, The First step will always be scan for the target

You can use two different scanning tools, Nmap or Rustscan. I will be using Nmap to scan for the open ports in the target by typing the following command.

nmap -v 10.129.156.5

Discovering the opened ports in the target machine

Secondly: Connect to the Telnet Protocol over the open port 23.

Since port 23 is open, we will be able to connect to it through the telnet protocol that runs over this port. By typing the following command, we will have a successful connection to the target through the telnet protocol.

telnet -l root 10.129.156.5

This will give you the ability to log in to the target with the root user without typing any password “Blank Password”.

Connecting to the target using the telnet protocol with a “root” user

Successful login with a root permission

Thirdly: Navigating inside the server and looking for the root flag

Type the following commands to list the contents of the server

ls

Type the following command to capture what’s inside the flag.txt.

cat flag.txt

Getting the root flag for MEOW Machine

The Root Flag For Meow Machine is: b40abdfe23665f766f9c61ecba8a4c19.

Hope you enjoyed reading my blog about solving Meow machine from HTB — Tier 0 — Starting Point Phase.

See You in another write-up!