Meow - Starting point - Hack The Box
This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.
Description
This post begins the Tier 0 Starting Point machines. The first one is Meow, which I selected for this initial write-up.
I will focus on the exploitation process because several of the accompanying questions do not add anything useful. When a question provides information required for exploitation, I will reference it during the process.
Exploitation Process
Reconnaissance
Port Scanning
We begin with a basic scan to find the open ports on the machine:
1 | nmap --open -p- 10.129.74.180 -T5 -oG Puertos |
We can see that Telnet is open, so we run Nmap’s default scripts against port 23.
1 | nmap -sCV -p 23 -oN Objetivos 10.129.1.17 |
The target appears to be a Linux machine, but the scan does not reveal much information. With no other ports through which to attempt to compromise the host, we can try logging in over Telnet.
Connecting via Telnet (Foothold as Root)
We attempt to connect as the root user.
1 | ❯ telnet 10.129.1.17 |
Because of a configuration error, the root account has no password, giving us immediate access to the machine. As root, all that remains is to find the flag.
1 | root@Meow:~# pwd |
We have successfully exploited the first Tier 0 Starting Point machine.
Answers
Question 1
What does the acronym VM stand for?
Virtual Machine
Question 2
What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell.
terminal
Question 3
What service do we use to form our VPN connection into HTB labs?
openvpn
Question 4
What is the abbreviated name for a ‘tunnel interface’ in the output of your VPN boot-up sequence output?
tun
Question 5
What tool do we use to test our connection to the target with an ICMP echo request?
ping
Question 6
What is the name of the most common tool for finding open ports on a target?
nmap
Question 7
What service do we identify on port 23/tcp during our scans?
telnet
Question 8
What username is able to log into the target over telnet with a blank password?
root
Flag
Submit root flag
b40xxxxxxxxxxxxxxxxxxxxxxxxxxxxx



