The Unsecured Nerd

HackTheBox. Meow.

Scroll to the bottom of the page for answers to the Task questions.

There are a few takeaways from Meow:

  1. Enumeration is important.
  2. Telnet is an incredibly insecure way to connect to a remote resource. This is especially true when passwords are found wanting, but because of the way Telnet works, even a password might prove worthless, depending on the techniques employed by the attacker.

Let’s port scan the target:

┌──(unsecurednerd㉿kali)-[~]
└─$ sudo nmap -v -A --stats-every 1m -p - ip_address_of_the_target

A breakdown of the command line switches used above is as follows:

sudo runs nmap with root privileges. This will allow us to perform an -sS (TCP SYN) scan.

nmap is the name of the program that we are running.

-v adds a single level of verbosity.

-A asks Nmap to perform an aggressive scan which includes OS detection (-O), Version detection (-sV), Script scanning (-sC), and Traceroute (--traceroute).

--stats-every 1m provides an update every minute.

-p - scans all ports.

ip_address_of_the_target is self-explanatory; replace this with the IP address of the target.

Just a reminder, although I often do not include it in the examples, I always direct output to both the terminal and a file when possible either by using the tee command or a built-in switch like -oN in the case of Nmap. The entire command that I used looked something like:

┌──(unsecurednerd㉿kali)-[~]
└─$ sudo nmap -v -A --stats-every 1m -p - ip_address_of_the_target -oN 01_nmap_scan_meow.txt

Nmap produces a lot of output, but based on the pertinent parts, it looks like the only port that is open on the target is port 23:

Truncated...
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
...Truncated
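
When the scan has been saved with -oN, the port table can be read by a script and any cleartext login service flagged for remediation. The following is an added example, not part of the original write-up; the function names and the sample report are constructed, and ftp is an assumed addition beyond the telnet finding on this page.

```shell
#!/bin/sh
# Added example: read the port table of an Nmap normal-output (-oN) report.

# Constructed sample report, modelled on the table shown above.
sample_report() {
cat <<'EOF'
# Nmap scan report (constructed sample)
PORT     STATE    SERVICE    VERSION
22/tcp   closed   ssh
23/tcp   open     telnet     Linux telnetd
8080/tcp filtered http-proxy
EOF
}

# Print "port proto service" for each row whose STATE is exactly "open".
# Reads the files given as arguments, or stdin when there are none.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        split($1, p, "/")
        print p[1], p[2], $3
    }' "$@"
}

# Of the open ports, keep those whose service sends logins in cleartext.
# telnet is the finding on this page; ftp is an assumed addition.
cleartext_logins() {
    open_ports "$@" | awk '$3 == "telnet" || $3 == "ftp"'
}

# Demo on the constructed report; on a real run pass the -oN file instead,
# e.g. cleartext_logins 01_nmap_scan_meow.txt
sample_report | cleartext_logins
```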

We can connect to it by using the telnet command:

┌──(unsecurednerd㉿kali)-[~]
└─$ telnet ip_address_of_the_target 23

telnet is the name of the program that we are running.

ip_address_of_the_target is self-explanatory; replace this with the IP address of the target.

23 is the port number.

It could take a minute or two for the banner/login prompt to appear. BE PATIENT. The prompt reads “Meow login” and it is here that we are required to enter a username. What username?

This is a Linux box, and to truly pwn a Linux box we need to gain access to the root account, either by becoming the root user or by being able to perform actions at root’s level of access. The Linux root user is analogous to the Windows Administrator. At this login we should just go for gold and try to log in as root. Think of it as a less sophisticated take on the Account Enumeration/Guessable User Account type of attack. Please read https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account for more information. Most assuredly “root” would be on the list of usernames that we should/would attempt.

If we enter “root” as the username, we are presented with a prompt that confirms our root access:

root@Meow:~#

The pwd command tells us that we are in the /root directory.

Listing the directory contents with ls -al confirms that there is a flag.txt file in the directory. The contents of the file can be output to the terminal by way of the cat command:

cat flag.txt
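
From the defender's side, the condition that made this login possible can be audited on the host: an account whose password field in the shadow file is empty and whose shell is interactive. The following is an added example, not part of the original write-up; the function names and both sample files are constructed and are not taken from the target.

```shell
#!/bin/sh
# Added example: find accounts that can log in with a blank password.
# Field 2 of a shadow(5) entry holds the password hash. An empty field means
# no password is required; "!" or "*" means password login is locked.

# Constructed sample files (not taken from the target).
sample_shadow() {
cat <<'EOF'
root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
backup::19000:0:99999:7:::
bob:!:19000:0:99999:7:::
EOF
}
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
bob:x:1001:1001::/home/bob:/bin/bash
EOF
}

# Usage: blank_password_accounts SHADOW_FILE PASSWD_FILE
# Prints "user uid shell" for each account with an empty password field
# whose login shell is not nologin/false.
blank_password_accounts() {
    awk -F: '
        FILENAME == ARGV[1] { if ($2 == "") blank[$1] = 1; next }
        ($1 in blank) && $7 !~ /(nologin|false)$/ { print $1, $3, $7 }
    ' "$1" "$2"
}

# Run the audit against the constructed samples (subshell keeps dir private).
audit_sample() (
    dir=$(mktemp -d)
    sample_shadow > "$dir/shadow"
    sample_passwd > "$dir/passwd"
    blank_password_accounts "$dir/shadow" "$dir/passwd"
    rm -rf "$dir"
)

audit_sample
```

On a real host this would be run as root against /etc/shadow and /etc/passwd. Any account it prints needs a password set or the account locked (for example with passwd -l), and the telnet service itself should be replaced with SSH.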

Tasks

Task 1: What does the acronym VM stand for?

Virtual Machine

Task 2: What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It's also known as a console or shell.

Terminal

Task 3: What service do we use to form our VPN connection into HTB labs?

openvpn

Task 4: What tool do we use to test our connection to the target with an ICMP echo request?

ping

Task 5: What is the name of the most common tool for finding open ports on a target?

nmap

Task 6: What service do we identify on port 23/tcp during our scans?

telnet

Task 7: What username is able to log into the target over telnet with a blank password?

root

DISCLAIMER Everything discussed herein is done so within the context of Boot2Roots, Crackmes, CTFs, and various other types of Cyber Security/Information Security/Programming challenges and competitions, Cyber Security/Information Security/Programming education, the Cyber Security/Information Security/Programming industry, and the Cyber Security/Information Security/Programming education industry. DO NOT "ATTACK" ANY SYSTEM(S) WITHOUT FIRST OBTAINING PROPER AUTHORIZATION. The Unsecured Nerd cannot and, most importantly, is genuinely not interested in helping you hack your personal enemies, family, friends, significant other, your government, governments that oppose your government, random remote targets that you managed to locate on the internet, and/or really anything at all. If reading something on this site causes you to wonder how it can be applied to hack any of those aforementioned things it’s best that you keep wondering. Stay safe.
