HackTheBox – Starting Point Phase – Tier 0/

HTB Labs — Tier 0 — “Meow” Machine Walkthrough | By: CyberAlp0

AUTHORCyberAlp0
PUBLISHEDJuly 3, 2026
READ TIME05 MIN
HTB Labs — Tier 0 — “Meow” Machine Walkthrough | By: CyberAlp0

Hey Folks, this is CyberAlp0. Back again to a new walkthrough powered by HTB, Tier 0, named “Meow”. This Machine covers some tasks related to the telnet protocol. Throughout this blog, you will be guided towards finding the flag of the machine by making use of the telnet protocol.

Telnet Protocol is a network protocol that allows a user on one computer to log into another computer that is part of the same network.

Executive Summary

Here is an executive summary of the steps we will follow:

Stage I: Scanning

Initial reconnaissance begins with a basic port scan against the target. The scan reveals a single exposed service: TCP port 23, running the Telnet protocol. With no additional services present, the attack surface is extremely narrow, indicating that the machine likely relies on outdated or insecure remote-access mechanisms.

Upon the Nmap scan, we will find the following information

  • Service Running: Telnet
  • Exposed Port: 23/TCP

Stage II: Enumeration

Further enumeration confirms that Telnet is accessible without encryption and supports direct login attempts. Testing default usernames reveals that the root account accepts a blank password, a critical misconfiguration that gives any unauthenticated user immediate, full system access. No brute force, privilege escalation, or credential harvesting is required — the system exposes administrative access by default.

Stage III: Exploiting

Exploitation is achieved simply by connecting to Telnet using the root user with no password. Once authenticated, the attacker gains full command execution capabilities at a root level, enabling direct access to system files. Retrieving the machine’s final flag becomes trivial, demonstrating how insecure remote-access protocols paired with weak authentication lead to complete compromise in seconds.

Let’s not waste more time on the introduction and begin hacking!

Step 1: Connecting to the Starting Point Labs Servers.

To attack the target machine, you have to be on the same network. You can read my blog which will guide you step-by-step into connecting to the target machine.

Step 2: Spawning the Machine and Starting to Solve the Tasks.

Task 1: What does the acronym VM stand for?

Answer: Virtual Machine

Walkthrough:

Virtual machines give you the ability to divide the resources of the main operating system into other operating systems. This gives you the ability to control several machines at the same time.

Building several operating systems from a single operating system
Building several operating systems from a single operating system

Task 2: What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell.

Answer: Terminal

Walkthrough:

The Terminal or the shell is the hacker’s right hand in controlling and performing any command. It is the command & control Console.

Task 3: What service do we use to form our VPN connection to HTB labs?

Answer: OpenVPN

Walkthrough:

OpenVPN is an open-source private network (VPN) that creates secure connections over the internet using a secure protocol that utilizes SSL/TLS.

Task 4: What is the abbreviated name for a ‘tunnel interface’ in the output of your VPN boot-up sequence output?

Answer: tun

Walkthrough:

Tunnel Interface is typically represented as “TUN” or “TAP.” These abbreviations stand for “Network Tunnel” and “Network Tap” respectively, which are commonly used to create virtual network interfaces for VPN connections.

Task 5: The tool used to test the connection to the target machine using an ICMP echo request

Answer: Ping

Walkthrough:

The Ping request sends ICMP echo request to the target IP address to check whether the host or the target is live or not. This will give you a hint about the connection between you and the target.

Since our lab here uses the telnet protocol to connect to another machine that is connected to the same network as the hacker, we shall test the connectivity first using the PING Command.

Note that: when testing the connectivity using the ICMP Echo Request, you shall find the value of the TTL=128.
TTL Value in the Windows Operating System= 128
TTL Value in the Windows Operating System= 128
On the other hand, if you are using a Linux operating system, You will find that the value of the TTL=64.
TTL Value in the Linux Operating System= 64
TTL Value in the Linux Operating System= 64
Time to live (TTL) refers to the amount of time or “hops” that a packet is set to exist inside a network before being discarded by a router.

Task 6: What is the name of the most common tool for finding open ports on a target?

Answer: Nmap

Walkthrough:

Nmap is a powerful and widely used open-source network scanning tool that allows you to discover hosts and services on a computer network. It provides a range of scanning techniques, including port scanning, to determine which ports are open and what services are running on those ports.

Nmap Cheat Sheet Source

Task 7: What service do we identify on port 23/TCP during our scans?

Answer: Telnet

Walkthrough:

Most Common Protocols along with the Assigned Ports.
Most Common Protocols along with the Assigned Ports.

Task 8: What username can log into the target over telnet with a blank password?

Answer: root

Walkthrough:

When typing the username “root” while trying to log in to a target machine, you will be able to have access to the target machine with no password “Blank Password”.

The default username that is often used is “root” or “admin.” These usernames are commonly associated with privileged accounts that have administrative access to the system over the telnet protocol.

Task 9: What is the Root Flag of the machine?

Answer: b40abdfe23665f766f9c61ecba8a4c19

Walkthrough:

Firstly, The First step will always be scan for the target

You can use two different scanning tools, Nmap or Rustscan. I will be using Nmap to scan for the open ports in the target by typing the following command.

nmap -v 10.129.156.5
Discovering the opened ports in the target machine
Discovering the opened ports in the target machine

Secondly: Connect to the Telnet Protocol over the open port 23.

Since port 23 is open, we will be able to connect to it through the telnet protocol that runs over this port. By typing the following command, we will have a successful connection to the target through the telnet protocol.

telnet -l root 10.129.156.5

This will give you the ability to log in to the target with the root user without typing any password “Blank Password”.

Connecting to the target using the telnet protocol with a “root” user
Connecting to the target using the telnet protocol with a “root” user
Successful login with a root permission
Successful login with a root permission

Thirdly: Navigating inside the server and looking for the root flag

Type the following commands to list the contents of the server

ls

Type the following command to capture what’s inside the flag.txt.

cat flag.txt
Getting the root flag for MEOW Machine
Getting the root flag for MEOW Machine

The Root Flag For Meow Machine is: b40abdfe23665f766f9c61ecba8a4c19.

Hope you enjoyed reading my blog about solving Meow machine from HTB — Tier 0 — Starting Point Phase.

See You in another write-up!

[ #hackthebox ][ #Penetration Testing ][ #Kali Linux ][ #telnet ][ #cyberskii ][ #bug bounty ]