HTB Labs — Tier 0 — “Meow” Machine Walkthrough | By: CyberAlp0

Hey Folks, this is CyberAlp0. Back again to a new walkthrough powered by HTB, Tier 0, named “Meow”. This Machine covers some tasks related to the telnet protocol. Throughout this blog, you will be guided towards finding the flag of the machine by making use of the telnet protocol.
Telnet Protocol is a network protocol that allows a user on one computer to log into another computer that is part of the same network.
Executive Summary
Here is an executive summary of the steps we will follow:
Stage I: Scanning
Initial reconnaissance begins with a basic port scan against the target. The scan reveals a single exposed service: TCP port 23, running the Telnet protocol. With no additional services present, the attack surface is extremely narrow, indicating that the machine likely relies on outdated or insecure remote-access mechanisms.
Upon the Nmap scan, we will find the following information
- Service Running: Telnet
- Exposed Port: 23/TCP
Stage II: Enumeration
Further enumeration confirms that Telnet is accessible without encryption and supports direct login attempts. Testing default usernames reveals that the root account accepts a blank password, a critical misconfiguration that gives any unauthenticated user immediate, full system access. No brute force, privilege escalation, or credential harvesting is required — the system exposes administrative access by default.
Stage III: Exploiting
Exploitation is achieved simply by connecting to Telnet using the root user with no password. Once authenticated, the attacker gains full command execution capabilities at a root level, enabling direct access to system files. Retrieving the machine’s final flag becomes trivial, demonstrating how insecure remote-access protocols paired with weak authentication lead to complete compromise in seconds.
Let’s not waste more time on the introduction and begin hacking!
Step 1: Connecting to the Starting Point Labs Servers.
To attack the target machine, you have to be on the same network. You can read my blog which will guide you step-by-step into connecting to the target machine.
Step 2: Spawning the Machine and Starting to Solve the Tasks.
Task 1: What does the acronym VM stand for?
Answer: Virtual Machine
Walkthrough:
Virtual machines give you the ability to divide the resources of the main operating system into other operating systems. This gives you the ability to control several machines at the same time.

Task 2: What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell.
Answer: Terminal
Walkthrough:
The Terminal or the shell is the hacker’s right hand in controlling and performing any command. It is the command & control Console.
Task 3: What service do we use to form our VPN connection to HTB labs?
Answer: OpenVPN
Walkthrough:
OpenVPN is an open-source private network (VPN) that creates secure connections over the internet using a secure protocol that utilizes SSL/TLS.
Task 4: What is the abbreviated name for a ‘tunnel interface’ in the output of your VPN boot-up sequence output?
Answer: tun
Walkthrough:
Tunnel Interface is typically represented as “TUN” or “TAP.” These abbreviations stand for “Network Tunnel” and “Network Tap” respectively, which are commonly used to create virtual network interfaces for VPN connections.
Task 5: The tool used to test the connection to the target machine using an ICMP echo request
Answer: Ping
Walkthrough:
The Ping request sends ICMP echo request to the target IP address to check whether the host or the target is live or not. This will give you a hint about the connection between you and the target.
Since our lab here uses the telnet protocol to connect to another machine that is connected to the same network as the hacker, we shall test the connectivity first using the PING Command.
Note that: when testing the connectivity using the ICMP Echo Request, you shall find the value of the TTL=128.

On the other hand, if you are using a Linux operating system, You will find that the value of the TTL=64.

Time to live (TTL) refers to the amount of time or “hops” that a packet is set to exist inside a network before being discarded by a router.
Task 6: What is the name of the most common tool for finding open ports on a target?
Answer: Nmap
Walkthrough:
Nmap is a powerful and widely used open-source network scanning tool that allows you to discover hosts and services on a computer network. It provides a range of scanning techniques, including port scanning, to determine which ports are open and what services are running on those ports.
Nmap Cheat Sheet Source
Task 7: What service do we identify on port 23/TCP during our scans?
Answer: Telnet
Walkthrough:

Task 8: What username can log into the target over telnet with a blank password?
Answer: root
Walkthrough:
When typing the username “root” while trying to log in to a target machine, you will be able to have access to the target machine with no password “Blank Password”.
The default username that is often used is “root” or “admin.” These usernames are commonly associated with privileged accounts that have administrative access to the system over the telnet protocol.
Task 9: What is the Root Flag of the machine?
Answer: b40abdfe23665f766f9c61ecba8a4c19
Walkthrough:
Firstly, The First step will always be scan for the target
You can use two different scanning tools, Nmap or Rustscan. I will be using Nmap to scan for the open ports in the target by typing the following command.
nmap -v 10.129.156.5
Secondly: Connect to the Telnet Protocol over the open port 23.
Since port 23 is open, we will be able to connect to it through the telnet protocol that runs over this port. By typing the following command, we will have a successful connection to the target through the telnet protocol.
telnet -l root 10.129.156.5This will give you the ability to log in to the target with the root user without typing any password “Blank Password”.


Thirdly: Navigating inside the server and looking for the root flag
Type the following commands to list the contents of the server
lsType the following command to capture what’s inside the flag.txt.
cat flag.txt
The Root Flag For Meow Machine is: b40abdfe23665f766f9c61ecba8a4c19.
Hope you enjoyed reading my blog about solving Meow machine from HTB — Tier 0 — Starting Point Phase.
See You in another write-up!

