HTB: Meow Walkthrough

Writeup — Meow By Araiz Naqvi

Overview

Difficulty: Easy
Operating System: Linux
Objective: Capture flag via Telnet
Tools Used: nmaptelnetopenvpn

Prepared by Araiz Naqvi

Scanning using Nmap

Started with a nmap scan to get information about whether telnet was running on port 23 as mentioned in the task.

Nmap Scan

And, it is!

Accessing Telnet at 10.129.109.246

Now, let’s telnet into said IP.

Connecting to target via Telnet

I tried a bunch of usernames but nothing seemed to work.
After a little research and hint from an answer in the machine it is clear that maybe `root` as the username will do the trick. So, let’s give it a shot.

Exploiting Misconfigured Passwordless login

Flag Retrieval

Let’s start by listing the content on the target:

Listing Content

Next, we will cat the content of flag.txt as:

Reading the flag.txt

Flag

The flag is b40abdfe23665f766f9c61ecba8a4c19.

Lessons Learned

- A lot of the times, services are configured for ease of access with one username that does not have a password or some easy password. This can easily be guessed as I did or even bruteforced and automated.
- The best way to mitigate this issue is place solid standards on passwords by not only maintaining long complex password but also changing them regularly. As for ease of use, a password manager can be used to receive the password like MFA to log in or out.

Comments

Post a Comment

Popular posts from this blog

HTB: Redeemer Walkthrough

Image
  Writeup — Redeemer By Araiz Naqvi Prepared By Araiz Naqvi . Overview - Difficulty: Easy - Operating System : Linux - Objective: Capture flag via Redis - Tools Used: nmap , redis , openvpn Nmap Scans Let’s start with stealth scanning default ports using the -sS flag: Strange, nothing comes back. Let’s run an all-port stealth scan: As can be seen that port 6379 is open.  Seems like it is redis , looks like we’re about to use redis-cli . Let’s first quickly run a service and script scan: I also run a udp scan just for the sake of it: Using redis-cli Let’s use the redis-cli to logon host 10.129.229.238 : I next need to get more information using the INFO command: At the end here: This shows that there is only one db since it’s value is 0 and there are 4 keys. Let’s start by selecting this database using the SELECT : Let’s see what keys are available: Now, let’s get these variables and get all values: There’s our flag!
Read more

HTB: Nibbles Walkthrough

Image
  Writeup — Nibbles By Araiz Naqvi Overview Difficulty: Easy - Operating System: Linux - Objective: Understand potential breaking points in nibble machine. - Tools Used: nmap , nc , whatweb , searchsploit , metasploit , gobuster , SecsList , linpeas Prepared by Araiz Naqvi Starting Enumeration with Nmap The very first step is to get an idea of the open ports and services running. To do this we will start with nmap scans: Nmap Scanning for open ports Here, two ports are open, SSH and HTTP which also show that the target is running Linux Ubuntu 2.2 version and an Apache httpd 2.4.18 server. But, before we go deeper into these open ports, let’s run an all ports TCP scan and leave it in the background cause usually it takes forever to happen. Leaving the everlong TCP all port scan in the background I actually did some banner grabbing in the meanwhile, but for consistency sake, I also immediately did a few other nmap scans to try and get as much information as p...
Read more

HTB: Cap Walkthrough

Image
  Writeup — Cap By Araiz Naqvi Overview - Difficulty: Easy - Operating System: Linux - Objective: Capture User and Root flag. - Tools Used: nmap , ftp , sshclient , whatweb , gunicorn , wireshark , openvpn , python3 If you’re unable to view it fully due to Medium Subscriptions, you can view it at  Nmap Scanning As in most times the first step is to scan the target IP to check for open ports and service and service versions running on them: Nmap Scan As can be seen the services running are FTP , SSH and HTTP . Also, Linux seems to be running on the target. Trying Logging in FTP and SSH Let’s try to use anonymous login for FTP : FTP Login Attempt Does not allow anonymous login. Similarly, even SSH was not accepting common usernames and passwords. Clearly, I might find credentials somewhere. This is really valuable information, but let’s still get information on other aspects of the target. Let’s continue by Web Fingerprinting . Enumerating Web Fingerprint ...
Read more