Post

Hack The Box Meow

Posted Updated
Preview Image
By K4miyo Touma 4 min read

Máquina Meow

Se procede con la fase de reconocimiento lanzando primeramente un ping a la dirección IP 10.129.31.92.

1
2
3
4
5
6
7

❯ ping -c 1 10.129.31.92
PING 10.129.31.92 (10.129.31.92) 56(84) bytes of data.
64 bytes from 10.129.31.92: icmp_seq=1 ttl=63 time=82.6 ms

--- 10.129.31.92 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 82.632/82.632/82.632/0.000 ms

De acuerdo con el TTL de traza ICMP, se puede determinar que se trata de una máquina con sistema operativo (sistema operativo). A continuación se procede con la ejecución de nmap para determinar los puertos abiertos de la máquina y exportanto la información al archivo allPorts.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

❯ nmap -p- --open -sS --min-rate 5000 -vvv -Pn 10.129.31.92 -oG allPorts
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-30 16:06 CST
Initiating Parallel DNS resolution of 1 host. at 16:06
Completed Parallel DNS resolution of 1 host. at 16:06, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:06
Scanning 10.129.31.92 [65535 ports]
Discovered open port 23/tcp on 10.129.31.92
Completed SYN Stealth Scan at 16:07, 13.26s elapsed (65535 total ports)
Nmap scan report for 10.129.31.92
Host is up, received user-set (0.074s latency).
Scanned at 2023-07-30 16:06:59 CST for 13s
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE REASON
23/tcp open  telnet  syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.39 seconds
           Raw packets sent: 65865 (2.898MB) | Rcvd: 65635 (2.625MB)

Mediante la función extractPorts definida a nivel de zsh , se obtiene la información más relevante de la captura grepeable.

1
2
3
4
5
6
7
8
9
10
11
12
13

❯ extractPorts allPorts
───────┬───────────────────────────────────
       │ File: extractPorts.tmp
───────┼───────────────────────────────────
   1   │ 
   2   │ [*] Extracting information...
   3   │ 
   4   │     [*] IP Address: 10.129.31.92
   5   │     [*] Open ports: 23
   6   │ 
   7   │ [*] Ports copied to clipboard
   8   │ 
───────┴──────────────────────────────────

A continuación se lanza una serie de scripts para determinar el servicio y versión que corren para los puertos detectados.

1
2
3
4
5
6
7
8
9
10
11

❯ nmap -sCV -p23 10.129.31.92 -oN targeted
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-30 16:09 CST
Nmap scan report for 10.129.31.92
Host is up (0.073s latency).

PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.51 seconds

Observamos el puerto 23 abierto asociado el servico de telnet, así que vamos a conectarnos como el usuario root sin proporcionar contraseña.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

 telnet 10.129.31.92
Trying 10.129.31.92...
Connected to 10.129.31.92.
Escape character is '^]'.


  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█


Meow login: 
Password: 

Login incorrect
Meow login: root
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun 30 Jul 2023 10:11:02 PM UTC

  System load:           0.0
  Usage of /:            41.7% of 7.75GB
  Memory usage:          4%
  Swap usage:            0%
  Processes:             135
  Users logged in:       0
  IPv4 address for eth0: 10.129.31.92
  IPv6 address for eth0: dead:beef::250:56ff:feb0:76ba

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

75 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Sep  6 15:15:23 UTC 2021 from 10.10.14.18 on pts/0
root@Meow:~#

Ya somos el usuario root y podemos visualizar la flag (flag.txt).

Very Easy, Linux
Telnet Network Protocols Reconnaissance Weak Credentials Misconfiguration
This post is licensed under CC BY 4.0 by the author.