π± Hack The Box Starting Point: Meow Walkthrough
Welcome to the first walkthrough in our Hack The Box Starting Point series. If you're reading this, you're probably new to penetration testing, or maybe you've done some CTFs but want to understand the methodology better.
Meow is intentionally simple. It's designed to introduce you to the fundamentals of penetration testing: enumeration, port scanning, and understanding the risks of legacy protocols.
By the end of this post, you'll understand:
- How to verify connectivity to a target
- How to scan for open ports and services
- The security risks of telnet
- How weak credentials can lead to complete system compromise
- Basic post-exploitation techniques
Let's get started.
π― The Objective
Meow is a very easy Linux machine that teaches basic enumeration and the dangers of legacy protocols. Your goal is to:
- Connect to the HTB network
- Enumerate the target machine
- Exploit a misconfigured service
- Retrieve the flag
What you'll learn:
- Basic network enumeration (
ping) - Port scanning with
nmap - Interacting with telnet services
- The risks of default/weak credentials
- Reading files on Linux systems
Difficulty: Very Easy (Tier 0)
π Initial Setup
Understanding Virtual Machines (VMs)
Before we start, let's clarify what we're working with. VM stands for Virtual Machineβa software-based emulation of a computer system. HTB machines are VMs running on HTB's infrastructure. When you "spawn" a machine, you're starting a VM that's been configured with intentional vulnerabilities for you to practice on.
Think of it like this: instead of needing physical hardware, you're accessing a virtual computer over the network. This is safer, cheaper, and allows HTB to reset machines easily after each use.
Using a Terminal
To interact with HTB machines and run commands, you need a terminal (also called a console or shell). A terminal is a text-based interface where you type commands and see text output.
How to get a terminal:
- Linux: Open Terminal (usually Ctrl+Alt+T)
- macOS: Open Terminal (Applications β Utilities β Terminal)
- Windows: Use PowerShell, Command Prompt, or install WSL (Windows Subsystem for Linux)
- HTB Pwnbox: Already has a terminal built-in
The terminal is where you'll run all your penetration testing commandsβfrom connecting to the VPN to scanning ports to exploiting services.
Connecting to HTB Network with OpenVPN
Before you can attack any HTB machine, you need to connect to their network. HTB uses OpenVPN to form a VPN (Virtual Private Network) connection into their labs.
What is OpenVPN? OpenVPN is an open-source VPN protocol that creates a secure, encrypted tunnel between your computer and HTB's network. This allows you to access machines that aren't publicly available on the internet.
How to connect:
-
Download your OpenVPN configuration:
- Log into HTB
- Go to "Access" β "OpenVPN"
- Download your personal
.ovpnfile (this contains your unique credentials)
-
Connect using OpenVPN:
- Linux:
sudo openvpn yourfile.ovpn - macOS:
sudo openvpn yourfile.ovpn(install via Homebrew if needed) - Windows: Use OpenVPN GUI client
- HTB Pwnbox: Already connected, skip this step
- Linux:
-
Verify connection:
- You should see "Initialization Sequence Completed" when connected
- Your terminal will show a new network interface (usually
tun0)
Alternative: HTB also offers Pwnboxβan in-browser Linux environment that's already connected to the HTB network. This is easier for beginners since you don't need to set up OpenVPN yourself.
Spawning the Machine
Once you're connected to the HTB network (via OpenVPN or Pwnbox), you need to start the vulnerable machine:
- Go to the Starting Point page
- Find the Meow machine
- Click "Spawn Machine" β this starts the vulnerable VM
- Wait a minute or two for it to boot up
- Note the target IP address β you'll need this for all your commands
Important: HTB machines automatically shut down after a certain period of inactivity. If your machine stops responding, you may need to spawn it again.
π‘ Step 1: Reconnaissance
Verifying Connectivity with Ping
First, let's make sure we can reach the target machine. The tool we use to test our connection to the target with an ICMP echo request is ping.
What is ping?
ping sends ICMP (Internet Control Message Protocol) echo requests to a target and waits for echo replies. If you get replies, the target is reachable and responding. It's the most basic network connectivity test.
ping -c 4 <target_ip>
What this does:
pingβ Sends ICMP echo requests to test network connectivity-c 4β Send 4 packets then stop (Linux/macOS)<target_ip>β Replace with the actual IP address from HTB
Expected output:
PING <target_ip> (<target_ip>) 56(84) bytes of data.
64 bytes from <target_ip>: icmp_seq=1 ttl=63 time=XX ms
64 bytes from <target_ip>: icmp_seq=2 ttl=63 time=XX ms
64 bytes from <target_ip>: icmp_seq=3 ttl=63 time=XX ms
64 bytes from <target_ip>: icmp_seq=4 ttl=63 time=XX ms
--- <target_ip> ping statistics ---
4 packets transmitted, 4 received, 0% packet loss
If you see responses, you're connected! If not, check:
- Is the machine spawned?
- Are you connected to the HTB network?
- Did you use the correct IP address?
Pro tip: On Windows, use ping -n 4 <target_ip> instead of -c 4.
π Step 2: Port Scanning
Now that we know the machine is alive, let's find out what services are running. The name of the most common tool for finding open ports on a target is nmap (Network Mapper).
What is nmap?
nmap is the industry-standard port scanning tool used by penetration testers, network administrators, and security professionals. It can discover open ports, identify services, detect versions, and much more.
Basic Nmap Scan
nmap -sV <target_ip>
What this does:
nmapβ The port scanning tool-sVβ Version detection (tries to identify service versions)<target_ip>β The target machine's IP address
Note: You might need sudo for some scan types, but basic scans usually work without it.
Expected output:
Starting Nmap 7.94 ( https://nmap.org ) at 2026-02-01 12:00 UTC
Nmap scan report for <target_ip>
Host is up (0.XXs latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
23/tcp open telnet Linux telnetd
What we learned:
- Port 23/tcp is open
- The service is telnet
- It's running Linux telnetd
Understanding the Results
Port 23 is the default port for telnet, an old protocol used for remote terminal access. Telnet is insecure because:
- All data (including passwords) is sent in plain text
- No encryption
- Vulnerable to man-in-the-middle attacks
- Should never be used in production environments
Modern systems use SSH (port 22) instead, which encrypts all communication.
π¨ Step 3: Exploitation
Connecting via Telnet
Since telnet is running, let's try to connect to it:
telnet <target_ip> 23
What this does:
telnetβ The telnet client<target_ip>β Target machine IP23β Port number (optional since 23 is the default)
Expected output:
Trying <target_ip>...
Connected to <target_ip>.
Escape character is '^]'.
Meow login:
The machine is asking for a login. This is where we need to think about common misconfigurations.
Trying Default Credentials
In penetration testing, one of the first things you check is default or weak credentials. Many systems are deployed with:
- Default usernames (
admin,root,user) - Blank passwords
- Weak passwords (
password,12345, etc.)
The username that is able to log into the target over telnet with a blank password is root.
When prompted for login, type:
root
Then press Enter. When it asks for a password, press Enter again (blank passwordβjust hit Enter without typing anything).
Expected result:
Meow login: root
Password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-74-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
root@Meow:~#
Success! We're logged in as root with no password required.
What happened:
- The machine was configured with a blank root password
- This is a critical security misconfiguration
- We now have full administrative access to the system
π΄ Step 4: Post-Exploitation
Finding the Flag
HTB machines always have a flag file that proves you've compromised the system. Let's find it.
Common locations for flags:
/root/flag.txt/root/root.txt/home/<user>/user.txt/flag.txt
Let's check the most common location first:
cat /root/flag.txt
What this does:
catβ Display file contents/root/flag.txtβ The flag file path
Expected output:
<flag_content>
Success! You've found the flag. Copy this and submit it on the HTB platform to mark the machine as complete.
Understanding What We Did
Let's break down what we accomplished:
- Reconnaissance β Verified the machine was reachable
- Enumeration β Discovered telnet running on port 23
- Exploitation β Connected via telnet and logged in with default credentials
- Post-exploitation β Retrieved the flag
This is the basic penetration testing methodology: recon β enumerate β exploit β post-exploit.
β HTB Task Answers Summary
If you're working through HTB's questions, here are the answers:
- What does the acronym VM stand for? β Virtual Machine
- What tool do we use to interact with the operating system? β terminal (also called console or shell)
- What service do we use to form our VPN connection into HTB labs? β openvpn
- What tool do we use to test our connection with an ICMP echo request? β ping
- What is the most common tool for finding open ports? β nmap
- What service do we identify on port 23/tcp? β telnet
- What username logs in over telnet with a blank password? β root
π‘ Key Takeaways
What You Learned
- VM (Virtual Machine) β Understanding what VMs are and how HTB uses them
- Terminal β Using a command-line interface to interact with the operating system
- OpenVPN β Connecting to HTB's network via VPN
- ping β Testing connectivity with ICMP echo requests
- nmap β Finding open ports on a target
- telnet β Identifying the service on port 23/tcp
- root β The username that works with a blank password
- Legacy protocol risks β Why telnet is dangerous
- Weak credentials β The dangers of default/blank passwords
- Basic Linux commands β
catfor reading files
Why This Matters in Real Penetration Testing
Legacy protocols like telnet are still found in:
- Old industrial control systems
- Legacy network equipment
- Systems that haven't been updated
- Embedded devices
Weak credentials are one of the most common vulnerabilities:
- Default passwords on network devices
- Blank passwords on test systems that made it to production
- Weak passwords that never got changed
What this teaches you:
- Always check for default credentials
- Legacy protocols are security risks
- Proper authentication is critical
- Misconfigurations can lead to complete compromise
π Security Lessons
For System Administrators
Never use telnet in production:
- Use SSH instead (encrypted, secure)
- Disable telnet if it's not needed
- If you must use telnet, restrict access with firewalls
Always change default credentials:
- Set strong passwords for all accounts
- Disable default accounts when possible
- Use password policies to enforce complexity
Regular security assessments:
- Scan your network for open services
- Check for default credentials
- Identify legacy protocols that need to be replaced
For Penetration Testers
This machine demonstrates:
- The importance of thorough enumeration
- How simple misconfigurations can lead to compromise
- Why checking default credentials is essential
- The value of understanding service versions
In real assessments:
- Always check for default credentials
- Identify legacy protocols and their risks
- Document misconfigurations clearly
- Explain the business impact of findings
π Alternative Approaches
More Thorough Scanning
You could do a more comprehensive scan:
nmap -p- -sV <target_ip>
What this does:
-p-β Scan all 65,535 ports (takes longer)-sVβ Version detection
For this machine, it's overkill, but it's good practice for more complex targets.
Using Nmap Scripts
Nmap has scripts that can automate common checks:
nmap --script telnet-brute <target_ip>
This would try to brute force telnet credentials, though for this machine it's unnecessary since blank password works.
π¨ Common Issues
"Connection refused" or "Connection timed out"
Problem: Can't connect to the machine.
Solutions:
- Make sure the machine is spawned
- Verify you're connected to HTB network (Pwnbox or OpenVPN)
- Check that you're using the correct IP address
- Wait a minute for the machine to fully boot
"Permission denied" when using nmap
Problem: Nmap needs elevated privileges for some scan types.
Solution: Use sudo:
sudo nmap -sV <target_ip>
Telnet command not found
Problem: Telnet client isn't installed.
Solution: Install it:
- Linux:
sudo apt install telnet(Debian/Ubuntu) orsudo yum install telnet(RHEL/CentOS) - macOS: Usually pre-installed, but can install via Homebrew if needed
- Windows: Enable via "Turn Windows features on or off" β Telnet Client
π Additional Resources
- Nmap Documentation β Complete guide to port scanning
- HTB Meow Machine Page β Official machine page
- Telnet Security Risks β Why telnet is insecure
- HTB Starting Point Guide β Official HTB documentation
π― What's Next?
Now that you've completed Meow, you're ready for the next machine in Tier 0: Fawn.
Fawn will teach you:
- FTP enumeration
- Anonymous access
- File transfer protocols
- Directory traversal basics
But first, make sure you:
- β Successfully completed Meow
- β Understand the basic methodology (recon β enumerate β exploit)
- β
Know how to use
nmapfor port scanning - β Understand why telnet is insecure
π Completion Proof
I successfully completed Meow on June 11, 2025. You can verify the completion here.
Questions about Meow or penetration testing? Reach out directly:
- Email: m1k3@msquarellc.net
- Phone: (559) 670-3159
- Schedule: Book a free consultation
M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice