[{"content":" Box info | OS: Ubuntu 20.04.2 LTS | Difficulty: Very Easy | Tier: 0 | Status: Starting Point Skills: TCP basics, Telnet protocol nuances, weak credentials Pwned: 2026-04-26\nTL;DR Meow is HTB\u0026rsquo;s first Starting Point box. One open port (23/tcp — Telnet), root login with an empty password, flag at /root/flag.txt. The interesting lesson isn\u0026rsquo;t the exploit — it\u0026rsquo;s why nc fails to talk to a Telnet server when raw sockets do not, and how to recognise protocols that need negotiation.\nRecon 1. Liveness check $ ping -c 2 10.129.97.185 64 bytes from 10.129.97.185: icmp_seq=0 ttl=63 time=38.298 ms 64 bytes from 10.129.97.185: icmp_seq=1 ttl=63 time=35.418 ms Host is alive. TTL=63 → originally 64 minus one hop, so the OS is Linux (Windows starts from 128, Cisco from 255). ICMP isn\u0026rsquo;t filtered.\n2. Top-100 port sweep $ nmap --top-ports 100 10.129.97.185 PORT STATE SERVICE 23/tcp open telnet Exactly one port open. On a Tier 0 box this is almost always the only attack surface — no need to wait for a full sweep before starting to enumerate.\n3. Full sweep + service detection (background) $ nmap -sV -sC -p- --min-rate 1000 10.129.97.185 PORT STATE SERVICE VERSION 23/tcp open telnet Linux telnetd No surprises. Telnet, full stop.\nFoothold Dead end #1 — raw sockets My first instinct was to skip the client and just talk TCP:\nimport socket s = socket.socket() s.connect((\u0026#39;10.129.97.185\u0026#39;, 23)) print(s.recv(1024)) # blocks → timeout s.send(b\u0026#39;root\\n\u0026#39;) # no echo, no response Nothing. Why? Because Telnet is not raw TCP. Per RFC 854, the server immediately sends IAC DO/DONT/WILL/WONT option-negotiation bytes (terminal type, echo mode, window size, etc.) before any login prompt. Without a client that responds to that handshake, the server waits forever.\nDead end #2 — netcat $ nc 10.129.97.185 23 # connection opens, no I/O Same root cause: nc is byte-pump, not a Telnet client. It refuses to perform option negotiation, the server refuses to give up the prompt. Lesson: nc is great for HTTP/SMTP/raw sockets, but it cannot impersonate protocols that need handshakes.\nWorking approach — Python telnetlib import telnetlib tn = telnetlib.Telnet(\u0026#39;10.129.97.185\u0026#39;, 23, timeout=5) banner = tn.read_until(b\u0026#39;Meow login:\u0026#39;, timeout=5) tn.write(b\u0026#39;root\\n\u0026#39;) print(tn.read_all().decode()) telnetlib (stdlib) implements RFC 854 negotiation properly. Banner returns:\n█ █ ▐▌ ▄█▄ █ ▄▄▄▄ █▄▄█ ▀▀█ █▀▀ ▐▌▄▀ █ █▀█ █▀█ █▌▄█ ▄▀▀▄ ▀▄▀ █ █ █▄█ █▄▄ ▐█▀▄ █ █ █ █▄▄ █▌▄█ ▀▄▄▀ █▀█ Meow login: root Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64) root@Meow:~# The server didn\u0026rsquo;t even ask for a password. root is configured with an empty password — which on most distros means \u0026ldquo;any password is accepted\u0026rdquo; or \u0026ldquo;passwordless login allowed\u0026rdquo;, depending on PAM stack.\n(If you don\u0026rsquo;t want to write Python, the canonical client is telnet 10.129.97.185 23 from the telnet package — same outcome, but writing it in telnetlib was instructive.)\nFlag root@Meow:~# cat flag.txt b40abdfe23665f766f9c61ecba8a4c19 What\u0026rsquo;s actually broken This box is intentionally a stack of textbook misconfigurations:\nTelnet exposed on the internet. All traffic — credentials, commands, output — is plaintext. Anyone on the path reads the whole session. Empty root password. Direct violation of every modern hardening standard (CIS, STIG, ISO 27001 control 9.4.3). Direct remote root login allowed. Even if a password existed, remote root over an unencrypted protocol fails on layered defence — both PermitRootLogin and Require encrypted transport should reject this. Remediation (the boring half) Replace Telnet with SSH and disable root login:\napt install -y openssh-server systemctl enable --now ssh systemctl disable --now inetd # or whatever spawns telnetd In /etc/ssh/sshd_config:\nPermitRootLogin no PasswordAuthentication no PubkeyAuthentication yes Lock the root account explicitly:\npasswd -l root Firewall:\nufw default deny incoming ufw allow 22/tcp ufw enable MITRE ATT\u0026amp;CK mapping Tactic Technique How it shows up here Initial Access T1078 — Valid Accounts Logging in as root Execution T1059 — Command and Scripting Interpreter Running cat over the Telnet shell Collection T1005 — Data from Local System Reading /root/flag.txt Lessons learned TTL fingerprints OS family. TTL of 63/64 → Linux/Unix; 127/128 → Windows; 254/255 → Cisco/router/BSD. Always check before deciding flags for nmap. --top-ports 100 first, full sweep in background. Don\u0026rsquo;t block on the slow scan when you can already start enumerating. Some protocols need a handshake. Raw sockets and nc work for HTTP/SMTP/Redis. They fail silently against Telnet/SSH/TLS. When the connection succeeds but you get nothing, consider that the server is waiting on a client-initiated handshake. Try the obvious creds first. root:, root:root, admin:admin. Don\u0026rsquo;t reach for Hydra on a box where the answer is \u0026ldquo;no password\u0026rdquo;. 🤖 AI-assist log Transparency over polish. This is exactly where Claude was in the loop on this box.\nStep What I asked What Claude returned What I changed Raw socket dead end \u0026ldquo;Why does my Python socket send to port 23 timeout?\u0026rdquo; Pointed to RFC 854 Telnet option negotiation. Cited the exact IAC DO/DONT/WILL/WONT byte sequence. Nothing — the explanation was correct and led directly to switching to telnetlib. nc dead end \u0026ldquo;Same Telnet target, nc opens connection but I see nothing — same issue?\u0026rdquo; Confirmed: nc is a raw byte pump, doesn\u0026rsquo;t do Telnet negotiation. Suggested socat or telnet client. Picked telnetlib instead since I wanted Python control. TTL fingerprint \u0026ldquo;TTL=63 from a Linux box — is that always reliable?\u0026rdquo; Caveated: TTL is a hop-decremented heuristic, can be spoofed (Linux net.ipv4.ip_default_ttl=128). Useful as first signal, not proof. Added the caveat into \u0026ldquo;Lessons learned\u0026rdquo;. MITRE mapping \u0026ldquo;Map empty-password Telnet root login to ATT\u0026amp;CK.\u0026rdquo; Suggested T1078 (Valid Accounts) as primary, T1110.001 (Brute Force: Password Guessing) as secondary. Dropped T1110 — there was no guessing, just an empty-string accept. Kept T1078. What Claude got wrong: nothing significant on this box. What Claude couldn\u0026rsquo;t do: actually run the exploit. The agent has no network access to HTB, all execution happens on my local machine. Net assist value: high on the why-explanations (RFC 854, TTL theory), zero on the what-actions (nmap, telnetlib).\nReferences HTB Meow — official box page (login required) RFC 854 — Telnet Protocol Specification MITRE ATT\u0026amp;CK T1078 CIS Ubuntu 20.04 Benchmark — Section 5.2 — exact controls for SSH/root hardening ","permalink":"https://craizy.dev/writeups/meow/","summary":"\u003cblockquote\u003e\n\u003cp\u003e\u003cstrong\u003eBox info\u003c/strong\u003e | OS: Ubuntu 20.04.2 LTS | Difficulty: Very Easy | Tier: 0 | Status: Starting Point\n\u003cstrong\u003eSkills\u003c/strong\u003e: TCP basics, Telnet protocol nuances, weak credentials\n\u003cstrong\u003ePwned\u003c/strong\u003e: 2026-04-26\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003ch2 id=\"tldr\"\u003eTL;DR\u003c/h2\u003e\n\u003cp\u003eMeow is HTB\u0026rsquo;s first Starting Point box. One open port (\u003ccode\u003e23/tcp\u003c/code\u003e — Telnet), \u003ccode\u003eroot\u003c/code\u003e login with an empty password, flag at \u003ccode\u003e/root/flag.txt\u003c/code\u003e. The interesting lesson isn\u0026rsquo;t the exploit — it\u0026rsquo;s \u003cem\u003ewhy\u003c/em\u003e \u003ccode\u003enc\u003c/code\u003e fails to talk to a Telnet server when raw sockets do not, and how to recognise protocols that need negotiation.\u003c/p\u003e","title":"HTB Starting Point — Meow"},{"content":"I\u0026rsquo;m a security researcher building an AI-augmented offensive workflow. Most of my pentest work happens with Claude in the loop — not as a magic oracle, but as a fast research assistant, payload analyst, and methodology critic.\nThis blog exists for three reasons:\nTransparency. Every writeup tells you where AI helped, where AI failed, and what I had to figure out manually. No magic. Methodology over flags. A pwn is just a checkpoint. The interesting question is how the thinking went. Public learning record. This is my white-hat trail — for recruiters, for the Anthropic CVP review, for myself. What you\u0026rsquo;ll find here 🟢 Starting Point — Tier 0–2 walkthroughs. Foundation, not flex. 🔵 Easy / Medium retired machines — real portfolio. 🟣 CTF events (Cyber Apocalypse, Business CTF) — published the day they end. 🤖 AI-assist log in every post — exactly what I asked Claude, what it gave me, what I corrected. Tooling Notes: Obsidian Writeup pipeline: Markdown → Hugo → Caddy on bare-metal Ubuntu AI: Claude Opus 4.7 via Claude Code (CVP-pending) Recon: nmap, ffuf, gobuster, BloodHound, kerbrute, evil-winrm Reporting: SysReptor for cert exams Contact Telegram: @pankratix\n","permalink":"https://craizy.dev/about/","summary":"\u003cp\u003eI\u0026rsquo;m a security researcher building an AI-augmented offensive workflow.\nMost of my pentest work happens \u003cem\u003ewith Claude in the loop\u003c/em\u003e — not as a magic oracle, but as a fast research assistant, payload analyst, and methodology critic.\u003c/p\u003e\n\u003cp\u003eThis blog exists for three reasons:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eTransparency.\u003c/strong\u003e Every writeup tells you where AI helped, where AI failed, and what I had to figure out manually. No magic.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMethodology over flags.\u003c/strong\u003e A pwn is just a checkpoint. The interesting question is how the thinking went.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePublic learning record.\u003c/strong\u003e This is my white-hat trail — for recruiters, for the Anthropic CVP review, for myself.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"what-youll-find-here\"\u003eWhat you\u0026rsquo;ll find here\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e🟢 \u003cstrong\u003eStarting Point\u003c/strong\u003e — Tier 0–2 walkthroughs. Foundation, not flex.\u003c/li\u003e\n\u003cli\u003e🔵 \u003cstrong\u003eEasy / Medium retired machines\u003c/strong\u003e — real portfolio.\u003c/li\u003e\n\u003cli\u003e🟣 \u003cstrong\u003eCTF events\u003c/strong\u003e (Cyber Apocalypse, Business CTF) — published the day they end.\u003c/li\u003e\n\u003cli\u003e🤖 \u003cstrong\u003eAI-assist log\u003c/strong\u003e in every post — exactly what I asked Claude, what it gave me, what I corrected.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"tooling\"\u003eTooling\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eNotes: Obsidian\u003c/li\u003e\n\u003cli\u003eWriteup pipeline: Markdown → Hugo → Caddy on bare-metal Ubuntu\u003c/li\u003e\n\u003cli\u003eAI: Claude Opus 4.7 via Claude Code (CVP-pending)\u003c/li\u003e\n\u003cli\u003eRecon: nmap, ffuf, gobuster, BloodHound, kerbrute, evil-winrm\u003c/li\u003e\n\u003cli\u003eReporting: SysReptor for cert exams\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"contact\"\u003eContact\u003c/h2\u003e\n\u003cp\u003eTelegram: \u003ca href=\"https://t.me/pankratix\"\u003e@pankratix\u003c/a\u003e\u003c/p\u003e","title":"About"}]