Meow is the very first machine in HackTheBox's Starting Point series. It introduces the most fundamental concept in offensive security: services left open with no authentication. The vector here is Telnet — a legacy remote access protocol that sends everything in plaintext and, when misconfigured, lets you walk straight into a root shell.
| Skill | Why it matters |
|---|---|
| Port scanning with Nmap | Identifying open services is the foundation of every engagement |
| Telnet enumeration | Legacy protocols are still deployed in real environments |
| Unauthenticated root access | Misconfigured services granting root without credentials are a critical finding |
| Linux file navigation | Finding and reading flag files mirrors real post-exploitation objectives |
Start with a service version scan across all TCP ports to understand the attack surface.
What you're seeing: port 23 (Telnet) is open. No SSH, no HTTP — just Telnet. This immediately signals a legacy or deliberately misconfigured system. In a real engagement this would be a critical finding before you even connect.
Connect to the Telnet service. When prompted for a login, try common default and privileged usernames before reaching for any tooling.
What happened: the service accepted root with no password. This is a classic misconfiguration — Telnet daemon running as root with no password set, granting immediate shell access to anyone who connects.
| Concept | Real-world relevance |
|---|---|
| Default / no credentials | One of the most common findings in internal pentests, especially on network devices and IoT |
| Telnet is plaintext | Any credential entered over Telnet can be captured by passive network monitoring |
| Port 23 in scope | Always scan all ports — critical services often run on non-standard or legacy ports |
| Root without exploit | The highest-impact findings often require no CVE — just poor configuration |
The most dangerous vulnerabilities are not always the most complex. An open Telnet port with no password is as critical as a remote code execution CVE — both give an attacker full control.
