⚠️ Legal Disclaimer: This content is for educational purposes only. Always ensure you have proper authorization before testing

Meow is the very first machine in HackTheBox's Starting Point series. It introduces the most fundamental concept in offensive security: services left open with no authentication. The vector here is Telnet — a legacy remote access protocol that sends everything in plaintext and, when misconfigured, lets you walk straight into a root shell.

Tools: nmap · telnet  ·  Difficulty: Very Easy  ·  OS: Linux
01 — What You Will Learn
SkillWhy it matters
Port scanning with NmapIdentifying open services is the foundation of every engagement
Telnet enumerationLegacy protocols are still deployed in real environments
Unauthenticated root accessMisconfigured services granting root without credentials are a critical finding
Linux file navigationFinding and reading flag files mirrors real post-exploitation objectives
02 — Reconnaissance

Start with a service version scan across all TCP ports to understand the attack surface.

Nmap scan
nmap -sV -sC -p- --min-rate 5000 10.129.x.x
Expected output
PORT STATE SERVICE VERSION 23/tcp open telnet Linux telnetd

What you're seeing: port 23 (Telnet) is open. No SSH, no HTTP — just Telnet. This immediately signals a legacy or deliberately misconfigured system. In a real engagement this would be a critical finding before you even connect.

ℹ  -sC runs default scripts, -sV probes for service versions, -p- scans all 65535 ports. The --min-rate 5000 flag speeds up the scan — fine for HTB labs, be more conservative on real targets.
03 — Exploitation

Connect to the Telnet service. When prompted for a login, try common default and privileged usernames before reaching for any tooling.

Connect via Telnet
telnet 10.129.x.x
Login attempt
Meow login: root #

What happened: the service accepted root with no password. This is a classic misconfiguration — Telnet daemon running as root with no password set, granting immediate shell access to anyone who connects.

⚠  Telnet transmits all data — including credentials — in plaintext. Any attacker on the same network segment can sniff the session with Wireshark or tcpdump. In production environments, Telnet should never be used; SSH is the replacement.
04 — Post-Exploitation & Flag
Find the flag
whoami # root ls /root # flag.txt cat /root/flag.txt
✓ Submit the flag string to complete the machine.
05 — Key Takeaways
ConceptReal-world relevance
Default / no credentialsOne of the most common findings in internal pentests, especially on network devices and IoT
Telnet is plaintextAny credential entered over Telnet can be captured by passive network monitoring
Port 23 in scopeAlways scan all ports — critical services often run on non-standard or legacy ports
Root without exploitThe highest-impact findings often require no CVE — just poor configuration
The most dangerous vulnerabilities are not always the most complex. An open Telnet port with no password is as critical as a remote code execution CVE — both give an attacker full control.