After you complete a lab, HTB gives you a quiz on what you’ve done. It is designed to help you understand and retain the information provided in the write-ups and video walkthroughs for future use. ʕᵔᴥᵔʔ

It’s important to have an understanding of what has been done and what the terms mean, as this knowledge lays the foundation for penetration testing.  ʕ˶´• ᴥ •`˶ʔ 

Q1. What does the acronym VM stand for?

Answer : Virtual Machine

A VM (Virtual Machine) is essentially a software-based emulation of a physical machine, allowing you to run multiple operating systems concurrently on a single computer, such as the Linux system provided by HTB.

A VM is very important within penetration testing as it gives you a secure, isolated environment that enables you to conduct security tests and explore vulnerabilities without putting your system or network at risk.

Q2. What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell.

Answer: Terminal

The terminal shown here is the one I used, called “Parrot Terminal,” but you’re not limited to using it. You can also use PowerShell or any other terminal you have access to. The main reason terminals are used is that they provide direct access to system commands and tools, enabling faster and more accurate execution. This efficiency makes it easier to gather information about the target and identify its vulnerabilities.

Q3. What service do we use to form our VPN connection into HTB labs?

Answer : OpenVPN

This question is more specific to what the HTB labs use, but you can use any VPN to connect to your VM. It’s important to have a VPN to hide your identity and location. Just as you want to compromise an IP address, others can do the same to yours.

Q4. What tool do we use to test our connection to the target with an ICMP echo request?

Answer : Ping

Remember the Ping command we did in the labs? That’s what the question is asking here. 

To understand it, we first need to clarify what an ICMP echo request is. ICMP stands for Internet Control Message Protocol, and it’s used for error reporting and network diagnostics, typically operating at the network layer (Layer 3) of the OSI model.

When you run the ping command in your terminal with a target IP address, it sends an echo request, essentially asking the target to respond. If the target replies, that means the IP address is reachable. The ping command also shows how long it takes for the request to travel to and from the target.

Now let’s understand the information given by our ping command.

(https://linuxjourney.com/lesson/ping)

* If we pinged a website URL, DNS would have to convert the name to its corresponding IP address. We didn’t do that in this case.

** Data padding is extra bits, or space reserved for them, added besides the intended data to meet some requirement.

Ctrl+C is the shortcut to stop the command.

Remember this is the first step within Enumeration.
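To make the echo request and the data padding concrete, here is an added example (not part of the original walkthrough) that builds the ICMP message ping sends and checks a matching reply, entirely offline. The identifier, sequence number and payload bytes are constructed sample values.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo layout: type, code, checksum, identifier, sequence, data."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload

def parse_echo(packet: bytes) -> dict:
    """Decode an ICMP echo message and verify its checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes; packet too short")
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": msg_type, "code": code, "id": ident, "seq": seq,
            "payload_len": len(packet) - 8,
            # Summing a valid message, checksum field included, yields 0.
            "checksum_ok": inet_checksum(packet) == 0}

def is_reply_to(request: bytes, reply: bytes) -> bool:
    """A reply matches when type is 0 and id, seq and data are echoed back."""
    req, rep = parse_echo(request), parse_echo(reply)
    return (rep["type"] == ICMP_ECHO_REPLY and rep["checksum_ok"]
            and (rep["id"], rep["seq"]) == (req["id"], req["seq"])
            and reply[8:] == request[8:])

# Constructed sample: Linux ping sends 56 data bytes by default, so the ICMP
# message is 8 + 56 = 64 bytes (the "64 bytes from ..." in ping's output).
PADDING = bytes(range(56))
request = build_echo(ICMP_ECHO_REQUEST, ident=0x1234, seq=1, payload=PADDING)
reply = build_echo(ICMP_ECHO_REPLY, ident=0x1234, seq=1, payload=PADDING)

if __name__ == "__main__":
    print(parse_echo(request))
    print("reply matches request:", is_reply_to(request, reply))
```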

Q5. What is the name of the most common tool for finding open ports on a target?

Answer : nmap

Nmap was a tool introduced to us in the Meow lab. This was used after pinging the target, marking the second step in our enumeration process. Nmap, which stands for “Network Mapper,” is an open-source tool for network discovery and security auditing. We used it by running the command ‘sudo nmap -sV {ip_address}’.

(-sV flag for service detection, giving us more details about the services the target is using.)

For our example, we can identify the port that’s in use on the network, the status, service and version.

Just knowing that a port is open may not be enough. Having the -sV flag provides additional details, such as the service version, allowing us to conduct further research. For example, if it’s an older version, there might be some vulnerabilities already discovered that we can exploit. This is why we always update our software (I say, being a proud Windows 10 user in 2025).
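The same port, state, service and version columns can be read as an exposure audit of your own hosts. The following is an added example, not part of the original walkthrough: the scan text is a constructed sample in the layout ‘nmap -sV’ prints, and the list of cleartext services is an assumption made for the example.

```python
import re

# Constructed sample output; the address and version strings are illustrative.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
Host is up (0.045s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5
23/tcp   open     telnet     Linux telnetd
8080/tcp filtered http-proxy
"""

# One row of the port table: "23/tcp open telnet Linux telnetd".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+))?$")

# Assumption for this example: services that carry logins unencrypted.
CLEARTEXT_SERVICES = {"telnet", "ftp"}

def parse_services(scan_text: str) -> list:
    """Return one dict per port row; header and status lines are skipped."""
    rows = []
    for line in scan_text.splitlines():
        match = PORT_LINE.match(line.strip())
        if match:
            row = match.groupdict()
            row["port"] = int(row["port"])
            row["version"] = (row["version"] or "").strip()
            rows.append(row)
    return rows

def audit(rows: list) -> list:
    """Flag open ports that deserve follow-up from a defender's view."""
    findings = []
    for row in rows:
        if row["state"] != "open":
            continue                       # closed/filtered: not reachable
        if row["service"] in CLEARTEXT_SERVICES:
            findings.append((row["port"], f"{row['service']} is unencrypted; "
                             "disable it or replace it with SSH"))
        elif not row["version"]:
            findings.append((row["port"], "no version detected; "
                             "identify the service manually"))
    return findings

if __name__ == "__main__":
    for port, note in audit(parse_services(SAMPLE_SCAN)):
        print(f"{port}/tcp: {note}")
```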

Q6. What service do we identify on port 23/tcp during our scans?

Answer: telnet

From the screenshot in the previous question, we can see that port 23/tcp was open, and next to it, it says ‘telnet’. Even if we didn’t have that information there, we could also do a quick Google search about it.

Port 23 is the default TCP port for telnet. We also know that this remote-access CLI tool is outdated, so it’s full of vulnerabilities.

Q7. What username is able to log into the target over telnet with a blank password?

Answer: root

In the Meow exercise, we had to ‘crack’ the password, as telnet’s security measure is a username/password combo. Trying common usernames such as ‘admin’ and ‘administrator’, we found that ‘root’ worked, without the need for a password. This message then loaded up, and we could explore the directory.

Q8. Submit root flag

Answer : 

To submit the flag for any HTB lab, you first need to find ‘flag.txt’. In this case, it was hiding within its directory.

The command ‘cat flag.txt’ outputs its contents into the terminal.

And that’s it! The next HTB lab is Fawn, which focuses on FTP, reconnaissance and types of access. Now let’s code ‘em all! ʕ -ᴥ•ʔ♡
