Part of the OSAI Prep series → — HTB writeups mapped to OWASP LLM Top 10.
Machine Summary
| Field | Value |
|---|---|
| Platform | HackTheBox |
| Difficulty | Very Easy |
| OS | Linux |
| Vulnerability | Telnet root login with blank password |
| OWASP Mapping | A07 — Identification and Authentication Failures |
Reconnaissance
We start with a service scan:
nmap -sC -sV 10.129.2.211One open port: Telnet on port 23. Telnet is an unencrypted remote access protocol — no TLS, credentials in plaintext, considered insecure since the mid-90s. Its presence on a public-facing machine in 2026 is itself a finding.
We connect directly:
telnet 10.129.2.211A login prompt appears. We test common default usernames — admin, administrator, root — with blank passwords. root with no password succeeds immediately.
Privilege Escalation
Not required. The root account had no password. Initial access was full system access.
Root Cause
Two failures combined:
- Telnet exposed on a public interface. An unencrypted, legacy protocol serving as the remote access method for a production system.
- Root account with a blank password. The most privileged account on the system had no authentication requirement whatsoever.
Neither failure is subtle. Both are detectable by any basic security scan. Together, they hand an attacker the keys to the system with a single command.
The AI Equivalent
OWASP LLM Top 10 Mapping: LLM07 — Insecure Plugin Design
The Telnet-blank-root pattern maps precisely to MCP servers and AI agent orchestration endpoints deployed without authentication.
When you run an MCP server over stdio, it inherits your local OS session — there’s no separate auth layer because there doesn’t need to be; it’s local. The moment you expose that server over a network transport (HTTP, SSE, TCP) without adding authentication, you’ve recreated Meow: a powerful interface with no credentials required. Any client that can reach the port gets full access to every tool the server exposes — file reads, web fetches, code execution, database queries, shell commands.
The blank root password and the missing Authorization header are structurally identical decisions. One exposes the operating system. The other exposes everything the AI agent is authorized to do on your behalf.
This isn’t hypothetical. LangServe instances, local Ollama deployments, and MCP servers spun up for development get exposed on cloud VMs — either accidentally through misconfigured security groups, or deliberately as part of a multi-agent setup where the developer assumed the network was trusted. The assumption is wrong. The tool interface has no credential gate. Anyone who can connect is root.
MCP tools are plugins. An MCP server without authentication is a plugin with no credential check at the design level — not a misconfiguration, but a missing control. The spec supports authentication; the implementation often skips it.
Lessons Learned
- Never expose Telnet to the internet. Use SSH with key-based authentication. There is no legitimate reason to run Telnet on an internet-accessible host in 2026.
- Disable direct root login over remote protocols. Even with SSH,
PermitRootLogin noforces attackers to escalate from a non-root account — adding a layer. - Enforce password policies at the OS level. A blank password on any account should be impossible in production. PAM configurations can enforce this.
- Authenticate MCP and agent tool endpoints at the transport layer. If an MCP server is reachable over a network, it needs authentication — API key, mTLS, or token-based auth — before any tool invocation is permitted. Default open is default exploitable.