Today I will introduce you to the platform HackMyVM.eu and would like to help you to solve the first 10 levels of the Venus Lab.
HackMyVM.eu is a platform with VMs that you can download and hack offline (as the name of the site suggests), classic CTF challenges, and two online labs (Venus and Hades).
The Venus Lab from HackMyVM is aimed at beginners who do not have too much experience with the Linux console. However, there are also a few tasks that can be a bit tricky for an absolute novice in this area.
In order to hack your way through the Lab, you must first create a HackMyVM account. This is completely free and you only need to enter an email address.
After registration, simply open a terminal and connect to the lab with ssh. You can find the credentials for the SSH login at https://hackmyvm.eu/venus/
Mission: User sophia has saved her password in a hidden file in this folder. Find it and log in as sophia.
To display all files in a directory, Linux provides the
ls command. However, this command does not display hidden files by default. However, if you call the command with the -a option, hidden files are also displayed. The -l option prints the result as a list. I almost always use this option.
ls -la drwxr-x--- 2 root hacker 4096 Feb 24 11:50 . drwxr-xr-x 55 root root 4096 Feb 24 11:47 .. -rw-r----- 1 root hacker 31 Feb 24 11:50 ... -rw-r--r-- 1 hacker hacker 220 Aug 4 2021 .bash_logout -rw-r--r-- 1 hacker hacker 3526 Aug 4 2021 .bashrc -rw-r----- 1 root hacker 16 Feb 24 11:47 .myhiddenpazz -rw-r--r-- 1 hacker hacker 807 Aug 4 2021 .profile -rw-r----- 1 root hacker 287 Feb 24 11:47 mission.txt -rw-r----- 1 root hacker 2542 Feb 24 11:47 readme.txt
Now all files in the current directory are listed here. The files with the dot at the beginning are hidden files, which would not appear with an ls without -a.
Now to display the contents of the file ‘.myhiddenpazz’ we use the
And here we have the password for the user ‘sophia’.
To change the user, just use the
su command followed by the username you want to change to.
su sophia Password:
You will be prompted to enter the password of the desired user. If everything worked, you are logged in as the desired user and can change to the user’s home directory with a
cd ~. Here you will find a file called ‘flagz.txt’ with a flag that you can enter at https://hackmyvm.eu/venus/flagz.php to confirm that you have solved this level (as mentioned above, you can use the
cat command to display the contents of a file). You can then find the mission description for the next level in the ‘mission.txt’ file in the current home directory.
Additionally, there is another hidden file in the home directory of the user hacker. Remember hidden files begin with a dot … In that file you will find an extra hidden flag which you can enter at the ‘flagz’ side on hackmyvm.eu!
I have described the first level relatively detailed. I will abbreviate the matter in the following levels. If anything is unclear, feel free to point it out to me using the comment function.
Mission: The user angela has saved her password in a file but she does not remember where … she only remembers that the file was called whereismypazz.txt
As the mission text mentioned we need to find a file ‘whereismypazz.txt’. For this we have the
find command. This has some useful options. Here we use the -name option.
find / -name "whereismypazz.txt" 2>/dev/null /usr/share/whereismypazz.txt
The first ‘/’ specifies where to search, namely in the root directory, starting from the beginning. The -name option is self-explanatory and the ‘2>/dev/null’ is there to suppress possible error messages. 2 is the standard error output, which is redirected to /dev/null with >.
Now you have the file containing the password for the next user.
Mission: The password of the user emma is in line 4069 of the file findme.txt
Here we use the
sed command to print line 4069 of the file ‘findme.txt’.
sed -n '4069p' findme.txt
You have the next password.
Mission: User mia has left her password in the file -.
Since we can’t pass the filename ‘-‘ to the
cat command, because options are prefixed with a ‘-‘ and cat thus can’t recognize this name as such, we have to trick it a bit. We simply tell cat to look for the file in the current directory. We can do this by prefixing the filename with the string ‘./’. So the complete command is
Mission: It seems that the user camila has left her password inside a folder called hereiam
Here we can work with the method from level 2 in combination with the method from level 1:
find / -name "hereiam" 2>/dev/null /opt/hereiam ls -la /opt/hereiam total 12 drwxr-xr-x 2 root root 4096 Feb 24 11:47 . drwxr-xr-x 1 root root 4096 Feb 24 11:47 .. -rw-r--r-- 1 root root 16 Feb 24 11:47 .here cat /opt/hereiam/.here
Mission: The user luna has left her password in a file inside the muack folder.
Again we can work with the
find command. This time, however, with the option ‘-type f’ which explicitly searches for files and does not output directories.
find ./muack -type f ./muack/111/111/muack cat ./muack/111/111/muack
Mission: The user eleanor has left her password in a file that occupies 6969 bytes.
Again we can use the
find command. This time with the option ‘-size’, where we append a ‘c’ to the file size, because otherwise
find would search for 6969 blocks not for 6969 bytes.
find / -size 6969c 2>/dev/null /usr/share/man/man1/h2xs.1.gz /usr/share/moon.txt cat /usr/share/moon.txt
find has found two files with the corresponding size. Since we do not assume that the password file is compressed, we first try to output the contents of the ‘.txt’ file and thus get the password for the next user.
Mission: The user victoria has left her password in a file in which the owner is the user violin.
Again a use case for the
find command. This time with the -user option
find / -user violin 2>/dev/null /usr/local/games/yo cat /usr/local/games/yo
Mission: The user isla has left her password in a zip file.
To unzip a zip file we need to have write permissions for the destination. Since we don’t have write permissions in the current home directory we create a temporary folder inside the ‘/tmp’ folder.
mkdir /tmp/1234 unzip passw0rd.zip -d /tmp/1234 Archive: passw0rd.zip extracting: /tmp/1234/pwned/victoria/passw0rd.txt cat /tmp/1234/pwned/victoria/passw0rd.txt
MIssion: The password of the user violet is in the line that begins with a9HFX (these 5 characters are not part of her password.).
Here a new very important command comes into play, the
grep command. This is used to search for certain strings or regular expressions. Here we also use a regular expression. We are looking for a string that starts with ‘a9HFX’. For this we use the ^ character, which marks the start of a string. We also use the | character (AltGr + < on german keyboard layout) to redirect (aka ‘pipe’) the output of the
cat command to the input of the
cat passy | grep ^a9HFX
Make sure that the password starts after the search string.