This is the second post in my series on the HackMyVM.eu platform, in which I want to help you solve levels 11 – 20 of the Venus Lab.
If you want to know more about HackMyVM.eu and the Venus Lab, check out my first post in the series on HackMyVM.
In order to connect to the lab, you need to register on HackMyVM.eu. After the free registration just open a terminal and connect to the lab with ssh. You can find the credentials at https://hackmyvm.eu/venus/
Mission: The password of the user lucy is in the line that ends with 0JuAZ (these last 5 characters are not part of her password)
The password for Lucy is in the file ‘end’, on the line ending with ‘0JuAZ’. To get the password, we simply use cat to print the contents of ‘end’ and pipe them to grep with the regular expression 0JuAZ$. The dollar sign anchors the match to the end of the line, so only lines ending with the characters before the dollar sign are printed.
cat end | grep '0JuAZ$'
Now you have the credentials for the next level. But don’t forget that the string ‘0JuAZ’ is not part of the password.
Mission: The password of the user elena is between the characters fu and ck
So the password for the next level is between ‘fu’ and ‘ck’. Very funny. Again, grep in conjunction with a regular expression helps us out. Then let’s see what the regular expression might look like:
- We are looking for a string that starts with ‘fu’. The expression for this is ^fu
- Next comes any number of arbitrary characters. The expression for this is .*
- The string should end with ‘ck’ so the expression for this is ck$
Everything together looks like this:
cat file.yo | grep '^fu.*ck$'
Now you have the password for the next level. Remember that the ‘fu’ at the beginning and the ‘ck’ at the end are not part of the password.
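The two grep patterns above print the whole line, markers included. The following added example (not part of the original post) shows what the anchors change and lets sed remove the markers through a capture group. The sample files and the passwords in them are constructed, and the helper names count_matches, strip_suffix and between are made up for this example.

```sh
#!/bin/sh
# Constructed sample files: the marker strings come from the missions,
# the "passwords" are invented for this example.
dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
printf '%s\n' 'aaaa0JuAZx' 'S3cretLucy0JuAZ' '0JuAZbbbb' > "$dir/end"
printf '%s\n' 'fuabc' 'xfuNOPEck' 'fuS3cretElenack' 'abcck' > "$dir/file.yo"

# Count the lines of file $1 that match regular expression $2.
count_matches() { grep -c -- "$2" "$1"; }

# Print lines of $1 that end in $2, with that suffix removed.
# Assumes the marker contains no regex metacharacters and no "/".
strip_suffix() { sed -n "s/$2\$//p" "$1"; }

# Print what sits between prefix $2 and suffix $3 on lines of $1 that
# start with the prefix and end with the suffix (same assumption).
between() { sed -n "s/^$2\(.*\)$3\$/\1/p" "$1"; }

echo "unanchored fu.*ck matches:  $(count_matches "$dir/file.yo" 'fu.*ck')"
echo "anchored ^fu.*ck\$ matches: $(count_matches "$dir/file.yo" '^fu.*ck$')"
echo "lucy:  $(strip_suffix "$dir/end" 0JuAZ)"
echo "elena: $(between "$dir/file.yo" fu ck)"
```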
Mission: The user alice has her password is in an environment variable.
To get the password for the next level, we just need to print the environment variables. The PASS variable contains the password.
printenv | grep PASS
Mission: The admin has left the password of the user anna as a comment in the file passwd.
So the password is in the file /etc/passwd. Since the file is quite long, let’s have a look at the line of the current user 😉
cat /etc/passwd | grep alice
Mission: Maybe sudo can help you to be natalia.
According to the mission description, sudo can help us become natalia. So let’s try the -u option and specify natalia as the user. We also want to run bash as the command:
sudo -u natalia /bin/bash
whoami
natalia
cd ~
Well, that worked out great.
Mission: The password of user eva is encoded in the base64.txt file.
The password for the next level is in the file ‘base64.txt’ and is encoded. The name of the file suggests that the password is base64 encoded, so we use the base64 command with the -d option to decode it.
cat base64.txt | base64 -d
Mission: The password of the clara user is found in a file modified on May 1, 1968.
So the password is in a file that was changed on May 1, 1968.
Here we can use the find command with the -newermt option. However, since Linux works with Epoch Unix timestamps and they don’t start until 01/01/1970, we can’t search for files that were changed in 1968. Instead, we display all files that were changed before 01/02/1970:
find / -type f ! -newermt 1970-01-02 -ls 2>/dev/null
403708 4 -rw-r--r-- 1 root root 16 Jan 1 1970 /usr/lib/cmdo
cat /usr/lib/cmdo
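The same "! -newermt" test is handy when auditing a directory tree for files with implausibly old timestamps. The following added example (not part of the original post) runs it against a constructed fixture and prints each hit with its modification date. The helper name older_than and the file names are made up, and -newermt and -printf require GNU find.

```sh
#!/bin/sh
# List regular files under directory $1 whose modification time is not
# newer than date $2, as "YYYY-MM-DD path" lines in UTC, oldest first.
# -newermt and -printf are GNU find extensions.
older_than() {
    TZ=UTC find "$1" -xdev -type f ! -newermt "$2" \
        -printf '%TY-%Tm-%Td %p\n' 2>/dev/null | sort
}

# Constructed fixture: one file stamped 60 seconds after the epoch,
# one file stamped with the current time.
dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
TZ=UTC touch -t 197001010001 "$dir/stale.txt"
touch "$dir/fresh.txt"

# Same cutoff as in the level above: everything modified before 1970-01-02.
older_than "$dir" 1970-01-02
```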
Mission: The password of user frida is in the password-protected zip (rockyou.txt can help you).
This level is a bit more complicated. First we have to download the password protected zip archive to our PC and then crack it with JohnTheRipper. Fortunately, both JohnTheRipper and the password file rockyou.txt are included in both Kali and ParrotOS.
As a first step, we use the command line tool sftp to download the archive to our PC.
sftp -P 5000 firstname.lastname@example.org
get protected.zip
Fetching /pwned/clara/protected.zip to protected.zip
/pwned/clara/protected.zip
Next, we need to create a hash from the zip archive that JohnTheRipper can work with:
zip2john protected.zip > hash.txt
Now that we have the hash file, we can use JohnTheRipper with the rockyou.txt wordlist to crack the password:
john --format=PKZIP --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pass123 (protected.zip/pwned/clara/protected.txt)
1g 0:00:00:00 DONE (2022-04-02 18:50) 25.00g/s 204800p/s 204800c/s 204800C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed
So the password for the zip archive is pass123 – with this we can now unpack the archive and output the password:
unzip protected.zip
Archive: protected.zip
[protected.zip] pwned/clara/protected.txt password:
extracting: pwned/clara/protected.txt
cat pwned/clara/protected.txt
Mission: The password of eliza is the only string that is repeated (unsorted) in repeated.txt.
This level can be solved again with a single command. The password is the string that occurs multiple times in the specified file. To filter this out, we can use the uniq command with the -d option:
uniq -d repeated.txt
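uniq compares each line only with the line directly before it, so -d reports a repeat only when the equal lines are adjacent. The following added example (not part of the original post) shows the difference on a constructed file and two ways to find repeats that are spread across the file. The function names and the sample lines are made up for this example.

```sh
#!/bin/sh
# Constructed sample: "bravo" repeats with other lines in between,
# "echo" repeats on adjacent lines.
f=$(mktemp)
trap 'rm -f "$f"' EXIT
printf '%s\n' alpha bravo charlie bravo delta echo echo > "$f"

# uniq compares each line only with the line directly before it.
adjacent_dups() { uniq -d "$1"; }

# Sorting first makes equal lines adjacent, so every repeat is reported.
all_dups() { sort "$1" | uniq -d; }

# Same result without sorting: print a line the second time it is seen,
# which keeps the order in which the repeats appear in the file.
dups_in_order() { awk 'seen[$0]++ == 1' "$1"; }

echo "uniq -d:        $(adjacent_dups "$f" | tr '\n' ' ')"
echo "sort | uniq -d: $(all_dups "$f" | tr '\n' ' ')"
echo "awk, in order:  $(dups_in_order "$f" | tr '\n' ' ')"
```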
Mission: The user iris has left me her key.
In this level the user iris kindly left an SSH key.
So first display all files:
ls -la
total 32
drwxr-x--- 2 root eliza 4096 Feb 24 11:48 .
drwxr-xr-x 55 root root 4096 Feb 24 11:47 ..
-rw-r--r-- 1 eliza eliza 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 eliza eliza 3526 Aug 4 2021 .bashrc
-rw-r----- 1 root eliza 2602 Feb 24 11:48 .iris_key
-rw-r--r-- 1 eliza eliza 807 Aug 4 2021 .profile
-rw-r----- 1 root eliza 31 Feb 24 11:47 flagz.txt
-rw-r----- 1 root eliza 143 Feb 24 11:47 mission.txt
The file ‘.iris_key’ looks promising:
ssh -i .iris_key iris@localhost
These were levels 11 – 20 of the Venus Lab on HackMyVM.eu.
I hope some of these solutions helped you along.