
HackMyVM Venus Walkthrough 2/5

This is the second post on the HackMyVM.eu platform, in which I want to help you solve levels 11 – 20 of the Venus Lab.

If you want to know more about HackMyVM.eu and the Venus Lab, check out my first post in the series on HackMyVM.

In order to connect to the lab, you need to register on HackMyVM.eu. After the free registration just open a terminal and connect to the lab with ssh. You can find the credentials at https://hackmyvm.eu/venus/


Level 11

Mission: The password of the user lucy is in the line that ends with 0JuAZ (these last 5 characters are not part of her password)

The password for Lucy is in the file ‘end’ and is on the line ending with ‘0JuAZ’. To get the password, we simply use cat to print the contents of ‘end’ and pipe them to grep with the regular expression 0JuAZ$. The dollar sign indicates that we are looking for a string ending with the characters before the dollar sign.

cat end | grep 0JuAZ$

Now you have the credentials for the next level. But don’t forget that the string ‘0JuAZ’ is not part of the password.

Level 12

Mission: The password of the user elena is between the characters fu and ck

So the password for the next level is between ‘fu’ and ‘ck’. Very funny. Again, grep in conjunction with a regular expression helps us out. Let’s see what the regular expression might look like:

  1. We are looking for a string that starts with ‘fu’. The expression for this is ^fu
  2. Next comes any number of arbitrary characters. The expression for this is .*
  3. The string should end with ‘ck’ so the expression for this is ck$

Everything together looks like this:

cat file.yo | grep '^fu.*ck$'

Now you have the password for the next level. Remember that the ‘fu’ at the beginning and the ‘ck’ at the end are not part of the password.
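As an added example (not part of the original walkthrough), the shell function below does the matching and the stripping for levels 11 and 12 in one step, so the marker characters never end up in the copied password. The function name between and the sample lines are made up for illustration; the markers are compared as literal strings rather than as a regular expression.

```shell
# between PREFIX SUFFIX
# Reads lines from stdin. For every line that starts with PREFIX and ends
# with SUFFIX, prints only the text in between. Either marker may be empty.
# Markers are matched literally, so "." or "*" in a marker needs no escaping.
# (Hypothetical helper, not a tool from the lab.)
between() {
    awk -v p="$1" -v s="$2" '
        length($0) >= length(p) + length(s) &&
        substr($0, 1, length(p)) == p &&
        substr($0, length($0) - length(s) + 1) == s {
            print substr($0, length(p) + 1, length($0) - length(p) - length(s))
        }'
}

# Constructed sample data, not the real lab files.
sample_level11() {
    printf '%s\n' 'aaaa0JuAZbbbb' 'hunter2x0JuAZ' '0JuAZcccc'
}
sample_level12() {
    printf '%s\n' 'fuzzyline' 'fuS3cretck' 'xxfuNOPEck' 'ends-with-ck'
}

# Level 11 style: no prefix, suffix 0JuAZ  -> prints hunter2x
sample_level11 | between '' '0JuAZ'
# Level 12 style: prefix fu, suffix ck     -> prints S3cret
sample_level12 | between 'fu' 'ck'
```

On the lab itself the calls would be `between '' 0JuAZ < end` and `between fu ck < file.yo`.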

Level 13

Mission: The user alice has her password is in an environment variable.

To get the password for the next level, we just need to print the environment variables. The PASS variable contains the password.

printenv | grep PASS

Level 14

Mission: The admin has left the password of the user anna as a comment in the file passwd.

So the password is in the file /etc/passwd. Since the file is quite long, let’s have a look at the line of the current user 😉

cat /etc/passwd | grep alice

Level 15

Mission: Maybe sudo can help you to be natalia.

Sudo can help us become natalia according to the mission description. Then let’s try the -u option and specify natalia as the user. We also want to run bash as the command:

sudo -u natalia /bin/bash
whoami
natalia
cd ~

Well, that worked out great.

Level 16

Mission: The password of user eva is encoded in the base64.txt file.

The password for the next level is in the file ‘base64.txt’ and is encoded. The name of the file suggests that the password is base64 encoded, so we use the base64 command with the -d option to decode it.

cat base64.txt | base64 -d

Level 17

Mission: The password of the clara user is found in a file modified on May 1, 1968.

So the password is in a file that was changed on May 1, 1968.
Here we can use the find command with the -newermt option. However, since Linux works with Epoch Unix timestamps and they don’t start until 01/01/1970, we can’t search for files that were changed in 1968. Instead, we display all files that were changed before 01/02/1970:

find / -type f ! -newermt 1970-01-02 -ls 2>/dev/null
403708      4 -rw-r--r--   1 root     root           16 Jan  1  1970 /usr/lib/cmdo
cat /usr/lib/cmdo

Level 18

Mission: The password of user frida is in the password-protected zip (rockyou.txt can help you).

This level is a bit more complicated. First we have to download the password protected zip archive to our PC and then crack it with JohnTheRipper. Fortunately, both JohnTheRipper and the password file rockyou.txt are included in both Kali and ParrotOS.

As a first step, we use the command line tool sftp to download the archive to our PC.

sftp -P 5000 clara@venus.hackmyvm.eu
get protected.zip 
Fetching /pwned/clara/protected.zip to protected.zip
/pwned/clara/protected.zip

Next, we need to create a hash from the zip archive that JohnTheRipper can work with:

zip2john protected.zip > hash.txt

Now that we have the hash file, we can use JohnTheRipper with the rockyou.txt wordlist to crack the password:

john --format=PKZIP --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pass123          (protected.zip/pwned/clara/protected.txt)
1g 0:00:00:00 DONE (2022-04-02 18:50) 25.00g/s 204800p/s 204800c/s 204800C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed

So the password for the zip archive is pass123 – with this we can now unpack the archive and output the password:

unzip protected.zip 
Archive:  protected.zip
[protected.zip] pwned/clara/protected.txt password:
 extracting: pwned/clara/protected.txt

cat pwned/clara/protected.txt

Level 19

Mission: The password of eliza is the only string that is repeated (unsorted) in repeated.txt.

This level can be solved again with a single command. The password is the string that occurs multiple times in the specified file. To filter this out, we can use the uniq command with the -d option:

uniq -d repeated.txt
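uniq -d compares only neighbouring lines, so it reports the repeated string only when its copies sit directly next to each other in the file. The following added example (not from the original post; the function names and sample data are constructed) shows the difference and two ways to find repeats regardless of position.

```shell
# Constructed sample: "delta" occurs twice, but never on adjacent lines.
sample_unsorted() {
    printf '%s\n' alpha delta bravo charlie delta echo
}

# Constructed sample: the two copies of "delta" are adjacent.
sample_adjacent() {
    printf '%s\n' alpha bravo delta delta echo
}

# What plain `uniq -d` sees: only lines repeated on adjacent lines.
adjacent_dups() { uniq -d; }

# Repeats anywhere in the input, original order kept: awk counts every
# line and prints it exactly once, at its second occurrence.
any_dups() { awk 'seen[$0]++ == 1'; }

# Same result via sorting first, which makes equal lines adjacent.
sorted_dups() { sort | uniq -d; }

echo "uniq -d on unsorted input:        [$(sample_unsorted | adjacent_dups)]"
echo "awk on unsorted input:            [$(sample_unsorted | any_dups)]"
echo "sort | uniq -d on unsorted input: [$(sample_unsorted | sorted_dups)]"
echo "uniq -d on adjacent input:        [$(sample_adjacent | adjacent_dups)]"
```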

Level 20

Mission: The user iris has left me her key.

In this level the user iris kindly left an SSH key.
So first display all files:

ls -la
total 32
drwxr-x---  2 root  eliza 4096 Feb 24 11:48 .
drwxr-xr-x 55 root  root  4096 Feb 24 11:47 ..
-rw-r--r--  1 eliza eliza  220 Aug  4  2021 .bash_logout
-rw-r--r--  1 eliza eliza 3526 Aug  4  2021 .bashrc
-rw-r-----  1 root  eliza 2602 Feb 24 11:48 .iris_key
-rw-r--r--  1 eliza eliza  807 Aug  4  2021 .profile
-rw-r-----  1 root  eliza   31 Feb 24 11:47 flagz.txt
-rw-r-----  1 root  eliza  143 Feb 24 11:47 mission.txt

The file ‘.iris_key’ looks promising:

ssh -i .iris_key iris@localhost

These were levels 11 – 20 of the Venus Lab on HackMyVM.eu.
I hope one or the other of them has helped you along.
