This is the second post to the HackMyVM.eu platform, where I want to help you solve the levels 11 – 20 of the Venus Lab.
If you want to know more about HackMyVM.eu and the Venus Lab, check out my first post in the series on HackMyVM.
In order to connect to the lab, you need to register on HackMyVM.eu. After the free registration just open a terminal and connect to the lab with ssh. You can find the credentials at https://hackmyvm.eu/venus/

Level 11
Mission: The password of the user lucy is in the line that ends with 0JuAZ (these last 5 characters are not part of her password)
The password for Lucy is in the file ‘end’ and is on the line ending with ‘0JuAZ’. To get the password, we simply use cat
to print the contents of ‘end’ and pipe them to grep
with the regular expression 0JuAZ$. The dollar sign indicates that we are looking for a string ending with the characters before the dollar sign.
cat end | grep 0JuAZ$
Now you have the credentials for the next level. But don’t forget that the string ‘0JuAZ’ is not part of the password.
Level 12
Mission: The password of the user elena is between the characters fu and ck
So the password for the next level is between ‘fu’ and ‘ck’. Very funny. Again, grep in conjunction with a regular expression helps us out. Then let’s see what the regular expression might look like:
- We are looking for a string that starts with ‘fu’. The expression for this is ^fu
- Next comes any number of arbitrary characters. The expression for this is .*
- The string should end with ‘ck’ so the expression for this is ck$
Everything together looks like this:
cat file.yo | grep ^fu.*ck$
Now you have the password for the next level. Remember that the ‘fu’ at the beginning and the ‘ck’ at the end are not part of the password.
Level 13
Mission: The user alice has her password is in an environment variable.
To get the password for the next level, we just need to print the environment variables. The PASS variable contains the password.
printenv | grep PASS
Level 14
Mission: The admin has left the password of the user anna as a comment in the file passwd.
So the password is in the file /etc/passwd. Since the file is quite long, let’s have a look at the line of the current user 😉
cat /etc/passwd | grep alice
Level 15
Mission: Maybe sudo can help you to be natalia.
Sudo
can help us become natalia according to the mission description. Then let’s try the -u option and specify natalia as the user. We also want to run bash
as a the command:
sudo -u natalia /bin/bash
whoami
natalia
cd ~
Well, that worked out great.
Level 16
Mission: The password of user eva is encoded in the base64.txt file.
The password for the next level is in the file ‘base64.txt’ and is encoded. The name of the file suggests that the password is base64 encoded, so we use the base64
command with the -d option to decode it.
cat base64.txt | base64 -d
Level 17
Mission: The password of the clara user is found in a file modified on May 1, 1968.
So the password is in a file that was changed on May 1, 1968.
Here we can use the find command with the -newermt option. However, since Linux works with Epoch Unix timestamps and they don’t start until 01/01/1970, we can’t search for files that were changed in 1968. Instead, we display all files that were changed before 01/02/1970:
find / -type f ! -newermt 1970-01-02 -ls 2>/dev/null
403708 4 -rw-r--r-- 1 root root 16 Jan 1 1970 /usr/lib/cmdo
cat /usr/lib/cmdo
Level 18
Mission: The password of user frida is in the password-protected zip (rockyou.txt can help you).
This level is a bit more complicated. First we have to download the password protected zip archive to our PC and then crack it with JohnTheRipper. Fortunately, both JohnTheRipper and the password file rockyou.txt are included in both Kali and ParrotOS.
As a first step, we use the command line tool sftp
to download the archive to our PC.
sftp -P 5000 clara@venus.hackmyvm.eu
get protected.zip
Fetching /pwned/clara/protected.zip to protected.zip
/pwned/clara/protected.zip
Next, we need to create a hash from the zip archive that JohnTheRipper can work with:
zip2john protected.zip > hash.txt
Now that we have the hash file, we can use JohnTheRipper with the rockyou.txt wordlist to crack the password:
john --format=PKZIP --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pass123 (protected.zip/pwned/clara/protected.txt)
1g 0:00:00:00 DONE (2022-04-02 18:50) 25.00g/s 204800p/s 204800c/s 204800C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed
So the password for the zip archive is pass123 – with this we can now unpack the archive and output the password:
unzip protected.zip
Archive: protected.zip
[protected.zip] pwned/clara/protected.txt password:
extracting: pwned/clara/protected.txt
cat pwned/clara/protected.txt
Level 19
Mission: The password of eliza is the only string that is repeated (unsorted) in repeated.txt.
This level can be solved again with a single command. The password is the string that occurs multiple times in the specified file. To filter this out, we can use the uniq
command with the -d option
uniq -d repeated.txt
Level 20
MIssion: The user iris has left me her key.
In this level the user iris kindly left a ssh-key.
So first display all files:
ls -la
total 32
drwxr-x--- 2 root eliza 4096 Feb 24 11:48 .
drwxr-xr-x 55 root root 4096 Feb 24 11:47 ..
-rw-r--r-- 1 eliza eliza 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 eliza eliza 3526 Aug 4 2021 .bashrc
-rw-r----- 1 root eliza 2602 Feb 24 11:48 .iris_key
-rw-r--r-- 1 eliza eliza 807 Aug 4 2021 .profile
-rw-r----- 1 root eliza 31 Feb 24 11:47 flagz.txt
-rw-r----- 1 root eliza 143 Feb 24 11:47 mission.txt
The file ‘.iris_key’ looks promising:
ssh -i .iris_key iris@localhost
These were the levels 11 – 20 of the Venus Lab on HackMyVM.eu
I hope that one or the other has helped you further.