Skip to content
Startseite » HackMyVM Venus Walkthrough 3/5

HackMyVM Venus Walkthrough 3/5

The third blog post about the HackMyVM.eu platform is all about the levels 21 – 30 of the Venus Lab.

Now, if you’re wondering what HackMyVM and the Venus Lab are, I recommend starting with the first post in the series:
HackMyVM Venus Walkthroug 1/5.

In order to connect to the lab, you need to register on HackMyVM.eu. After the free registration just open a terminal and connect to the lab with ssh. You can find the credentials on https://hackmyvm.eu/venus/

HackMyVM Venus
HackMyVM.eu Venus Lab

Level 21

Mission: User eloise has saved her password in a particular way.

Here the password to the next level is in the file eloise. If you have done some CTFs and look at the content of the file, you will quickly see that the data is Base64 encoded. So let’s have a look what this data is:

cat eloise | base64 -d

It looks very much like a PDF file. Since we can’t easily view the contents of the file on the remote system, we simply copy the Base64-encoded contents of the file ‘eloise’ to the clipboard, create a new file ‘eloise’ locally and paste the copied data in there.

We then repeat the process we already performed on the remote system, but redirect the output to the ‘eloise.pdf’ file:

cat eloise | base64 -d > eloise.pdf

The PDF contains the password for the next level

Level 22

Mission: User lucia has been creative in saving her password.

Lucia has creatively stored her password in the file hi. Let’s see what is in the file:

cat hi
00000000: 7576 4d77 4644 5172 5157 504d 6547 500a

This looks very much like a hex dump. Fortunately, there is a Linux command line tool that we can use to convert the hex dump back:

cat hi | xxd -r

The password for the next level is right on your screen.

Level 23

Mission: The user isabel has left her password in a file in the /etc/xdg folder but she does not remember the name, however she has dict.txt that can help her to remember.

To get Isabel’s password and thus the password for the next level, we need to find a file in the directory ‘/etc/xdg’, but we don’t know the name of it. But we know that the name of the file is in the file ‘dict.txt’. Here again bash scripting can help us:

while IFS= read -r line; do cat /etc/xdg/$line; done < dict.txt 2>/dev/null

We read the file ‘dict.txt’ line by line and try to output the corresponding file with cat. We redirect error messages to ‘/dev/null’. Thus we get the password for the next level.

Level 24

Mission: The password of the user freya is the only string that is not repeated in different.txt

In order to get the password, we need to look at the ‘different.txt’ file and find the only line that does not repeat. Fortunately, there is a command line tool called uniq for exactly this purpose:

uniq -u different.txt

With the -u option we specify that we only want to output lines that do not repeat.

Level 25

Mission: User alexa puts her password in a .txt file in /free every minute and then deletes it.

So every minute a text file is created in the folder ‘/free’ which contains the password and is deleted shortly after.

With a small bash script this level is quickly solved. First we create a directory in the ‘/tmp’ folder, because we have write permissions there:

mkdir /tmp/free

And next, a little one-liner that looks into the directory ‘/free’ for a minute, and copies all the files that are in the directory to ‘/tmp/free’. After that we have all the time in the world to look at what our script found:

end=$((SECONDS+60)); while [ $SECONDS -lt $end ]; do cp -RT /free /tmp/free; done

ls /tmp/free
beer.txt

So the password for the next level is in the file ‘/tmp/free/beer.txt’.

Level 26

Mission: The password of the user ariel is online! (HTTP)

This level is again very simple. We only have to send a request to http://localhost with curl:

curl http://localhost

Level 27

Mission: Seems that ariel dont save the password for lola, but there is a temporal file.

Because the last level was so simple, here again something more complicated. First of all, let’s see what files are in the home directory:

ls -la

drwxr-x--- 2 root  ariel  4096 Apr  7 05:56 .
drwxr-xr-x 1 root  root   4096 Apr  7 05:55 ..
-rw-r--r-- 1 ariel ariel   220 Aug  4  2021 .bash_logout
-rw-r--r-- 1 ariel ariel  3526 Aug  4  2021 .bashrc
-rw-r----- 1 root  ariel 12288 Apr  7 05:56 .goas.swp
-rw-r--r-- 1 ariel ariel   807 Aug  4  2021 .profile
-rw-r----- 1 root  ariel    31 Apr  7 05:55 flagz.txt
-rw-r----- 1 root  ariel   254 Apr  7 05:55 mission.txt

The mission text mentions a temporary file. This is probably the ‘.goas.swp’ file.
‘.swp’ files are created by the text editor VIM as a backup. To restore the file, we create a temporary directory ‘tmp/vim’ and start VIM:

mkdir /tmp/vim
vim goas

VIM asks us how we want to open the file. We decide to use the (R)ecover option. Next we are asked which file should be recovered. We choose the last file in the list (7).
Our file with passwords is recovered. We now save the file with the command :w /tmp/vim/goas in our previously created temporary directory and exit VIM with the command :q!

Now we copy the content of the newly created file into the clipboard and create a new file ‘lola.txt’ locally on our computer, into which we paste the content of the clipboard.

Now we can conveniently use hydra to try through which password is valid for the user ‘lola’:

hydra -l lola -P lola.txt ssh://venus.hackmyvm.eu:5000

Level 28

Mission: The user celeste has left a list of names of possible .html pages where to find her password.

Here we have to send requests with curl to http://localhost again, but this time we have to send the request to a specific HTML page. Since it would take too long to go through each line of the file ‘pages.txt’ by hand, we write ourselves again a small bash script:

while IFS= read -r line; do curl "http://localhost/$line.html" -sf; done < pages.txt

After a short time we have the password for the next level.

Level 29

Mission: The user celeste has access to mysql but for what?

So Celeste has access to a MySQL database. Then let’s have a look at the database. As password we simply take the last password:

mysql -u celeste -p
Enter password:
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| venus              |
+--------------------+
MariaDB [(none)]> use venus;
MariaDB [(none)]> show tables;
+-----------------+
| Tables_in_venus |
+-----------------+
| people          |
+-----------------+
MariaDB [(none)]> select * from people;

With the last command we get the content of the table ‘people’. Take a close look at the table, because not only the password for the next level is hidden there, but also one of the hidden flags.

To know which user password to look for, it is worth looking in the file ‘/etc/passwd’. You will find the user of the next level under the user of the current level. With this info it is easy to find the next password.

Level 30

MIssion: The user kira is hidding something in http://localhost/method.php

You can get the password for the user kira, and thus for the next level, by sending a request to http://localhost/method.php using a certain HTTP method.

Information about which methods are available can be found at https://developer.mozilla.org/de/docs/Web/HTTP/Methods Here is a spoiler: try them all, maybe you will find a hidden flag 😉

Just replace ‘???’ with the method you want to use. Attention, HEAD does not work with this. For this you can simply use curl -I http://localhost/method.php.

curl -X ??? http://localhost/method.php

These were the levels 21 – 30 of the Venus Lab on HackMyVM.eu
I hope I could help you with one or the other level.

Leave a Reply

Your email address will not be published. Required fields are marked *