The third blog post about the HackMyVM.eu platform is all about the levels 21 – 30 of the Venus Lab.
Now, if you’re wondering what HackMyVM and the Venus Lab are, I recommend starting with the first post in the series:
HackMyVM Venus Walkthrough 1/5.
In order to connect to the lab, you need to register on HackMyVM.eu. After the free registration just open a terminal and connect to the lab with ssh. You can find the credentials on https://hackmyvm.eu/venus/
Mission: User eloise has saved her password in a particular way.
Here the password to the next level is in the file eloise. If you have done some CTFs and look at the content of the file, you will quickly see that the data is Base64 encoded. So let’s have a look at what this data is:
cat eloise | base64 -d
It looks very much like a PDF file. Since we can’t easily view the contents of the file on the remote system, we simply copy the Base64-encoded contents of the file ‘eloise’ to the clipboard, create a new file ‘eloise’ locally and paste the copied data in there.
We then repeat the process we already performed on the remote system, but redirect the output to the ‘eloise.pdf’ file:
cat eloise | base64 -d > eloise.pdf
The PDF contains the password for the next level.
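Instead of judging the decoded bytes by eye in the terminal, the file type can be read from the magic bytes. The following is an added example, not part of the original walkthrough; the function name decode_b64 and the short signature list are assumptions made here.

```bash
# Added example. decode_b64 SRC OUT_BASE
# Decodes the Base64 file SRC, names the result OUT_BASE.<ext> according to
# its magic bytes and prints that path. Nothing is written if decoding fails.
decode_b64() (
    src=$1 base=$2
    tmp=$(mktemp) || exit 1
    if ! base64 -d "$src" > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "cannot decode as Base64: $src" >&2
        exit 1
    fi
    # First 8 bytes as a hex string, e.g. 255044462d312e34 for "%PDF-1.4"
    magic=$(head -c 8 "$tmp" | od -An -tx1 | tr -d ' \n')
    case $magic in
        255044462d*)      ext=pdf ;;   # "%PDF-"
        89504e470d0a1a0a) ext=png ;;
        504b0304*)        ext=zip ;;
        1f8b*)            ext=gz  ;;
        7f454c46*)        ext=elf ;;
        *)                ext=bin ;;   # unrecognised: keep the data, do not guess
    esac
    mv "$tmp" "$base.$ext" && printf '%s\n' "$base.$ext"
)
```

For the local copy of the file from this level the call would be decode_b64 eloise eloise.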
Mission: User lucia has been creative in saving her password.
Lucia has creatively stored her password in the file hi. Let’s see what is in the file:
cat hi
00000000: 7576 4d77 4644 5172 5157 504d 6547 500a
This looks very much like a hex dump. Fortunately, there is a Linux command line tool that we can use to convert the hex dump back:
cat hi | xxd -r
The password for the next level is right on your screen.
Mission: The user isabel has left her password in a file in the /etc/xdg folder but she does not remember the name, however she has dict.txt that can help her to remember.
To get Isabel’s password and thus the password for the next level, we need to find a file in the directory ‘/etc/xdg’, but we don’t know the name of it. But we know that the name of the file is in the file ‘dict.txt’. Here again bash scripting can help us:
while IFS= read -r line; do cat "/etc/xdg/$line"; done < dict.txt 2>/dev/null
We read the file ‘dict.txt’ line by line and try to output the corresponding file with cat. We redirect error messages to ‘/dev/null’. Thus we get the password for the next level.
Mission: The password of the user freya is the only string that is not repeated in different.txt
In order to get the password, we need to look at the ‘different.txt’ file and find the only line that does not repeat. Fortunately, there is a command line tool called uniq for exactly this purpose:
uniq -u different.txt
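With the -u option we specify that we only want to output lines that do not repeat. Note that uniq only compares adjacent lines, so this relies on the repeated lines sitting next to each other in the file.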
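What uniq -u prints when the repeats are not adjacent, next to two variants that do not depend on line order. This is an added example, not from the original post; the sample data and the function names are constructed here.

```bash
# Added example with constructed data: "alpha" and "bravo" both repeat,
# but never on adjacent lines.
make_sample() { printf '%s\n' alpha bravo only-once alpha bravo; }

# Plain uniq -u compares each line only with its direct neighbours,
# so on this input it reports all five lines as unique.
adjacent_only() { uniq -u "$1"; }

# Sorting first groups equal lines, so uniq -u sees every repeat.
sorted_first() { sort "$1" | uniq -u; }

# Two passes with awk: count every line, then print those counted once.
# Unlike the sort variant this keeps the original line order.
order_kept() { awk 'NR == FNR { n[$0]++; next } n[$0] == 1' "$1" "$1"; }
```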
Mission: User alexa puts her password in a .txt file in /free every minute and then deletes it.
So every minute a text file is created in the folder ‘/free’ which contains the password and is deleted shortly after.
With a small bash script this level is quickly solved. First we create a directory in the ‘/tmp’ folder, because we have write permissions there:
And next, a little one-liner that looks into the directory ‘/free’ for a minute, and copies all the files that are in the directory to ‘/tmp/free’. After that we have all the time in the world to look at what our script found:
end=$((SECONDS+60)); while [ $SECONDS -lt $end ]; do cp -RT /free /tmp/free; done
ls /tmp/free
beer.txt
So the password for the next level is in the file ‘/tmp/free/beer.txt’.
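Anything a job drops into a directory that other users can read is exposed for as long as it exists, even if that is only seconds. A more careful variant of the loop above, as an added example that is not part of the original post: it polls instead of spinning, skips files that are still empty, and tolerates a file vanishing between the check and the copy. The function name capture_new and the 0.1 s interval are assumptions made here.

```bash
# Added example. capture_new SRC DST [TRIES]
# Polls SRC every 0.1 s and copies each non-empty *.txt file into DST.
# Prints the captured file names and returns 0 as soon as DST holds a file;
# returns 1 if nothing appeared within TRIES polls (default 600, about a minute).
capture_new() (
    src=$1 dst=$2 tries=${3:-600}
    mkdir -p "$dst" || exit 1
    while [ "$tries" -gt 0 ]; do
        for f in "$src"/*.txt; do
            # An unmatched glob stays literal and fails -s; -s also skips
            # a file that has been created but not written yet.
            [ -s "$f" ] || continue
            # The file may be deleted between the test and the copy;
            # that is expected here and not an error.
            cp -p -- "$f" "$dst/" 2>/dev/null || continue
        done
        if [ -n "$(ls -A "$dst")" ]; then
            ls -A "$dst"
            exit 0
        fi
        tries=$((tries - 1))
        sleep 0.1
    done
    exit 1
)
```

With the paths from this level the call would be capture_new /free /tmp/free.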
Mission: The password of the user ariel is online! (HTTP)
This level is again very simple. We only have to send a request to http://localhost with
Mission: Seems that ariel dont save the password for lola, but there is a temporal file.
Because the last level was so simple, here again something more complicated. First of all, let’s see what files are in the home directory:
ls -la
drwxr-x--- 2 root  ariel  4096 Apr  7 05:56 .
drwxr-xr-x 1 root  root   4096 Apr  7 05:55 ..
-rw-r--r-- 1 ariel ariel   220 Aug  4  2021 .bash_logout
-rw-r--r-- 1 ariel ariel  3526 Aug  4  2021 .bashrc
-rw-r----- 1 root  ariel 12288 Apr  7 05:56 .goas.swp
-rw-r--r-- 1 ariel ariel   807 Aug  4  2021 .profile
-rw-r----- 1 root  ariel    31 Apr  7 05:55 flagz.txt
-rw-r----- 1 root  ariel   254 Apr  7 05:55 mission.txt
The mission text mentions a temporary file. This is probably the ‘.goas.swp’ file.
‘.swp’ files are created by the text editor VIM as a backup. To restore the file, we create a temporary directory ‘/tmp/vim’ and start VIM:
mkdir /tmp/vim
vim goas
VIM asks us how we want to open the file. We decide to use the (R)ecover option. Next we are asked which file should be recovered. We choose the last file in the list (7).
Our file with passwords is recovered. We now save the file with the command :w /tmp/vim/goas in our previously created temporary directory and exit VIM with the command
Now we copy the content of the newly created file into the clipboard and create a new file ‘lola.txt’ locally on our computer, into which we paste the content of the clipboard.
Now we can conveniently use hydra to try out which password is valid for the user ‘lola’:
hydra -l lola -P lola.txt ssh://venus.hackmyvm.eu:5000
Mission: The user celeste has left a list of names of possible .html pages where to find her password.
Here we have to send requests with curl to http://localhost again, but this time we have to send the request to a specific HTML page. Since it would take too long to go through each line of the file ‘pages.txt’ by hand, we again write ourselves a small bash script:
while IFS= read -r line; do curl "http://localhost/$line.html" -sf; done < pages.txt
After a short time we have the password for the next level.
Mission: The user celeste has access to mysql but for what?
So Celeste has access to a MySQL database. Then let’s have a look at the database. As password we simply take the last password:
mysql -u celeste -p
Enter password:
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| venus              |
+--------------------+
MariaDB [(none)]> use venus;
MariaDB [(none)]> show tables;
+-----------------+
| Tables_in_venus |
+-----------------+
| people          |
+-----------------+
MariaDB [(none)]> select * from people;
With the last command we get the content of the table ‘people’. Take a close look at the table, because not only the password for the next level is hidden there, but also one of the hidden flags.
To know which user password to look for, it is worth looking in the file ‘/etc/passwd’. You will find the user of the next level under the user of the current level. With this info it is easy to find the next password.
Mission: The user kira is hidding something in http://localhost/method.php
You can get the password for the user kira, and thus for the next level, by sending a request to http://localhost/method.php using a certain HTTP method.
Information about which methods are available can be found at https://developer.mozilla.org/de/docs/Web/HTTP/Methods
Here is a spoiler: try them all, maybe you will find a hidden flag 😉
Just replace ‘???’ in the following command with the method you want to use:
curl -X ??? http://localhost/method.php
Attention, HEAD does not work with this. For HEAD you can simply use curl -I http://localhost/method.php.
These were the levels 21 – 30 of the Venus Lab on HackMyVM.eu.
I hope I could help you with one or the other level.