HackMyVM Venus Walkthrough 4/5

The fourth blog post about the HackMyVM.eu platform is about the levels 31 – 40 of the Venus Lab.

Now, if you’re wondering what HackMyVM and the Venus Lab are, I recommend starting with the first post in the series:
HackMyVM Venus Walkthrough 1/5.

In order to connect to the lab, you need to register on HackMyVM.eu. After the free registration, just open a terminal and connect to the lab with ssh. You can find the credentials at https://hackmyvm.eu/venus/

Level 31

Mission: The user veronica visits a lot http://localhost/waiting.php

According to the mission text, Veronica often visits the http://localhost/waiting.php page.
Let’s use the command line tool “curl” to see what’s behind it:

curl http://localhost/waiting.php
Im waiting for the user-agent PARADISE.

The server tells us that it is waiting for a client with the user agent string “PARADISE”, so let’s give it exactly that. With the argument -A we can instruct curl to send this user agent with the request:

curl -A PARADISE http://localhost/waiting.php

In response, the server now provides the password for the next level.
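
The exchange above, with both sides shown, as an added example that is not part of the original post or the lab. The handler is a hypothetical stand-in for waiting.php (its source is not on this page) and the secret is a constructed placeholder. It shows that the User-Agent header is chosen entirely by the client, so it cannot act as an access control:

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_UA = "PARADISE"            # value quoted in the walkthrough
SECRET = "constructed-placeholder"  # constructed; not the lab's password


class WaitingHandler(BaseHTTPRequestHandler):
    """Hypothetical stand-in for waiting.php: gates a secret on User-Agent."""

    def do_GET(self):
        agent = self.headers.get("User-Agent", "")
        if agent == EXPECTED_UA:
            body = SECRET
        else:
            body = f"Im waiting for the user-agent {EXPECTED_UA}."
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_server():
    """Bind to an ephemeral loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), WaitingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, user_agent):
    """Send one GET with a caller-chosen User-Agent, like `curl -A`."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/waiting.php", headers={"User-Agent": user_agent})
        return conn.getresponse().read().decode()
    finally:
        conn.close()


if __name__ == "__main__":
    srv = start_server()
    print(fetch(srv.server_port, "curl/8.0"))
    print(fetch(srv.server_port, EXPECTED_UA))
    srv.shutdown()
```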

Level 32

Mission: The user veronica uses a lot the password from lana, so she created an alias.

Veronica uses Lana’s password so often that she has created an alias for it. Since aliases are usually defined in the hidden file ‘.bashrc’, let’s see if this file exists:

ls -la

drwxr-x--- 2 root     veronica 4096 Apr  7 05:55 .
drwxr-xr-x 1 root     root     4096 Apr  7 05:55 ..
-rw-r--r-- 1 veronica veronica  220 Aug  4  2021 .bash_logout
-rw-r--r-- 1 veronica veronica 3559 Apr  7 06:00 .bashrc
-rw-r--r-- 1 veronica veronica  807 Aug  4  2021 .profile
-rw-r----- 1 root     veronica   31 Apr  7 05:55 flagz.txt
-rw-r----- 1 root     veronica  228 Apr  7 05:55 mission.txt

Great, the file ‘.bashrc’ exists. Now we search for occurrences of the string ‘lana’ in this file using grep:

cat .bashrc | grep lana

With that we have the password for level 33.

Level 33

Mission: The user noa loves to compress her things.

Since Noa likes to compress her stuff, we’ll first take a look at what files we can find:

ls -la

drwxr-x--- 2 root lana  4096 Apr  7 06:00 .
drwxr-xr-x 1 root root  4096 Apr  7 05:55 ..
-rw-r--r-- 1 lana lana   220 Aug  4  2021 .bash_logout
-rw-r--r-- 1 lana lana  3526 Aug  4  2021 .bashrc
-rw-r--r-- 1 lana lana   807 Aug  4  2021 .profile
-rw-r----- 1 root lana    31 Apr  7 05:55 flagz.txt
-rw-r----- 1 root lana   161 Apr  7 05:55 mission.txt
-rw-r----- 1 root lana 10240 Apr  7 06:00 zip.gz

Here the file ‘zip.gz’ particularly catches the eye. With the file command we can find out what kind of file it is:

file zip.gz
zip.gz: POSIX tar archive (GNU)

As expected, this is a tar archive. Since we only have read permissions in the current directory, we create a new directory in the ‘/tmp’ folder and unpack the archive directly there:

mkdir /tmp/zip
tar -xf zip.gz -C /tmp/zip

Let’s take a look at what is now in the newly created directory:

ls -la /tmp/zip

drwxr-xr-x  3 lana lana  60 Apr 27 06:36 .
drwxr-x-wx 12 root root 380 Apr 27 06:33 ..
drwxr-xr-x  3 lana lana  60 Apr 27 06:36 pwned

Aha, a new directory ‘pwned’ has been created. And what is located there?

ls -la /tmp/zip/pwned

drwxr-xr-x 3 lana lana 60 Apr 27 06:36 .
drwxr-xr-x 3 lana lana 60 Apr 27 06:36 ..
drwxr-xr-x 2 lana lana 60 Apr 27 06:36 lana

Another directory. This time with the name ‘lana’. Then we look in there as well:

ls -la /tmp/zip/pwned/lana

drwxr-xr-x 2 lana lana 60 Apr 27 06:36 .
drwxr-xr-x 3 lana lana 60 Apr 27 06:36 ..
-rw-r--r-- 1 lana lana 16 Apr  7 06:00 zip

And here we find a file with the name ‘zip’. Using cat we output the contents of the file:

cat /tmp/zip/pwned/lana/zip

Thus we have the password for the next level.
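
The point of this level is that the name ‘zip.gz’ says nothing about the content. The following added example (not part of the original post) classifies an archive by its magic bytes, as the file command does, and lists the members of a tar archive while checking that none would land outside the target directory before anything is unpacked. The archive is built inline as a constructed stand-in for zip.gz; the member content is made up:

```python
import io
import os
import tarfile


def sniff(data: bytes) -> str:
    """Classify by magic bytes, the way `file` does, ignoring the name."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[257:262] == b"ustar":      # tar magic sits at offset 257
        return "tar"
    return "unknown"


def build_sample(member: str = "pwned/lana/zip") -> bytes:
    """Constructed stand-in for zip.gz: an uncompressed GNU tar, one member."""
    payload = b"constructed-pw!\n"     # 16 bytes, constructed content
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        info = tarfile.TarInfo(member)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def list_members(data: bytes, dest: str = "/tmp/zip"):
    """Return (name, size) pairs; refuse links and paths that leave dest."""
    root = os.path.normpath(dest)
    found = []
    # mode "r:" accepts only uncompressed tar, so a real gzip would fail here
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for m in tar:
            target = os.path.normpath(os.path.join(root, m.name))
            if target != root and not target.startswith(root + os.sep):
                raise ValueError(f"member escapes {root}: {m.name}")
            if m.issym() or m.islnk():
                raise ValueError(f"link member refused: {m.name}")
            found.append((m.name, m.size))
    return found


if __name__ == "__main__":
    sample = build_sample()
    print(sniff(sample), len(sample), list_members(sample))
```

Python's tarfile pads the archive to a full 10240-byte record, the same default GNU tar uses, which is why a tar holding a single 16-byte file has the size seen in the listing above.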

Level 34

Mission: The password of maia is surrounded by trash

According to the mission text, Maia’s password is surrounded by trash. Let’s see what kind of files we can find:

ls -la

-rw-r--r-- 1 noa  noa   220 Aug  4  2021 .bash_logout
-rw-r--r-- 1 noa  noa  3526 Aug  4  2021 .bashrc
-rw-r--r-- 1 noa  noa   807 Aug  4  2021 .profile
-rw-r----- 1 root noa    31 Apr  7 05:55 flagz.txt
-rw-r----- 1 root noa   159 Apr  7 05:55 mission.txt
-rw-r----- 1 root noa  3818 Apr  7 06:00 trash

There is a suspicious file named ‘trash’. With the file command we can find out what kind of file it is:

file trash
trash: PGP Secret Key -

So it is a PGP Secret Key. You don’t expect to find strings there. So we try exactly that:

strings trash

As a reward for this bold attempt, we get the password for the next level.

Level 35

Mission: The user gloria has forgotten the last 2 characters of her password … They only remember that they were 2 lowercase letters.

In this level, the goal is to bruteforce the last two characters of the password for the next level. We also get the useful hint that they are two lowercase letters. Thus we have 26×26 possible combinations.

First we print out the known part of the password:

ls -la

drwxr-x--- 2 root maia 4096 Apr  7 06:00 .
drwxr-xr-x 1 root root 4096 Apr  7 05:55 ..
-rw-r--r-- 1 maia maia  220 Aug  4  2021 .bash_logout
-rw-r--r-- 1 maia maia 3526 Aug  4  2021 .bashrc
-rw-r--r-- 1 maia maia  807 Aug  4  2021 .profile
-rw-r----- 1 root maia   31 Apr  7 05:55 flagz.txt
-rw-r----- 1 root maia   16 Apr  7 06:00 forget
-rw-r----- 1 root maia  317 Apr  7 05:55 mission.txt

cat forget
v7xUVE2e5bjUc??

In the second step we write a small Python script which writes all possible combinations into the file ‘pass.txt’ locally:

import string

prefix = "v7xUVE2e5bjUc"
lower = string.ascii_lowercase

with open('pass.txt', 'w') as password:
  for i in lower:
    for j in lower:
      password.write(prefix+i+j+"\n")

With this file and the command line tool hydra we now start the bruteforce attack:

hydra -l gloria -P pass.txt ssh://venus.hackmyvm.eu:5000

Due to the relatively small number of possible combinations (maximum 676 attempts), hydra provides us with the password for the next level rather quickly.

Level 36

Mission: User alora likes drawings, that’s why she saved her password as …

So Alora likes drawings and apparently saved her password as such. Let’s see what files we can find:

ls -la

drwxr-x--- 2 root   gloria 4096 Apr  7 06:00 .
drwxr-xr-x 1 root   root   4096 Apr  7 05:55 ..
-rw-r--r-- 1 gloria gloria  220 Aug  4  2021 .bash_logout
-rw-r--r-- 1 gloria gloria 3526 Aug  4  2021 .bashrc
-rw-r--r-- 1 gloria gloria  807 Aug  4  2021 .profile
-rw-r----- 1 root   gloria   31 Apr  7 05:55 flagz.txt
-rw-r----- 1 root   gloria 1713 Apr  7 06:00 image
-rw-r----- 1 root   gloria  222 Apr  7 05:55 mission.txt

file image
image: ASCII text

There is a file named ‘image’, but if we look at what kind of file it is, we find that it is a text file. Then let’s take a look at the contents:

cat image

Obviously, it is a QR code. I tried to read it with my smartphone, but it didn’t work. So I decided to create a small Python script to make the QR code more “readable”:

with open('image', 'r') as img:
  lines = img.readlines()
  for l in lines:
    print(l.replace('#', chr(0x2588)), end='')

My smartphone recognized this QR code as such and rewarded my effort with the password for the next level.

Level 37

Mission: User Julie has created an iso with her password.

The password for the next level is inside an ISO image.

ls -la

drwxr-x--- 2 root  alora   4096 Apr  7 06:00 .
drwxr-xr-x 1 root  root    4096 Apr  7 05:55 ..
-rw-r--r-- 1 alora alora    220 Aug  4  2021 .bash_logout
-rw-r--r-- 1 alora alora   3526 Aug  4  2021 .bashrc
-rw-r--r-- 1 alora alora    807 Aug  4  2021 .profile
-rw-r----- 1 root  alora     31 Apr  7 05:55 flagz.txt
-rw-r----- 1 root  alora    172 Apr  7 05:55 mission.txt
-rw-r----- 1 root  alora 360448 Apr  7 06:00 music.iso

file music.iso
music.iso: ISO 9660 CD-ROM filesystem data 'CDROM'

First we download the file ‘music.iso’ via scp into the current directory:

scp -P 5000 alora@venus.hackmyvm.eu:/pwned/alora/music.iso ./

Now we create a new directory named ‘iso’ in the ‘/media’ folder where we mount the ISO file:

sudo mkdir /media/iso
sudo mount -o loop ./music.iso /media/iso

Now we display the contents of this directory:

ls -la /media/iso
-r--r--r-- 1 root root 208 Apr  7 07:00 music.zip

If everything worked well, we get the file ‘music.zip’ displayed. Now we have to unpack this file. Since we have only read permission in the directory, we unpack the file into our current directory:

unzip /media/iso/music.zip -d ./
Archive:  music.zip
 extracting: pwned/alora/music.txt

Now we can view the contents of ‘pwned/alora/music.txt’ and get the password for the next level. Afterwards we still need to unmount the image and delete the directory created for it:

cat pwned/alora/music.txt

sudo umount /media/iso
sudo rm -r /media/iso

Level 38

Mission: The user irene believes that the beauty is in the difference.

This level is about comparing two files and finding the difference between them. So let’s first look at what files we’ve got:

ls -la

drwxr-x--- 2 root  julie 4096 Apr  7 06:00 .
drwxr-xr-x 1 root  root  4096 Apr  7 05:55 ..
-rw-r--r-- 1 julie julie  220 Aug  4  2021 .bash_logout
-rw-r--r-- 1 julie julie 3526 Aug  4  2021 .bashrc
-rw-r--r-- 1 julie julie  807 Aug  4  2021 .profile
-rw-r----- 1 root  julie 4802 Apr  7 06:00 1.txt
-rw-r----- 1 root  julie 4802 Apr  7 06:00 2.txt
-rw-r----- 1 root  julie   31 Apr  7 05:55 flagz.txt
-rw-r----- 1 root  julie  192 Apr  7 05:55 mission.txt

It is quite obvious that we should compare the files ‘1.txt’ and ‘2.txt’. Fortunately Linux comes with a command line tool for exactly this purpose:

diff 1.txt 2.txt

The command returns the two strings that differ. One of them is the password for the next level.

Level 39

Mission: The user adela has lent her password to irene.

This somewhat cryptic mission text gives us few clues as to what the task is in this level. So let’s first see what files we have:

ls -la

drwxr-x--- 2 root  irene 4096 Apr  7 06:00 .
drwxr-xr-x 1 root  root  4096 Apr  7 05:55 ..
-rw-r--r-- 1 irene irene  220 Aug  4  2021 .bash_logout
-rw-r--r-- 1 irene irene 3526 Aug  4  2021 .bashrc
-rw-r--r-- 1 irene irene  807 Aug  4  2021 .profile
-rw-r----- 1 root  irene   31 Apr  7 05:55 flagz.txt
-rw-r----- 1 root  irene 1679 Apr  7 06:00 id_rsa.pem
-rw-r----- 1 root  irene  451 Apr  7 06:00 id_rsa.pub
-rw-r----- 1 root  irene  178 Apr  7 05:55 mission.txt
-rw-r----- 1 root  irene  256 Apr  7 06:00 pass.enc

We have a public and a private RSA key and a file ‘pass.enc’. So it is obvious that the password for the next level is RSA encrypted inside the file ‘pass.enc’. So we use the tool openssl to decrypt this file using the private key:

openssl rsautl -decrypt -inkey id_rsa.pem -in pass.enc

The password for level 40 is decrypted.

Level 40

Mission: User sky has saved her password to something that can be listened to.

The mission text for this level is also very cryptic. So let’s first see what files we have:

ls -la

drwxr-x--- 2 root  adela 4096 Apr  7 06:00 .
drwxr-xr-x 1 root  root  4096 Apr  7 05:55 ..
-rw-r--r-- 1 adela adela  220 Aug  4  2021 .bash_logout
-rw-r--r-- 1 adela adela 3526 Aug  4  2021 .bashrc
-rw-r--r-- 1 adela adela  807 Aug  4  2021 .profile
-rw-r----- 1 root  adela   31 Apr  7 05:55 flagz.txt
-rw-r----- 1 root  adela  213 Apr  7 05:55 mission.txt
-rw-r----- 1 root  adela   44 Apr  7 06:00 wtf

Here the file ‘wtf’ catches the eye. What type of file is it?

file wtf
wtf: ASCII text

So a text file. If we display the contents, we should see a certain pattern:

cat wtf
.--. .- .--. .- .--. .- .-. .- -.. .. ... .

The trained eye immediately recognizes that it is Morse code.
Those who find it too time-consuming to decipher this code using pen and paper can do so conveniently online at https://morsecode.world/international/translator.html and thus have the password for the next level.

These were the levels 31 – 40 of the Venus Lab on HackMyVM.eu
I hope I could help you with one or the other level.
