The fourth blog post about the HackMyVM.eu platform is about the levels 31 – 40 of the Venus Lab.
Now, if you’re wondering what HackMyVM and the Venus Lab are, I recommend starting with the first post in the series:
HackMyVM Venus Walkthrough 1/5.
In order to connect to the lab, you need to register on HackMyVM.eu. After the free registration just open a terminal and connect to the lab with ssh. You can find the credentials at https://hackmyvm.eu/venus/
Level 31
Mission: The user veronica visits a lot http://localhost/waiting.php
According to the mission text, Veronica often visits the http://localhost/waiting.php page.
Let’s use the command line tool “curl” to see what’s behind it:
curl http://localhost/waiting.php
Im waiting for the user-agent PARADISE.
The server tells us that it is waiting for a request with the user agent string “PARADISE”, so that is what we give it. With the argument -A we can instruct curl to pass the appropriate user agent with the request:
curl -A PARADISE http://localhost/waiting.php
In response, the server now provides the password for the next level.
Level 32
Mission: The user veronica uses a lot the password from lana, so she created an alias.
Veronica uses Lana’s password so often that she has created an alias for it. Since an alias is created in the hidden file ‘.bashrc’, let’s see if this file exists:
ls -la
drwxr-x--- 2 root veronica 4096 Apr 7 05:55 .
drwxr-xr-x 1 root root 4096 Apr 7 05:55 ..
-rw-r--r-- 1 veronica veronica 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 veronica veronica 3559 Apr 7 06:00 .bashrc
-rw-r--r-- 1 veronica veronica 807 Aug 4 2021 .profile
-rw-r----- 1 root veronica 31 Apr 7 05:55 flagz.txt
-rw-r----- 1 root veronica 228 Apr 7 05:55 mission.txt
Great, the file ‘.bashrc’ exists. Now we search for occurrences of the string ‘lana’ in this file using grep:
cat .bashrc | grep lana
With that we have the password for level 33.
Level 33
Mission: The user noa loves to compress her things.
Since Noa likes to compress her stuff, we’ll first take a look at what files we can find:
ls -la
drwxr-x--- 2 root lana 4096 Apr 7 06:00 .
drwxr-xr-x 1 root root 4096 Apr 7 05:55 ..
-rw-r--r-- 1 lana lana 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 lana lana 3526 Aug 4 2021 .bashrc
-rw-r--r-- 1 lana lana 807 Aug 4 2021 .profile
-rw-r----- 1 root lana 31 Apr 7 05:55 flagz.txt
-rw-r----- 1 root lana 161 Apr 7 05:55 mission.txt
-rw-r----- 1 root lana 10240 Apr 7 06:00 zip.gz
Here the file ‘zip.gz’ particularly catches the eye. With the file command we can find out what kind of file it is:
file zip.gz
zip.gz: POSIX tar archive (GNU)
As expected, this is a tar archive. Since we only have read permissions in the current directory, we create a new directory in the ‘/tmp’ folder and unpack the archive directly there:
mkdir /tmp/zip
tar -xf zip.gz -C /tmp/zip
Let’s take a look at what is now in the newly created directory:
ls -la /tmp/zip
drwxr-xr-x 3 lana lana 60 Apr 27 06:36 .
drwxr-x-wx 12 root root 380 Apr 27 06:33 ..
drwxr-xr-x 3 lana lana 60 Apr 27 06:36 pwned
Aha, a new directory ‘pwned’ has been created. And what is located there?
ls -la /tmp/zip/pwned
drwxr-xr-x 3 lana lana 60 Apr 27 06:36 .
drwxr-xr-x 3 lana lana 60 Apr 27 06:36 ..
drwxr-xr-x 2 lana lana 60 Apr 27 06:36 lana
Another directory. This time with the name ‘lana’. Then we look in there as well:
ls -la /tmp/zip/pwned/lana
drwxr-xr-x 2 lana lana 60 Apr 27 06:36 .
drwxr-xr-x 3 lana lana 60 Apr 27 06:36 ..
-rw-r--r-- 1 lana lana 16 Apr 7 06:00 zip
And here we find a file with the name ‘zip’. Using cat we output the contents of the file:
cat /tmp/zip/pwned/lana/zip
Thus we have the password for the next level.
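How the file command can call ‘zip.gz’ a tar archive despite its name: it checks magic bytes at fixed offsets in the content. The following Python is an added example, not part of the original walkthrough; the signature table covers only a few formats, the function names are this example's own, and the sample archive is constructed.

```python
import io
import tarfile

# (offset, magic bytes, label). Offsets follow the gzip, zip, tar and ISO 9660 formats.
SIGNATURES = [
    (0, b"\x1f\x8b", "gzip compressed data"),
    (0, b"PK\x03\x04", "Zip archive data"),
    (257, b"ustar  \x00", "POSIX tar archive (GNU)"),
    (257, b"ustar\x0000", "POSIX tar archive"),
    (0x8001, b"CD001", "ISO 9660 CD-ROM filesystem data"),
]


def identify(data: bytes) -> str:
    """Label content by its magic bytes; the file name is never consulted."""
    if not data:
        return "empty"
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    # Simplified text heuristic: pure ASCII without NUL bytes.
    if b"\x00" not in data and data.isascii():
        return "ASCII text"
    return "data"


def build_sample_tar() -> bytes:
    """Constructed sample: an uncompressed GNU tar, like the level's 'zip.gz'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        payload = b"constructed-sample\n"
        info = tarfile.TarInfo("pwned/lana/zip")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    print("zip.gz    ->", identify(build_sample_tar()))
    print("music.iso ->", identify(b"\x00" * 0x8001 + b"CD001"))
    print("wtf       ->", identify(b".--. .- .--.\n"))
```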
Level 34
Mission: The password of maia is surrounded by trash
According to the mission text, Maia’s password is surrounded by trash. Let’s see what kind of files we can find:
ls -la
-rw-r--r-- 1 noa noa 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 noa noa 3526 Aug 4 2021 .bashrc
-rw-r--r-- 1 noa noa 807 Aug 4 2021 .profile
-rw-r----- 1 root noa 31 Apr 7 05:55 flagz.txt
-rw-r----- 1 root noa 159 Apr 7 05:55 mission.txt
-rw-r----- 1 root noa 3818 Apr 7 06:00 trash
There is a suspicious file named ‘trash’. With the file command we can find out what kind of file it is:
file trash
trash: PGP Secret Key -
So it is a PGP Secret Key. You don’t expect to find strings there. So we try exactly that:
strings trash
As a reward for this bold attempt, we get the password for the next level.
Level 35
Mission: The user gloria has forgotten the last 2 characters of her password … They only remember that they were 2 lowercase letters.
In this level, the goal is to bruteforce the last two characters of the password for the next level. We also get the useful hint that they are two lowercase letters. Thus we have 26×26 possible combinations.
First we print out the known part of the password:
ls -la
drwxr-x--- 2 root maia 4096 Apr 7 06:00 .
drwxr-xr-x 1 root root 4096 Apr 7 05:55 ..
-rw-r--r-- 1 maia maia 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 maia maia 3526 Aug 4 2021 .bashrc
-rw-r--r-- 1 maia maia 807 Aug 4 2021 .profile
-rw-r----- 1 root maia 31 Apr 7 05:55 flagz.txt
-rw-r----- 1 root maia 16 Apr 7 06:00 forget
-rw-r----- 1 root maia 317 Apr 7 05:55 mission.txt
cat forget
v7xUVE2e5bjUc??
In the second step we write a small Python script which writes all possible combinations into the file ‘pass.txt’ locally:
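import string

prefix = "v7xUVE2e5bjUc"          # known part of the password from 'forget'
lower = string.ascii_lowercase    # candidates for each missing character

# Write all 26 x 26 candidate passwords, one per line.
with open('pass.txt', 'w') as password:
    for i in lower:
        for j in lower:
            password.write(prefix + i + j + "\n")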
With this file and the command line tool hydra we now start the bruteforce attack:
hydra -l gloria -P pass.txt ssh://venus.hackmyvm.eu:5000
Due to the relatively small number of possible combinations (maximum 676 attempts), hydra provides us with the password for the next level rather quickly.
Level 36
Mission: User alora likes drawings, that’s why she saved her password as …
So Alora likes drawings and apparently saved her password as such. Let’s see what files we can find:
ls -la
drwxr-x--- 2 root gloria 4096 Apr 7 06:00 .
drwxr-xr-x 1 root root 4096 Apr 7 05:55 ..
-rw-r--r-- 1 gloria gloria 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 gloria gloria 3526 Aug 4 2021 .bashrc
-rw-r--r-- 1 gloria gloria 807 Aug 4 2021 .profile
-rw-r----- 1 root gloria 31 Apr 7 05:55 flagz.txt
-rw-r----- 1 root gloria 1713 Apr 7 06:00 image
-rw-r----- 1 root gloria 222 Apr 7 05:55 mission.txt
file image
image: ASCII text
There is a file named ‘image’, but if we look at what kind of file it is, we find that it is a text file. Then let’s take a look at the contents:
cat image
Obviously, it is a QR code. I tried to read it with my smartphone, but it didn’t work. So I decided to create a small Python script to make the QR code more “readable”:
# Replace every '#' with a full block character so scanners see solid modules.
with open('image', 'r') as img:
    lines = img.readlines()

for l in lines:
    print(l.replace('#', chr(0x2588)), end='')
My smartphone recognized this QR code as such and rewarded my effort with the password for the next level.
Level 37
Mission: User Julie has created an iso with her password.
The password for the next level is inside an ISO image:
ls -la
drwxr-x--- 2 root alora 4096 Apr 7 06:00 .
drwxr-xr-x 1 root root 4096 Apr 7 05:55 ..
-rw-r--r-- 1 alora alora 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 alora alora 3526 Aug 4 2021 .bashrc
-rw-r--r-- 1 alora alora 807 Aug 4 2021 .profile
-rw-r----- 1 root alora 31 Apr 7 05:55 flagz.txt
-rw-r----- 1 root alora 172 Apr 7 05:55 mission.txt
-rw-r----- 1 root alora 360448 Apr 7 06:00 music.iso
file music.iso
music.iso: ISO 9660 CD-ROM filesystem data 'CDROM'
First we download the file ‘music.iso’ via scp into the current directory:
scp -P 5000 alora@venus.hackmyvm.eu:/pwned/alora/music.iso ./
Now we create a new directory named ‘iso’ in the ‘/media’ folder where we mount the ISO file:
sudo mkdir /media/iso
sudo mount -o loop ./music.iso /media/iso
Now we display the contents of this directory:
ls -la /media/iso
-r--r--r-- 1 root root 208 Apr 7 07:00 music.zip
If everything worked, the file ‘music.zip’ is listed. Now we have to unpack this file. Since we have only read permission in the mounted directory, we unpack the file into our current directory:
unzip /media/iso/music.zip -d ./
Archive: music.zip
extracting: pwned/alora/music.txt
Now we can view the contents of ‘pwned/alora/music.txt’ and get the password for the next level. But we still need to unmount the image and delete the directory created for it:
cat pwned/alora/music.txt
sudo umount /media/iso
sudo rm -r /media/iso
Level 38
Mission: The user irene believes that the beauty is in the difference.
This level is about comparing two files and finding out the difference of the two files. So let’s first look at what files we’ve got:
ls -la
drwxr-x--- 2 root julie 4096 Apr 7 06:00 .
drwxr-xr-x 1 root root 4096 Apr 7 05:55 ..
-rw-r--r-- 1 julie julie 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 julie julie 3526 Aug 4 2021 .bashrc
-rw-r--r-- 1 julie julie 807 Aug 4 2021 .profile
-rw-r----- 1 root julie 4802 Apr 7 06:00 1.txt
-rw-r----- 1 root julie 4802 Apr 7 06:00 2.txt
-rw-r----- 1 root julie 31 Apr 7 05:55 flagz.txt
-rw-r----- 1 root julie 192 Apr 7 05:55 mission.txt
It is quite obvious that we should compare the files ‘1.txt’ and ‘2.txt’. Fortunately Linux comes with a command line tool for exactly this purpose:
diff 1.txt 2.txt
The command returns two strings that differ. One of them is the password for the next level.
Level 39
Mission: The user adela has lent her password to irene.
This somewhat cryptic mission text gives us few clues as to what the task is in this level. So let’s first see what files we have:
ls -la
drwxr-x--- 2 root irene 4096 Apr 7 06:00 .
drwxr-xr-x 1 root root 4096 Apr 7 05:55 ..
-rw-r--r-- 1 irene irene 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 irene irene 3526 Aug 4 2021 .bashrc
-rw-r--r-- 1 irene irene 807 Aug 4 2021 .profile
-rw-r----- 1 root irene 31 Apr 7 05:55 flagz.txt
-rw-r----- 1 root irene 1679 Apr 7 06:00 id_rsa.pem
-rw-r----- 1 root irene 451 Apr 7 06:00 id_rsa.pub
-rw-r----- 1 root irene 178 Apr 7 05:55 mission.txt
-rw-r----- 1 root irene 256 Apr 7 06:00 pass.enc
We have a public and a private RSA key and a file ‘pass.enc’. So it is obvious that the password for the next level is RSA encrypted inside the file ‘pass.enc’. So we use the tool openssl to decrypt this file using the private key:
openssl rsautl -decrypt -inkey id_rsa.pem -in pass.enc
The password for level 40 is decrypted.
Level 40
Mission: User sky has saved her password to something that can be listened to.
The mission text for this level is also very cryptic. So let’s first see what files we have:
ls -la
drwxr-x--- 2 root adela 4096 Apr 7 06:00 .
drwxr-xr-x 1 root root 4096 Apr 7 05:55 ..
-rw-r--r-- 1 adela adela 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 adela adela 3526 Aug 4 2021 .bashrc
-rw-r--r-- 1 adela adela 807 Aug 4 2021 .profile
-rw-r----- 1 root adela 31 Apr 7 05:55 flagz.txt
-rw-r----- 1 root adela 213 Apr 7 05:55 mission.txt
-rw-r----- 1 root adela 44 Apr 7 06:00 wtf
Here the file ‘wtf’ catches the eye. What type of file is it?
file wtf
wtf: ASCII text
So a text file. If we display the contents, we should see a certain pattern:
cat wtf
.--. .- .--. .- .--. .- .-. .- -.. .. ... .
The trained eye immediately recognizes that it is Morse code.
Those who find it too time-consuming to decipher this code using pen and paper can do so conveniently online at https://morsecode.world/international/translator.html and thus have the password for the next level.
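The string can also be decoded locally, without pasting it into a third-party site. The following Python decoder is an added example, not part of the original walkthrough; it covers letters and digits of International Morse, treats ‘/’ as a word separator and marks unknown symbols with ‘?’ (both conventions are assumptions of this example).

```python
import string
import sys

# International Morse for A-Z followed by 0-9, in that order.
_CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. "
          "--.- .-. ... - ..- ...- .-- -..- -.-- --.. "
          "----- .---- ..--- ...-- ....- ..... -.... --... ---.. ----.").split()
MORSE = dict(zip(_CODES, string.ascii_uppercase + string.digits))


def decode_morse(text: str, unknown: str = "?") -> str:
    """Decode Morse: whitespace separates letters, '/' separates words."""
    words = []
    for word in text.strip().split("/"):
        words.append("".join(MORSE.get(sym, unknown) for sym in word.split()))
    return " ".join(words)


if __name__ == "__main__":
    # Usage: python3 morse.py wtf   (the script name is hypothetical)
    with open(sys.argv[1]) as fh:
        print(decode_morse(fh.read()))
```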
These were the levels 31 – 40 of the Venus Lab on HackMyVM.eu.
I hope I could help you with one or the other level.