
HackMyVM Venus Walkthrough 5/5

The last part of the blog post series about the Venus Lab of the platform HackMyVM.eu is about the levels 41 – 50.

Now, if you’re wondering what HackMyVM and the Venus Lab are, I recommend starting with the first post in the series:
HackMyVM Venus Walkthrough 1/5.

In order to connect to the lab, you need to register on HackMyVM.eu. After the free registration just open a terminal and connect to the lab with ssh. You can find the credentials at https://hackmyvm.eu/venus/


Level 41

Mission: User sarah uses header in http://localhost/key.php

Sarah uses headers in communication with http://localhost/key.php
Then let’s just call the URL with curl to see what to expect:

curl http://localhost/key.php
Key header is true?

The server asks us if the “Key” field in the header is true. Of course, this was not the case with our first request. But with the option -H we can give curl headers for the call. So let’s set the header “Key: true”:

curl -H "Key: true" http://localhost/key.php

Now the server rewards us with the password for level 42.

Level 42

Mission: The password of mercy is hidden in this directory.

So the password for the next level is hidden in this directory. Let’s see what we can find in the directory:

ls -la

drwxr-x--- 2 root  sarah 4096 Apr  7 06:00 .
drwxr-xr-x 1 root  root  4096 Apr  7 05:55 ..
-rw-r----- 1 root  sarah   16 Apr  7 06:00 ...
-rw-r--r-- 1 sarah sarah  220 Aug  4  2021 .bash_logout
-rw-r--r-- 1 sarah sarah 3526 Aug  4  2021 .bashrc
-rw-r--r-- 1 sarah sarah  807 Aug  4  2021 .profile
-rw-r----- 1 root  sarah   31 Apr  7 05:55 flagz.txt
-rw-r----- 1 root  sarah  175 Apr  7 05:55 mission.txt

If you don’t look closely, you can easily miss the hidden file, but we as professionals of course immediately recognize the file ‘...’.

cat ...

With that we get the password for the next level.
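
A name like ‘...’ is easy to overlook in a long listing, so the check can be scripted. The following is an added example, not part of the original walkthrough: the function names and the demo directory are constructed for illustration. It reports entries whose names consist only of dots or that start or end with a space.

```sh
#!/bin/sh
# Added example (not from the original post): list entries in a directory whose
# names are easy to overlook in `ls -la` output, such as the "..." file above.

# Print "<reason><TAB><name>" for each suspicious entry directly inside $1.
find_deceptive_names() {
    dir=${1:-.}
    for path in "$dir"/* "$dir"/.*; do
        name=${path##*/}
        case $name in .|..) continue ;; esac          # the real directory links
        [ -e "$path" ] || [ -L "$path" ] || continue  # unmatched glob pattern
        case $name in
            *[!.]*) ;;                                # contains a non-dot character
            *) printf 'dots-only\t%s\n' "$name"; continue ;;
        esac
        case $name in
            ' '*|*' ') printf 'edge-space\t[%s]\n' "$name" ;;
        esac
    done
}

# Constructed demo directory loosely mirroring the listing in the post.
demo_deceptive_names() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/..."; : > "$tmp/.profile"; : > "$tmp/flagz.txt"; : > "$tmp/notes "
    find_deceptive_names "$tmp"
    rm -rf "$tmp"
}

demo_deceptive_names
```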

Level 43

Mission: User mercy is always wrong with the password of paula.

It seems that Mercy can’t remember the password for Paula. Let’s see what kind of files we can find:

ls -la

drwxr-x--- 2 root  mercy 4096 Apr  7 06:00 .
drwxr-xr-x 1 root  root  4096 Apr  7 05:55 ..
-rw-r----- 1 root  mercy  133 Apr  7 06:00 .bash_history
-rw-r--r-- 1 mercy mercy  220 Aug  4  2021 .bash_logout
-rw-r--r-- 1 mercy mercy 3526 Aug  4  2021 .bashrc
-rw-r--r-- 1 mercy mercy  807 Aug  4  2021 .profile
-rw-r----- 1 root  mercy   31 Apr  7 05:55 flagz.txt
-rw-r----- 1 root  mercy  190 Apr  7 05:55 mission.txt

Although we don’t find a password file where Mercy stored the password for Paula, we do find something else which is just as good: the file ‘.bash_history’. With the command ‘history’ we can thus display the last command line entries Mercy made:

history

One line of the output looks very much like the password for the next level.

Level 44

Mission: The user karla trusts me, she is part of my group of friends.

Karla is in the group of our friends. Then let’s see which groups we are in as Paula:

groups
paula hidden

We are in the ‘paula’ and ‘hidden’ groups. The ‘hidden’ group looks promising at this point. Then let’s see which files are assigned to the ‘hidden’ group:

find / -group hidden 2>/dev/null
/usr/src/.karl-a

Only one file of the corresponding group can be found. Let’s just have a look at the contents of this file:

cat /usr/src/.karl-a

That looks a lot like the password for the next level.

Level 45

Mission: User denise has saved her password in the image.

Denise has saved the password for the next level in a picture. As so often, the first thing we do is look at what files are in the home directory:

ls -la

drwxr-x--- 2 root  karla  4096 Apr  7 06:00 .
drwxr-xr-x 1 root  root   4096 Apr  7 05:55 ..
-rw-r--r-- 1 karla karla   220 Aug  4  2021 .bash_logout
-rw-r--r-- 1 karla karla  3526 Aug  4  2021 .bashrc
-rw-r--r-- 1 karla karla   807 Aug  4  2021 .profile
-rw-r----- 1 root  karla    31 Apr  7 05:55 flagz.txt
-rw-r----- 1 root  karla   176 Apr  7 05:55 mission.txt
-rw-r----- 1 root  karla 32946 Apr  7 06:00 yuju.jpg

In fact, there is an image file named ‘yuju.jpg’. Also, checking the file format using file confirms that it is a JPEG file:

file yuju.jpg
yuju.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=4], baseline, precision 8, 442x463, components 3

Now, before we assume that the password was hidden in the image file using some fancy cryptographic steganography techniques, let’s take a look at the image’s Exif data:

exiftool yuju.jpg

And indeed, we find something in the about tag that looks a lot like the password for the next level.

Level 46

Mission: The user zora is screaming doas!

If Zora is screaming doas, let’s just use it:

doas
usage: doas [-Lns] [-C config] [-u user] command [args]

The command expects another command to be executed. Also, you can specify a user under which the command will be executed. So if we can execute the bash with the user ‘zora’, we would be in the next level:

doas -u zora /bin/bash

Now we just have to enter our own password (that of ‘denise’), and we are in the next level!

Level 47

Mission: The user belen has left her password in venus.hmv

The mission text suggests that Belen saved the password in a file called ‘venus.hmv’.
First of all, let’s see what is in the home directory:

ls -la

drwxr-x--- 2 root zora 4096 Apr  7 06:00 .
drwxr-xr-x 1 root root 4096 Apr  7 05:55 ..
-rw-r--r-- 1 zora zora  220 Aug  4  2021 .bash_logout
-rw-r--r-- 1 zora zora 3526 Aug  4  2021 .bashrc
-rw-r--r-- 1 zora zora  807 Aug  4  2021 .profile
-rw-r----- 1 root zora   31 Apr  7 05:55 flagz.txt
-rw-r----- 1 root zora  173 Apr  7 05:55 mission.txt
-rw-r----- 1 root zora   16 Apr  7 06:00 zora_pass.txt

No file named ‘venus.hmv’. Then we just search for the file system-wide:

find / -name venus.hmv 2>/dev/null

Again no success. The file does not seem to exist. Maybe ‘venus.hmv’ is not a file at all, but a URL. This can be found out quite easily with curl:

curl venus.hmv

In fact, we get the password for the next level as a response.

Level 48

Mission: It seems that belen has stolen the password of the user leona…

Again, let’s first look at what files we can find in Belen’s home directory:

ls -la

drwxr-x--- 2 root  belen 4096 Apr  7 06:00 .
drwxr-xr-x 1 root  root  4096 Apr  7 05:55 ..
-rw-r--r-- 1 belen belen  220 Aug  4  2021 .bash_logout
-rw-r--r-- 1 belen belen 3526 Aug  4  2021 .bashrc
-rw-r--r-- 1 belen belen  807 Aug  4  2021 .profile
-rw-r----- 1 root  belen   31 Apr  7 05:55 flagz.txt
-rw-r----- 1 root  belen  197 Apr  7 05:55 mission.txt
-rw-r----- 1 root  belen   32 Apr  7 06:00 stolen.txt

Here the file ‘stolen.txt’ looks promising. Let’s have a look at the contents:

cat stolen.txt
$1$leona$lhWp56YnWAMz6z32Bw53L0

The $1$ at the beginning of the string tells us that the hash is in md5crypt format.
Let’s save the string to a local file and let John the Ripper see if he can find the matching plaintext to the hash:

john --format=md5crypt --wordlist=/usr/share/wordlists/rockyou.txt stolen.txt

John did his job well and provided us with the password for level 49.
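
Reading the $id$ prefix can also be automated when reviewing stored hashes. The following is an added example, not part of the original walkthrough: it classifies crypt(3) strings by prefix and flags accounts that still use md5crypt in shadow-style lines. Apart from the hash shown above, the sample lines and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): classify crypt(3) hash strings by
# their $id$ prefix and flag legacy schemes in shadow-style "user:hash" lines.

# Print "<scheme> <salt>" for one hash string; salt is "-" where it is not parsed.
crypt_scheme() {
    case $1 in
        '$'*'$'*) ;;                        # modular crypt format: $id$...
        *) echo "non-modular -"; return 0 ;;
    esac
    rest=${1#\$}; id=${rest%%\$*}; rest=${rest#*\$}
    case $rest in rounds=*) rest=${rest#*\$} ;; esac   # optional rounds=N field
    salt=${rest%%\$*}
    case $id in
        1)             echo "md5crypt $salt" ;;
        5)             echo "sha256crypt $salt" ;;
        6)             echo "sha512crypt $salt" ;;
        2|2a|2b|2x|2y) echo "bcrypt -" ;;
        y)             echo "yescrypt -" ;;
        *)             echo "unknown -" ;;
    esac
}

# Read "user:hash[:...]" lines on stdin and report accounts on md5crypt or on a
# non-modular (traditional DES-style) hash. Empty and locked (! or *) entries are skipped.
audit_hashes() {
    while IFS=: read -r user hash extra; do
        case $hash in ''|'!'*|'*'*) continue ;; esac
        info=$(crypt_scheme "$hash")
        scheme=${info%% *}; salt=${info#* }
        case $scheme in
            md5crypt|non-modular) echo "WEAK $user $scheme salt=$salt" ;;
        esac
    done
}

# Constructed sample; only the first hash is the one shown in the post.
sample_shadow() {
    cat <<'EOF'
leona:$1$leona$lhWp56YnWAMz6z32Bw53L0:19000:0:99999:7:::
alice:$6$rounds=5000$constructedSalt$CONSTRUCTEDDIGEST:19000:0:99999:7:::
bob:$y$j9T$constructedSalt$CONSTRUCTEDDIGEST:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
EOF
}

sample_shadow | audit_hashes
```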

Level 49

Mission: User ava plays a lot with the DNS of venus.hmv lately…

So Ava plays with the DNS record of venus.hmv. Then let’s look in the ‘bind’ folder where the local DNS records are stored:

ls -la /etc/bind

drwxr-sr-x 2 root bind 4096 Apr  7 06:00 .
drwxr-xr-x 1 root root 4096 Apr  8 18:33 ..
-rw-r--r-- 1 root root 1991 Mar 14 14:25 bind.keys
-rw-r--r-- 1 root root  237 Mar 14 14:25 db.0
-rw-r--r-- 1 root root  271 Mar 14 14:25 db.127
-rw-r--r-- 1 root root  237 Mar 14 14:25 db.255
-rw-r--r-- 1 root root  353 Mar 14 14:25 db.empty
-rw-r--r-- 1 root root  270 Mar 14 14:25 db.local
-rw-r--r-- 1 root bind  613 Apr  7 06:00 db.venus.hmv
-rw-r--r-- 1 root bind  463 Mar 14 14:25 named.conf
-rw-r--r-- 1 root bind  498 Mar 14 14:25 named.conf.default-zones
-rw-r--r-- 1 root bind  307 Apr  7 06:00 named.conf.local
-rw-r--r-- 1 root bind  219 Apr  7 06:00 named.conf.options
-rw-r----- 1 bind bind  100 Apr  7 05:55 rndc.key
-rw-r--r-- 1 root root 1317 Mar 14 14:25 zones.rfc1918

Here the file ‘db.venus.hmv’ immediately catches your eye. If you look closely at the contents, you will find the password for the next level.

Level 50

Mission: The password of maria is somewhere…

The password of the user Maria and thus the password of the last level is somewhere. The mission text suggests that we have already used Maria’s password somewhere and that’s true, but differently than you might think. … – I’ll just say this much: take a look at how you got the passwords of the last levels.

These were the last 10 levels of the Venus Lab on HackMyVM.eu
I hope you had as much fun with it as I did. I definitely give a thumbs up for this still quite new platform, which has published a lot of CTF content in a relatively short time.
