The last part of the blog post series about the Venus Lab of the platform HackMyVM.eu is about the levels 41 – 50.
Now, if you’re wondering what HackMyVM and the Venus Lab are, I recommend starting with the first post in the series:
HackMyVM Venus Walkthrough 1/5.
In order to connect to the lab, you need to register on HackMyVM.eu. After the free registration just open a terminal and connect to the lab with ssh. You can find the credentials at https://hackmyvm.eu/venus/
Level 41
Mission: User sarah uses header in http://localhost/key.php
Sarah uses headers in communication with http://localhost/key.php
Then let’s just call the URL with curl to see what to expect:
curl http://localhost/key.php
Key header is true?
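The server asks us whether the “Key” field in the header is true. Of course, this was not the case with our first request. But with the option -H we can give curl headers for the call. Request headers are entirely under the client’s control, so a check like this offers no real protection. So let’s set the header “Key: true”: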
curl -H "Key: true" http://localhost/key.php
Now the server rewards us with the password for level 42.
Level 42
Mission: The password of mercy is hidden in this directory.
So the password for the next level is hidden in this directory. Let’s see what we can find in the directory:
ls -la
drwxr-x--- 2 root sarah 4096 Apr 7 06:00 .
drwxr-xr-x 1 root root 4096 Apr 7 05:55 ..
-rw-r----- 1 root sarah 16 Apr 7 06:00 ...
-rw-r--r-- 1 sarah sarah 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 sarah sarah 3526 Aug 4 2021 .bashrc
-rw-r--r-- 1 sarah sarah 807 Aug 4 2021 .profile
-rw-r----- 1 root sarah 31 Apr 7 05:55 flagz.txt
-rw-r----- 1 root sarah 175 Apr 7 05:55 mission.txt
If you don’t look closely, you can easily miss the hidden file, but we as professionals of course immediately recognize the file ‘...’.
cat ...
With that we get the password for the next level.
Level 43
Mission: User mercy is always wrong with the password of paula.
It seems that Mercy can’t remember the password for Paula. Let’s see what kind of files we can find:
ls -la
drwxr-x--- 2 root mercy 4096 Apr 7 06:00 .
drwxr-xr-x 1 root root 4096 Apr 7 05:55 ..
-rw-r----- 1 root mercy 133 Apr 7 06:00 .bash_history
-rw-r--r-- 1 mercy mercy 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 mercy mercy 3526 Aug 4 2021 .bashrc
-rw-r--r-- 1 mercy mercy 807 Aug 4 2021 .profile
-rw-r----- 1 root mercy 31 Apr 7 05:55 flagz.txt
-rw-r----- 1 root mercy 190 Apr 7 05:55 mission.txt
Although we don’t find a password file where Mercy stored the password for Paula, we do find something else which is just as good: the file ‘.bash_history’. With the command ‘history’ we can thus display the last command-line entries Mercy made:
history
One line of the output looks very much like the password for the next level.
Level 44
Mission: The user karla trusts me, she is part of my group of friends.
Karla is in the group of our friends. Then let’s see which groups we are in as Paula:
groups
paula hidden
We are in the ‘paula’ and ‘hidden’ groups. The ‘hidden’ group looks promising at this point. Then let’s see which files are assigned to the ‘hidden’ group:
find / -group hidden 2>/dev/null
/usr/src/.karl-a
Only one file of the corresponding group can be found. Let’s just have a look at the contents of this file:
cat /usr/src/.karl-a
That looks a lot like the password for the next level.
Level 45
Mission: User denise has saved her password in the image.
Denise has saved the password for the next level in a picture. As so often, the first thing we do is look at what files are in the home directory:
ls -la
drwxr-x--- 2 root karla 4096 Apr 7 06:00 .
drwxr-xr-x 1 root root 4096 Apr 7 05:55 ..
-rw-r--r-- 1 karla karla 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 karla karla 3526 Aug 4 2021 .bashrc
-rw-r--r-- 1 karla karla 807 Aug 4 2021 .profile
-rw-r----- 1 root karla 31 Apr 7 05:55 flagz.txt
-rw-r----- 1 root karla 176 Apr 7 05:55 mission.txt
-rw-r----- 1 root karla 32946 Apr 7 06:00 yuju.jpg
In fact, there is an image file named ‘yuju.jpg’. Also, checking the file format using file confirms that it is a JPEG file:
file yuju.jpg
yuju.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=4], baseline, precision 8, 442x463, components 3
Now, before we assume that the password was hidden in the image file using some fancy cryptographic steganography techniques, let’s take a look at the image’s Exif data:
exiftool yuju.jpg
And indeed, we find something in the about tag that looks a lot like the password for the next level.
Level 46
Mission: The user zora is screaming doas!
If Zora is screaming doas, let’s just use it:
doas
usage: doas [-Lns] [-C config] [-u user] command [args]
The command expects another command to be executed. You can also specify the user under which that command will run. So if we can run bash as the user ‘zora’, we would be in the next level:
doas -u zora /bin/bash
Now we just have to enter our own password (that of ‘denise’), and we are in the next level!
Level 47
Mission: The user belen has left her password in venus.hmv
The mission text suggests that Belen saved the password in a file called ‘venus.hmv’.
First of all, let’s see what is in the home directory:
ls -la
drwxr-x--- 2 root zora 4096 Apr 7 06:00 .
drwxr-xr-x 1 root root 4096 Apr 7 05:55 ..
-rw-r--r-- 1 zora zora 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 zora zora 3526 Aug 4 2021 .bashrc
-rw-r--r-- 1 zora zora 807 Aug 4 2021 .profile
-rw-r----- 1 root zora 31 Apr 7 05:55 flagz.txt
-rw-r----- 1 root zora 173 Apr 7 05:55 mission.txt
-rw-r----- 1 root zora 16 Apr 7 06:00 zora_pass.txt
No file named ‘venus.hmv’. Then we just search for the file system-wide:
find / -name venus.hmv 2>/dev/null
Again no success. The file does not seem to exist. Maybe ‘venus.hmv’ is not a file at all, but a URL. This can be found out quite easily with curl:
curl venus.hmv
In fact, we get the password for the next level as a response.
Level 48
Mission: It seems that belen has stolen the password of the user leona…
Again, let’s first look at what files we can find in Belen’s home directory:
ls -la
drwxr-x--- 2 root belen 4096 Apr 7 06:00 .
drwxr-xr-x 1 root root 4096 Apr 7 05:55 ..
-rw-r--r-- 1 belen belen 220 Aug 4 2021 .bash_logout
-rw-r--r-- 1 belen belen 3526 Aug 4 2021 .bashrc
-rw-r--r-- 1 belen belen 807 Aug 4 2021 .profile
-rw-r----- 1 root belen 31 Apr 7 05:55 flagz.txt
-rw-r----- 1 root belen 197 Apr 7 05:55 mission.txt
-rw-r----- 1 root belen 32 Apr 7 06:00 stolen.txt
Here the file ‘stolen.txt’ looks promising. Let’s have a look at the contents:
cat stolen.txt
$1$leona$lhWp56YnWAMz6z32Bw53L0
The $1$ prefix tells us that this is an md5crypt hash; the field after it, ‘leona’, is the salt.
Let’s save the string to a local file and let John the Ripper see if it can find the plaintext matching the hash:
john --format=md5crypt --wordlist=/usr/share/wordlists/rockyou.txt stolen.txt
John did his job well and provided us with the password for level 49.
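The `$id$salt$hash` layout that gives away md5crypt here is shared by the other crypt(3) schemes, so the same prefix check can be used to audit which accounts still rely on a legacy scheme. The following POSIX shell script is an added example, not part of the original walkthrough, and goes beyond the single `$1$` case; the function names and every sample line except the `$1$` hash from stolen.txt are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): name the scheme behind a
# crypt(3) hash string and list accounts that still use a legacy scheme.

# Echo "<scheme> <salt> <rating>" for one hash string.
classify_crypt_hash() {
    h=$1
    case $h in
        \$*\$*) ;;                      # modular format: $id$...
        *)  # traditional DES crypt: exactly 13 chars from [./0-9A-Za-z]
            case $h in ''|*[!./0-9A-Za-z]*) echo "unknown - unknown"; return 0 ;; esac
            [ "${#h}" -eq 13 ] || { echo "unknown - unknown"; return 0; }
            salt=${h%"${h#??}"}         # first two characters are the salt
            echo "descrypt $salt legacy"; return 0 ;;
    esac
    rest=${h#\$}; id=${rest%%\$*}; rest=${rest#*\$}
    # sha256crypt/sha512crypt allow an optional "rounds=N$" field before the salt
    case $id:$rest in [56]:rounds=*\$*) rest=${rest#*\$} ;; esac
    salt=${rest%%\$*}
    case $id in
        1)  echo "md5crypt $salt legacy" ;;
        5)  echo "sha256crypt $salt current" ;;
        6)  echo "sha512crypt $salt current" ;;
        2a|2b|2y) echo "bcrypt - current" ;;    # salt is packed with the hash
        y)  echo "yescrypt - current" ;;
        *)  echo "unknown - unknown" ;;
    esac
}

# Read shadow-style lines (user:hash:...) on stdin and print the users whose
# hash uses a legacy scheme.
legacy_accounts() {
    while IFS=: read -r user hash other; do
        case $(classify_crypt_hash "$hash") in
            *" legacy") echo "$user" ;;
        esac
    done
}

# Constructed sample in /etc/shadow layout; only the $1$ hash is from the post.
sample_shadow() {
    cat <<'EOF'
leona:$1$leona$lhWp56YnWAMz6z32Bw53L0:19000:0:99999:7:::
svc_backup:$6$rounds=5000$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
olduser:ab01234567890:19000:0:99999:7:::
locked:!:19000:0:99999:7:::
EOF
}

sample_shadow | legacy_accounts
```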
Level 49
Mission: User ava plays a lot with the DNS of venus.hmv lately…
So Ava plays with the DNS record of venus.hmv. Then let’s look in the ‘bind’ folder where the local DNS records are stored:
ls -la /etc/bind
drwxr-sr-x 2 root bind 4096 Apr 7 06:00 .
drwxr-xr-x 1 root root 4096 Apr 8 18:33 ..
-rw-r--r-- 1 root root 1991 Mar 14 14:25 bind.keys
-rw-r--r-- 1 root root 237 Mar 14 14:25 db.0
-rw-r--r-- 1 root root 271 Mar 14 14:25 db.127
-rw-r--r-- 1 root root 237 Mar 14 14:25 db.255
-rw-r--r-- 1 root root 353 Mar 14 14:25 db.empty
-rw-r--r-- 1 root root 270 Mar 14 14:25 db.local
-rw-r--r-- 1 root bind 613 Apr 7 06:00 db.venus.hmv
-rw-r--r-- 1 root bind 463 Mar 14 14:25 named.conf
-rw-r--r-- 1 root bind 498 Mar 14 14:25 named.conf.default-zones
-rw-r--r-- 1 root bind 307 Apr 7 06:00 named.conf.local
-rw-r--r-- 1 root bind 219 Apr 7 06:00 named.conf.options
-rw-r----- 1 bind bind 100 Apr 7 05:55 rndc.key
-rw-r--r-- 1 root root 1317 Mar 14 14:25 zones.rfc1918
Here the file ‘db.venus.hmv’ immediately catches your eye. If you look closely at the contents, you will find the password for the next level.
Level 50
Mission: The password of maria is somewhere…
The password of the user Maria and thus the password of the last level is somewhere. The mission text suggests that we have already used Maria’s password somewhere and that’s true, but differently than you might think. … – I’ll just say this much: take a look at how you got the passwords of the last levels.
These were the last 10 levels of the Venus Lab on HackMyVM.eu.
I hope you had as much fun with it as I did. I definitely give a thumbs up for this still quite new platform, which has published a lot of CTF content in a relatively short time.