NepCodeX

Byte Musings: Where Tech Meets Curiosity


Venus – HMVLabs – HackMyVM – Writeup


Venus is the first lab on the HackMyVM platform. It is a CTF with 50 flags plus a few hidden ones. At the time of writing, the lab runs as a Docker container and is reachable online over SSH. It is a very easy CTF machine, so beginners can dive straight in.

Link to the lab: https://hackmyvm.eu/venus

Machine Description

There are several users on the machine, and each user’s home directory contains a mission file.

Mission 1

Firstly, we have to log into the machine using SSH. Now, let’s see the mission.txt file.

cat mission.txt
################
# MISSION 0x01 #
################

## EN ##
User sophia has saved her password in a hidden file in this folder. Find it and log in as sophia.

## ES ##
La usuaria sophia ha guardado su contraseña en un fichero oculto en esta carpeta.Encuentralo y logueate como sophia.

The first mission says that there is a hidden file in the folder.

ls -Al

This reveals a file “.myhiddenpazz” that holds the password for the user “sophia”. We can then either switch users within the current shell or open a new SSH session as sophia. I would suggest doing the latter if the first one fails.

su -l sophia

Mission 2

The next mission is in the home directory of “sophia”.

################
# MISSION 0x02 #
################

## EN ##
The user angela has saved her password in a file but she does not remember where ... she only remembers that the file was called whereismypazz.txt 

## ES ##
La usuaria angela ha guardado su password en un fichero pero no recuerda donde... solo recuerda que el fichero se llamaba whereismypazz.txt

Here, we have to find a file “whereismypazz.txt” to get access to the user angela. So, we can use the find command.

find / -name "whereismypazz.txt" -type f 2>/dev/null

The -name option in the above command matches on the file or directory name. Likewise, -type f restricts the results to regular files; for directories, we can use -type d. Finally, 2>/dev/null sends everything written to file descriptor 2 (standard error) to /dev/null. Since there are many files and directories that we don’t have access to, find would otherwise print a lot of errors that we don’t want to see.

Mission 3

################
# MISSION 0x03 #
################

## EN ##
The password of the user emma is in line 4069 of the file findme.txt

## ES ##
La password de la usuaria emma esta en la linea 4069 del fichero findme.txt

Now, we can print line 4069 of findme.txt as follows.

sed -n "4069p" findme.txt

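Or, we can number the lines with cat and filter on the line-number column. A bare “grep 4069” would also match other line numbers and any content that contains 4069, so the pattern is anchored to the number field.

cat -n findme.txt | grep -E '^ *4069[[:space:]]'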

This way, we get the password of the user “emma”.

Mission 4

################
# MISSION 0x04 #
################

## EN ##
User mia has left her password in the file -.
## ES ##
La usuaria mia ha dejado su password en el fichero -.

There is a file named “-” in the home directory. Since cat treats a bare “-” as standard input, we have to refer to the file by its path.

cat ./-

Now, we can log in as the user “mia”.

Mission 5

################
# MISSION 0x05 #
################

## EN ##
It seems that the user camila has left her password inside a folder called hereiam 

## ES ##
Parece que la usuaria camila ha dejado su password dentro de una carpeta llamada hereiam

For the password of the user “camila”, we have to find a directory “hereiam”.

find / -name hereiam -type d 2>/dev/null

Inside the directory, there is a file “.here” that has the password.

Mission 6

################
# MISSION 0x06 #
################

## EN ##
The user luna has left her password in a file inside the muack folder. 

## ES ##
La usuaria luna ha dejado su password en algun fichero dentro de la carpeta muack.

There is a directory “muack” that has a lot of subdirectories. However, one of them has a password.

find muack/ -type f -exec cat {} \;

The above command finds every file under the muack directory and runs “cat” on each of them. In our case, there is a single file that contains the password.

Mission 7

################
# MISSION 0x07 #
################

## EN ##
The user eleanor has left her password in a file that occupies 6969 bytes. 

## ES ##
La usuaria eleanor ha dejado su password en un fichero que ocupa 6969 bytes.

Now, we can find the password of the user eleanor in a file that occupies 6969 bytes.

find / -size 6969c -type f 2>/dev/null

This lists a file “moon.txt” that has the password for eleanor.

Mission 8

################
# MISSION 0x08 #
################

## EN ##
The user victoria has left her password in a file in which the owner is the user violin. 

## ES ##
La usuaria victoria ha dejado su password en un fichero en el cual el propietario es el usuario violin.

As above, we can find all the files that we can access and that belong to the user “violin” as follows.

find / -user violin -type f 2>/dev/null

This gives a file “yo” that has the password for the user “victoria”.

Mission 9

################
# MISSION 0x09 #
################

## EN ##
The user isla has left her password in a zip file.

## ES ##
La usuaria isla ha dejado su password en un fichero zip.

There is a file “passw0rd.zip” in the same directory, which matches the mission text. Thus, we can extract it to /tmp and read the password.

unzip passw0rd.zip -d /tmp/pass
cat /tmp/pass/pwned/victoria/passw0rd.txt

Mission 10

################
# MISSION 0x10 #
################

## EN ##
The password of the user violet is in the line that begins with a9HFX (these 5 characters are not part of her password.). 

## ES ##
El password de la usuaria violet esta en la linea que empieza por a9HFX (sin ser estos 5 caracteres parte de su password.).

We can use the grep command to do the job as follows.

grep '^a9HFX' passy

Then, we copy the rest of the line, excluding the matched prefix, which gives us the password of the user violet.

Mission 11

################
# MISSION 0x11 #
################

## EN ##
The password of the user lucy is in the line that ends with 0JuAZ (these last 5 characters are not part of her password) 

## ES ##
El password de la usuaria lucy se encuentra en la linea que acaba por 0JuAZ (sin ser estos ultimos 5 caracteres parte de su password)

As in the previous mission, we have to find the line that ends with the given characters.

grep '0JuAZ$' end

Mission 12

################
# MISSION 0x12 #
################

## EN ##
The password of the user elena is between the characters fu and ck 

## ES ##
El password de la usuaria elena esta entre los caracteres fu y ck

This mission is a combination of the previous 2 missions. The pattern is quoted so that the shell does not try to expand the “*” itself.

grep '^fu.*ck$' file.yo

Mission 13

################
# MISSION 0x13 #
################

## EN ##
The user alice has her password is in an environment variable. 

## ES ##
La password de alice esta en una variable de entorno.

We can check the environment variables as follows.

printenv 

# OR to grab the password
printenv | grep -i pass

Mission 14

################
# MISSION 0x14 #
################

## EN ##
The admin has left the password of the user anna as a comment in the file passwd. 

## ES ##
El admin ha dejado la password de anna como comentario en el fichero passwd.

We can check the /etc/passwd file for a possible password. It is in the line of “alice”.

grep alice /etc/passwd

Mission 15

################
# MISSION 0x15 #
################

## EN ##
Maybe sudo can help you to be natalia.

## ES ##
Puede que sudo te ayude para ser natalia.

Now, we can check the sudo permission of the user anna.

sudo -l

From the output, we see that we can directly get a shell as the user natalia.

sudo -u natalia bash

Mission 16

################
# MISSION 0x16 #
################

## EN ##
The password of user eva is encoded in the base64.txt file

## ES ##
El password de eva esta encodeado en el fichero base64.txt

The solution is simple.

base64 -d base64.txt

Mission 17

################
# MISSION 0x17 #
################

## EN ##
The password of the clara user is found in a file modified on May 1, 1968. 

## ES ##
La password de la usuaria clara se encuentra en un fichero modificado el 01 de Mayo de 1968.

For this mission, I used the find command. Its “-mtime” option selects files by modification time, counted in days by default. If n is the number of days, “-mtime +n” matches files modified more than n days ago, “-mtime -n” matches files modified less than n days ago, and “-mtime n” matches files modified n days ago. For example, the difference between 2021 and 1970 in days is roughly “(2021-1970)*365” = 18615 days (leap days are ignored). Hence, by using “-mtime -18615”, I can list files newer than 1970. However, “-mtime +18615” gives the files whose last modification is older than 1970.

find / -type f -mtime +18615 2>/dev/null

This gives a file that has the password for the user clara.
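
An added example (not part of the original writeup) that goes one step beyond the approximation above: it computes the exact day count for -mtime and lists only the files modified on one calendar day. It assumes GNU date and GNU find; the function names are made up for illustration.

```shell
# Assumes GNU date (-d) and GNU find (-printf). Function names are illustrative.

# Whole days between now and local midnight of the given date (YYYY-MM-DD).
# This is the exact n for "find -mtime", leap days included.
mtime_days_ago() {
    then_s=$(date -d "$1" +%s) || return 1
    now_s=$(date +%s)
    echo $(( (now_s - then_s) / 86400 ))
}

# List regular files under DIR whose mtime falls on the calendar day
# YYYY-MM-DD, i.e. in [day 00:00:00, next day 00:00:00) local time.
# Dates before 1970 simply give negative epoch seconds.
# Paths containing newlines are not handled.
files_modified_on() {
    dir=$1
    start=$(date -d "$2" +%s) || return 1
    end=$(date -d "$2 +1 day" +%s) || return 1
    find "$dir" -type f -printf '%T@\t%p\n' 2>/dev/null |
        awk -F'\t' -v s="$start" -v e="$end" '
            $1 + 0 >= s + 0 && $1 + 0 < e + 0 {
                sub(/^[^\t]*\t/, "")   # drop the timestamp column
                print
            }'
}

# Usage on the lab machine would look like:
#   files_modified_on / 1968-05-01
#   find / -type f -mtime +"$(mtime_days_ago 1970-01-01)" 2>/dev/null
```

The date window returns only files from that day, whereas “-mtime +18615” returns every file older than the cutoff.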

Mission 18

################
# MISSION 0x18 #
################

## EN ##
The password of user frida is in the password-protected zip (rockyou.txt can help you) 

## ES ##
La password de frida esta en el zip protegido con password.(rockyou.txt puede ayudarte)

Now, we have a bruteforcing task for the zip file. Firstly, we have to copy the file to our local machine. Then, we can crack this using john the ripper.

scp -P 5000 [email protected]:~/protected.zip .
zip2john protected.zip > fridahash
john fridahash --wordlist=/home/kali/rockyou.txt

The above commands give us the password of the zip. Next, we can unzip the files.

unzip protected.zip
cat pwned/clara/protected.txt

Mission 19

################
# MISSION 0x19 #
################

## EN ##
The password of eliza is the only string that is repeated (unsorted) in repeated.txt. 

## ES ##
La password de eliza es el unico string que se repite (sin estar ordenado) en repeated.txt.

The mission says that we have to find the string that is repeated in the unsorted “repeated.txt” file. Here, we have to focus on the word “unsorted”.

Normally, “repeated” means repeated anywhere in the file. In this case, however, it means repeated on adjacent lines. In Linux, the “uniq” command identifies adjacent repeated lines, as its help page says.

Note: 'uniq' does not detect repeated lines unless they are adjacent.
You may want to sort the input first, or use 'sort -u' without 'uniq'.

So, we can show the password as follows.

uniq -d repeated.txt

Mission 20

################
# MISSION 0x20 #
################

## EN ##
The user iris has left me her key.

## ES ##
La usuaria iris me ha dejado su key.

There is an SSH private key file in the same directory.

ssh iris@localhost -i .iris_key

Mission 21

################
# MISSION 0x21 #
################

## EN ##
User eloise has saved her password in a particular way. 

## ES ##
La usuaria eloise ha guardado su password de una forma particular.

There is a file “eloise” in the home directory of iris. It looks like a base64 encoded file. After decoding the file, we see that it is a JPEG image.

base64 -d eloise | file -

To view the image, we require a GUI. So, I copied the content of eloise to my local machine and decoded it.

base64 -d eloise > eloise.jpg

Lastly, we can open the file and see the password in the image. If it does not work, try swapping the letters “I” and “l”.

Mission 22

################
# MISSION 0x22 #
################

## EN ##
User lucia has been creative in saving her password.

## ES ##
La usuaria lucia ha sido creativa en la forma de guardar su password.

Similarly, another mission gives us a file “hi” that contains a hexdump.

xxd -r hi

Mission 23

################
# MISSION 0x23 #
################

## EN ##
The user isabel has left her password in a file in the /etc/xdg folder but she does not remember the name, however she has dict.txt that can help her to remember.

## ES ##
La usuaria isabel ha dejado su password en un fichero en la carpeta /etc/xdg pero no recuerda el nombre, sin embargo tiene dict.txt que puede ayudarle a recordar.

In this mission, we have to bruteforce the filenames inside /etc/xdg.

while IFS= read -r line; do readlink -e "/etc/xdg/$line"; done < dict.txt

Mission 24

################
# MISSION 0x24 #
################

## EN ##
The password of the user freya is the only string that is not repeated in repeated.txt 

## ES ##
La password de la usuaria freya es el unico string que no se repite en repeated.txt

There is a typo in the mission text. It should be “different.txt” instead of “repeated.txt”. Here, we have to find the line that is not repeated in the file.

uniq -u different.txt
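
An added example (not part of the original writeup) for Missions 19 and 24: a single-pass report that shows, for each distinct line, how often it occurs and whether any two occurrences are adjacent, so the difference between “uniq” on unsorted input and “sort | uniq” is visible. The sample data and function names are constructed for illustration.

```shell
# Constructed sample: "beta" occurs twice but far apart,
# "delta" occurs twice on consecutive lines.
write_sample() {
    printf '%s\n' alpha beta gamma delta delta beta epsilon > "$1"
}

# One pass over the file, keeping first-seen order.
# Output columns (tab-separated): total count, "adjacent" or "-", the line.
# Lines are assumed to contain no tab characters.
repeat_report() {
    awk '
        {
            count[$0]++
            # Force a string comparison so that "1.0" and "1" stay different.
            if (NR > 1 && ($0 "") == (prev "")) adjacent[$0] = 1
            if (count[$0] == 1) order[++n] = $0
            prev = $0
        }
        END {
            for (i = 1; i <= n; i++) {
                l = order[i]
                flag = (l in adjacent) ? "adjacent" : "-"
                printf "%d\t%s\t%s\n", count[l], flag, l
            }
        }
    ' "$1"
}

# Lines repeated on consecutive lines: what "uniq -d" sees on unsorted input.
adjacent_repeats() {
    repeat_report "$1" | awk -F'\t' '$2 == "adjacent" { print $3 }'
}

# Lines that occur more than once anywhere: what "sort | uniq -d" reports.
repeats_anywhere() {
    repeat_report "$1" | awk -F'\t' '$1 > 1 { print $3 }'
}

# Lines that occur exactly once in the whole file: what "sort | uniq -u"
# reports. Plain "uniq -u" on unsorted input also prints lines such as
# "beta" here, because its two copies are not adjacent.
singletons() {
    repeat_report "$1" | awk -F'\t' '$1 == 1 { print $3 }'
}
```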

Mission 25

################
# MISSION 0x25 #
################

## EN ##
User alexa puts her password in a .txt file in /free every minute and then deletes it. 

## ES ##
La usuaria alexa pone su password en un fichero .txt en la carpeta /free cada minuto y luego lo borra.

Since the user deletes the file instantly, we have to use a loop to see the content.

false; while [ $? -ne 0 ]; do cat /free/* ; done 2>/dev/null

Mission 26

################
# MISSION 0x26 #
################

## EN ##
The password of the user ariel is online! (HTTP)

## ES ##
El password de la usuaria ariel esta online! (HTTP)

The next mission is easy.

curl http://localhost

Mission 27

################
# MISSION 0x27 #
################

## EN ##
Seems that ariel dont save the password for lola, but there is a temporal file.

## ES ##
Parece ser que a ariel no le dio tiempo a guardar la password de lola... menosmal que hay un temporal!

Here, we get a .swp file that is created by vim. So, we can recover this as follows.

vim -r .goas.swp

This gives a dictionary of passwords.

Image 1: The dictionary of passwords

Here, it is important to use vim. When the file opens, vim is in normal mode. If you have typed anything, just press “Esc” several times to return to normal mode. So, let’s create a proper wordlist from this file.

Typing “gg” in the normal mode takes you to the top of the page. We can use “dd” to delete the line.

Next, we can use “dw” to delete a word. In this case, it deletes “–>”. Now, we can go to the next line by either using the “down” arrow key or the “j” key.

Here comes the interesting part now. If we press “.”, it will repeat the last command, i.e. “dw”. So, we can go down and press “.” to repeat the same actions.

Finally, we can save this as a file.

:w /tmp/dict.txt
:q!

We can bruteforce this using hydra or we can try bruteforcing it using a bash script.

while IFS= read -r line; do echo "$line" | timeout 2 su lola 2>/dev/null; if [ $? -eq 0 ]; then echo "$line"; break; fi; done < /tmp/dict.txt

Or, alternatively, we can do this using hydra.

hydra -l lola -P dict.txt ssh://venus.hackmyvm.eu:5000

Mission 28

################
# MISSION 0x28 #
################

## EN ##
The user celeste has left a list of names of possible .html pages where to find her password. 

## ES ##
La usuaria celeste ha dejado un listado de nombres de posibles paginas .html donde encontrar su password.

In this mission, I will use SSH tunnelling to forward the HTTP port and then bruteforce the page names using gobuster. On my local machine, I ran the following command.

ssh -L 9001:127.0.0.1:80 [email protected] -p 5000

This tunnels the HTTP service to port 9001 of my local machine. In a new terminal, I bruteforced the page names.

gobuster dir -w pages.txt -u http://127.0.0.1:9001 -x html

This gives us a file “cebolla.html” that has the password.

Alternatively, we don’t require the dictionary at all to identify the filename.

find / -name "*.html" -path '/var/www*' 2>/dev/null

This would give us the file, and we could then use curl from inside the machine.

Mission 29

################
# MISSION 0x29 #
################

## EN ##
The user celeste has access to mysql but for what?

## ES ##
La usuaria celeste tiene acceso al mysql, pero para que?

In this mission, we have to log into the MySQL server using the credentials of celeste.

mysql -uceleste -p 
show databases;
use venus;
show tables;
select * from people;

In the table, we have a few names of which one is “nina” who is also a user of the machine. So, we can grab her password from there.

Mission 30

################
# MISSION 0x30 #
################

## EN ##
The user kira is hidding something in http://localhost/method.php

## ES ##
La usuaria kira esconde algo en http://localhost/method.php

The next mission suggests that we have to use a different request method to get the password.

curl -XPUT http://localhost/method.php

Mission 31

################
# MISSION 31 #
################

## EN ##
The user veronica visits a lot http://localhost/waiting.php

## ES ##
La usuaria veronica visita mucho http://localhost/waiting.php

When we perform curl on the URL, it suggests using the user-agent “PARADISE”.

curl -A PARADISE http://localhost/waiting.php

Mission 32

################
# MISSION 0x32 #
################

## EN ##
The user veronica uses a lot the password from lana, so she created an alias.

## ES ##
La usuaria veronica usa mucho la password de lana, asi que ha creado un alias.

To list all aliases, we can use the following command.

alias

Mission 33

################
# MISSION 0x33 #
################

## EN ##
The user noa loves to compress her things.

## ES ##
A la usuaria noa le gusta comprimir sus cosas.

file zip.gz

Since the archive is not encrypted, we could simply open the file to see its content. To extract it properly, however, we have to identify the type of compression. In this case, it is a tar file.

mkdir /tmp/zip
tar -xvf zip.gz -C /tmp/zip
cat /tmp/zip/pwned/lana/zip

Mission 34

################
# MISSION 0x34 #
################

## EN ##
The password of maia is surrounded by trash 

## ES ##
La password de maia esta rodeada de basura

There is a file “trash” in the home directory.

strings trash

This will give cleartext that looks like a password. You might have to remove the first few letters to make it work.

Mission 35

################
# MISSION 0x35 #
################

## EN ##
The user gloria has forgotten the last 2 characters of her password ... They only remember that they were 2 lowercase letters. 

## ES ##
La usuaria gloria ha olvidado los 2 ultimos caracteres de su password... Solo recuerdan que eran 2 letras minusculas.

For this, we can create our own wordlist. I am using python3 to do so.

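# gloria.py
# Print every candidate: the known part of the password (shown here as
# "snip") followed by two lowercase letters.
from string import ascii_lowercase

for c1 in ascii_lowercase:
    for c2 in ascii_lowercase:
        print(f"snip{c1}{c2}")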

Then, a wordlist will be generated as follows.

python3 gloria.py > gloria.txt

Lastly, we can bruteforce using hydra.

Mission 36

################
# MISSION 0x36 #
################

## EN ##
User alora likes drawings, that's why she saved her password as ... 

## ES ##
A la usuaria alora le gustan los dibujos, por eso ha guardado su password como...

This mission is quite interesting. There is a file “image” in the same directory that contains a lot of pound symbols. However, when I zoomed out of the terminal, I saw that it was a QR code.

Image 2: The QR code

We can use any online tool to decode the QR code.

Mission 37

################
# MISSION 0x37 #
################

## EN ##
User Julie has created an iso with her password.

## ES ##
La usuaria julie ha creado una iso con su password.

Here, we have to mount a file “music.iso”. I copied this to my local machine.

mkdir /tmp/music
sudo mount -o loop music.iso /tmp/music
unzip /tmp/music/music.zip -d /tmp
sudo umount /tmp/music
cat /tmp/pwned/alora/music.txt

Mission 38

################
# MISSION 0x38 #
################

## EN ##
The user irene believes that the beauty is in the difference.

## ES ##
La usuaria irene cree que en la diferencia esta lo bonito.

There are two files 1.txt and 2.txt. We just have to find the difference.

diff 1.txt 2.txt

One of the two is the password.

Mission 39

################
# MISSION 0x39 #
################

## EN ##
The user adela has lent her password to irene.

## ES ##
La usuaria adela le ha dejado prestada su password a irene.

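We see a couple of files that we can use to get the password for the user “adela”: an RSA private key and an encrypted file.

openssl rsautl -decrypt -inkey id_rsa.pem -in pass.enc

On OpenSSL 3.x, rsautl still works but prints a deprecation warning; pkeyutl is its replacement.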

Mission 40

################
# MISSION 0x40 #
################

## EN ##
User sky has saved her password to something that can be listened to.

## ES ##
La usuaria sky ha guardado su password en algo que puede ser escuchado.

In the directory, we have a “wtf” file that contains Morse code. Copy the Morse code to your local machine and decode it using CyberChef.

Mission 41

################
# MISSION 0x41 #
################

## EN ##
User sarah uses header in http://localhost/key.php

## ES ##
La usuaria sarah utiliza header para http://localhost/key.php

If we curl on the given URL, we see a message.

Key header is true?

This means that we have to pass a header “key: true” in the request.

curl -H 'key: true' http://localhost/key.php

Mission 42

################
# MISSION 0x42 #
################

## EN ##
The password of mercy is hidden in this directory.

## ES ##
La password de mercy esta oculta en este directorio.

ls -A

The above command will give a file “...” that has the password.

Mission 43

################
# MISSION 0x43 #
################

## EN ##
User mercy is always wrong with the password of paula. 

## ES ##
La usuaria mercy siempre se equivoca con la password de paula.

If we check the “.bash_history” file, we get the password of the user paula.

Mission 44

################
# MISSION 0x44 #
################

## EN ##
The user karla trusts me, she is part of my group of friends. 

## ES ##
La usuaria karla confia en mi, es parte de mi grupo de amigos.

Here, the user paula belongs to a group “hidden”.

id

So, let’s find the files of the group.

find / -group hidden -type f 2>/dev/null

Mission 45

################
# MISSION 0x45 #
################

## EN ##
User denise has saved her password in the image.

## ES ##
La usuaria denise ha guardado su password en la imagen.

If we check the EXIF information of the image, we get the password.

exiftool yuju.jpg

Mission 46

################
# MISSION 0x46 #
################

## EN ##
The user zora is screaming doas!

## ES ##
La usuaria zora no deja de gritar doas!

There is a binary “doas” on the machine. It simply allows us to run commands as other users.

find / -name doas 2>/dev/null
doas -u zora bash

Mission 47

################
# MISSION 0x47 #
################

## EN ##
The user belen has left her password in venus.hmv

## ES ##
La usuaria belen ha dejado su password en venus.hmv

Here, we have to use the “HOST” header.

curl -H 'HOST: venus.hmv' http://localhost

Mission 48

################
# MISSION 0x48 #
################

## EN ##
It seems that belen has stolen the password of the user leona...

## ES ##
Parece que belen ha robado el password de la usuaria leona..

In this mission, there is a file stolen.txt that has the hash of the password. Therefore, we have to copy this hash into a file on our local machine and crack the password.

john leonahash --wordlist=$HOME/rockyou.txt

Mission 49

################
# MISSION 0x49 #
################

## EN ##
User ava plays a lot with the DNS of venus.hmv lately... 

## ES ##
La usuaria ava juega mucho con el DNS de venus.hmv ultimamente...

Here, we have to check the DNS server configuration.

cd /etc/bind/

One of the files contains the password.

Mission 50

################
# MISSION 0x50 #
################

## EN ##
The password of maria is somewhere...

## ES ##
El password de maria esta en algun lugar...

The last mission hints that there is a password somewhere on the machine. So, there is a high chance that the user has reused a password. Also, I have already told you the password in this post.

Conclusion

In this way, we can get all 50 flags in the machine. However, I haven’t mentioned any hidden flags in this post. Keep supporting me and the HMV community.
