HackMyVM — Venus mission 21 to 29

HackMyVM venus — wargame HOW TO with images

Mission 21

  • now let’s copy the file to our home directory in our local system
  • scp -P 5000 iris@venus.hackmyvm.eu:~/eloise ~/
  • This looks like base64 encoded
  • cat eloise
  • Base64 encoded data will always have the following characteristic:
  • The length of a Base64-encoded string is always a multiple of 4
  • Only these characters are used by the encryption: “A” to “Z”, “a” to “z”, “0” to “9”, “+” and “/”
  • The end of a string can be padded up to two times using the “=”-character (this character is allowed in the end only) reference
  • Let’s decode it
  • so it is an image, open that image and you’ll find the password for the next level!!

Mission 22

  • lets copy the file to out local machine
  • scp -P 5000 eloise@venus.hackmyvm.eu:~/hi ~/
  • This is hexadecimal characters
  • Now we should revert them back, we can do this using xxd (man xxd)
  • xxd -r hi

Mission 23

  • So in this level we have to try searching all the names in the dict.txt file, if it exists in the /etc/xdg folder
  • while IFS= read -r line; do find /etc/xdg/$line 2>/dev/null ; done < dict.txt
  • Add IFS= option before read command to prevent leading/trailing whitespace from being trimmed.
  • The -r option passed to read command prevents backslash escapes from being interpreted.
  • then we are passing using the find command to search for the file using the variable line i.e each line of the dict.txt file
  • 2>/dev/null is used to dump all the error messages and show only the output
  • We get the password for isabel!!

Mission 24

There is a mistake, the file name is not repeated.txt it is different.txt

  • uniq -u different.txt
  • -u is used to only print unique lines

Mission 25

  • For this we can use crontabs read more; cron sceduler
  • let us create a cron job that copies all the files of the /free directory
  • let’s create a direcory mkdir /tmp/hj and let's just add a file - touch test
  • now open crontab using crontab -e
  • and add this i
  • what this does is it copies all the contents of /free and puts it to /tmp/hj, every minute

Mission 26

  • curl localhost

Mission 27

  • we have a .swp file read more, let's open it using vi .goas.swp after opening it, press colon :recover, we get this, hit enter.
  • now we have to brute force into lola’s account using these passwords, so let’s make this file a suitable wordlist,
  • go to the start of the file using gg and delete the first line using dd
  • now go down using the j key, and delete the --> using dw, go to the start of the next line and pres ., this repeates the previous step, i.e dw deletes the -->
  • now go down using j and press ., repeat these for all lines
  • now let’s save this, since we don’t have permission to save it in home directory we can save in the /tmp directory
  • :w /tmp/lola_dict.txt - saves the file in /tmp
  • Now to brute force the password, we can use hydra, let's copy the dict file to our local machine
  • scp -P 5000 ariel@venus.hackmyvm.eu:/tmp/lola_dict.txt ~/
  • hydra -l lola -P lola_dict.txt ssh://venus.hackmyvm.eu:5000
  • -l user
  • -P password file
  • [service://server[:PORT][/OPT]]

Mission 28

  • we can do this by navigating to the /var/www/html directory

OR

Mission 29

  • login to mysql mysql -p
  • we can find the user nina who also exists on the venus machine, so let's take her password!

Give this a 👏 if you found it useful!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Hritesh J

Hritesh J is a student pursuing undergraduate studies in CS. Loves cybersecurity and playing ctfs and writing about them. “learning one new thing every day.”