HackMyVM venus — wargame HOW TO with images. Missions : 30 31 32 33 34 35 36 37 38 39 40
Mission 30
- User kira seems to be hiding something in a php file.
- Let's curl the URL http://localhost/method.php
- It returns:
iI dont like this method!
- Hmm… so we have to find another method to access this file.
- HTTP has several request methods: POST, GET, PUT, DELETE
- By default, curl uses the GET method.
- We can try the PUT method, as the PUT method is idempotent, i.e., making several identical requests has the same effect on the server as a single request.
- For those who are curious, the POST method won't work, as the POST method is not idempotent, i.e., each request will have a different effect on the server.
curl -X PUT http://localhost/method.php
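Added example, not part of the original write-up or the wargame: a local Python stand-in for method.php, assuming the script picks its answer from the request verb alone (its real source is not shown on this page). `MethodGate`, `probe` and the secret value are constructed for illustration; the run shows that a verb check depends only on something the client chooses, so it cannot serve as access control.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET = b"constructed-placeholder-password\n"  # constructed value, not from the wargame
REJECT = b"I dont like this method!\n"          # rejection text modelled on the page's output


class MethodGate(BaseHTTPRequestHandler):
    """Assumed behaviour: only the request method decides what is returned."""

    def _reply(self, body):
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        self._reply(SECRET)

    def do_GET(self):
        self._reply(REJECT)

    do_POST = do_DELETE = do_GET   # every verb except PUT is turned away

    def log_message(self, *args):  # keep the demo output quiet
        pass


def probe(methods=("GET", "POST", "PUT", "DELETE")):
    """Start the stand-in on a free localhost port and request it with each verb."""
    server = HTTPServer(("127.0.0.1", 0), MethodGate)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {}
    try:
        for method in methods:
            conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
            conn.request(method, "/method.php")
            results[method] = conn.getresponse().read().decode().strip()
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for verb, body in probe().items():
        print(f"{verb:6} -> {body}")
```

In this stand-in every verb reaches the same file; the handler simply branches on the method name, which is why restricting a resource this way only hides it from clients that send the default GET.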
Mission 31
- Let's get the data on waiting.php
- OK, so we have to use the user-agent header for this mission.
curl http://localhost/waiting.php -H "user-agent: PARADISE"
- -H is used to set a header value
Mission 32
- aliases are used to store a particular command.
- Creating an alias:
alias alias_name="command_to_run"
- To view the aliases, all we have to do is type alias on the command line
Mission 33
- OK, so we have to extract the compressed file
1: it is a tar archive
2: since we don't have permission to create files in the home directory, we create one in the /tmp dir
3: extraction
tar -xf zip.gz --directory /tmp/mission_33
- x tells tar to extract
- f specifies the file
- Now let's go to the dir in /tmp and we find the password
Mission 34
- If we cat the file, we find all gibberish; nothing makes sense to us
- We can use strings to find the strings in the file
strings trash
- We can find the pass for the next mission (we have to remove the first 2 letters)
Mission 35
- OK, so we have to find the last 2 letters of the password by brute forcing using hydra
- To come up with a wordlist for brute-forcing ssh, we can write a python script
import string

# the known part of the password
known_pass = "v7xUVE2e5bjUc"
# all the lowercase letters
letters = string.ascii_lowercase
# generate the wordlist: one candidate per two-letter suffix
for letter_1 in letters:
    for letter_2 in letters:
        new_pass = known_pass + letter_1 + letter_2
        print(new_pass)
- Let's run the code and store the output in a wordlist
python3 mission_35_wordlist.py > wordlist_35.txt
- We are storing the output to wordlist_35.txt
- Now we can use hydra to bruteforce
hydra -l gloria -P wordlist_35.txt venus.hackmyvm.eu -s 5000 -t 4 ssh
- -l takes a single user parameter
- -P takes the password wordlist
- -s takes the port number
- -t specifies the number of threads, 4 is recommended
- It might take a while
Mission 36
- cat image gives us a QR code. When I tried scanning it with my mobile, the QR was not getting recognized due to the # symbols
- Now let's try changing those # symbols into blocks so that the QR can be scanned
- First copy the QR, paste it on your local system and save the file
# Open the saved file that holds the QR code; 'r' opens it for reading
with open('[path_of_the_file]', 'r') as qr:
    lines = qr.readlines()
# Go line by line and replace every '#' with the full block character (U+2588)
for l in lines:
    print(l.replace('#', chr(0x2588)), end='')
- Once we run this program we get a QR code which can be scanned by the phone, and we get the password for the next mission.
Mission 37
- Let's try strings music.iso
- And we get the password for the next level
Mission 38
- We can use the diff command; it is used to compare files line by line.
diff 1.txt 2.txt
- We get the password for the next mission
Mission 39
- We have the private key id_rsa.pem, the public key id_rsa.pub, and the encrypted file pass.enc
openssl rsautl -decrypt -inkey id_rsa.pem -in pass.enc
- We use openssl to decrypt the files
- rsautl is for encrypting and decrypting files with RSA keys
- decrypt
- We get the password for the next mission