MattAndreko.com

"hostess is a code-slaying dragon found deep within the core of the earth, unearthing magma and vulnerabilities single handedly while using the other hand to pet his cat"

OverTheWire Monxla Part 1

I had a Twitter follower recently inform me that OverTheWire had a new wargame up and running.  I was immediately excited and downloaded it.  Several days later, I actually was able to start tinkering with it.

I booted up the image, and proceeded to do some preliminary nmap scans.  I found a few services running:

mandreko$ nmap -sV -p1-65535 -T4 192.168.188.134
Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-15 10:28 EST
Nmap scan report for 192.168.188.134
Host is up (0.0077s latency).
Not shown: 65511 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.8p1 Debian 7ubuntu1 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.20 ((Ubuntu))
6667/tcp  open  irc     Unreal ircd
8000/tcp  open  http    Icecast streaming media server
21342/tcp open  unknown
21768/tcp open  unknown
21951/tcp open  unknown
23917/tcp open  unknown
24578/tcp open  unknown
24783/tcp open  unknown
25275/tcp open  unknown
26791/tcp open  unknown
31308/tcp open  unknown
31418/tcp open  unknown
31874/tcp open  unknown
32704/tcp open  unknown
33039/tcp open  unknown
34466/tcp open  unknown
34538/tcp open  unknown
34957/tcp open  unknown
36199/tcp open  unknown
37213/tcp open  unknown
37628/tcp open  unknown
37956/tcp open  unknown

Based on the clue on the Monxla page, “Hint: how big is the page you are looking at?”, I connected to the webserver.

It looked like a fairly generic page, but I viewed the source, and found a huge amount of text commented out.  Since it was all alpha-numeric other than ending with a single “=”, I figured it was probably Base64.

I copied the text into a new file on my machine. I then decoded it and found out what type of file it was:

mandreko$ base64 -D monxla -o monxla.decoded
mandreko$ file monxla.decoded
monxla.decoded: PDF document, version 1.4
mandreko$ mv monxla.decoded monxla.pdf
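
The same steps (pull the comment out of the page source, Base64-decode it, identify the result by its leading bytes) can be scripted. The following is an added example, not code from the original post; the function names, the magic-byte table and the sample page are constructed for illustration, and the 64-character minimum is an assumed threshold for telling a large blob from an ordinary comment.

```python
import base64
import binascii
import re

# Leading magic bytes for a few common formats (small constructed table).
MAGIC = {
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP archive",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\x7fELF": "ELF executable",
}
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def identify(data: bytes) -> str:
    """Return a file-type label based on the leading magic bytes."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown data"


def find_embedded_files(html: str, min_len: int = 64):
    """Return (label, decoded_bytes) for each HTML comment that is a Base64 blob."""
    results = []
    for body in COMMENT_RE.findall(html):
        candidate = "".join(body.split())  # drop line wraps and indentation
        if len(candidate) < min_len or len(candidate) % 4 or not B64_RE.fullmatch(candidate):
            continue  # ordinary comment text, or not padded Base64
        try:
            data = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue
        results.append((identify(data), data))
    return results


# Constructed sample: one normal comment and one comment hiding a tiny fake PDF.
PAYLOAD = b"%PDF-1.4\n" + b"% constructed sample, not a real document\n" * 2 + b"%%EOF"
SAMPLE_HTML = (
    "<html><body><!-- navigation starts here -->\n<h1>Welcome</h1>\n<!--\n"
    + "\n".join(re.findall(".{1,60}", base64.b64encode(PAYLOAD).decode()))
    + "\n-->\n</body></html>"
)

if __name__ == "__main__":
    for label, data in find_embedded_files(SAMPLE_HTML):
        print(f"{label}: {len(data)} bytes")
```
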

When the PDF (available here) is then opened, it shows a report of running services that may need to be attacked. This is similar to “levels” in most wargames, I believe (I haven’t yet finished this wargame).

My next article in this series will show how to exploit the “Bookmarks Service”.
