Monkey in the Middle

While attending your annual spy training, you made an offhand comment about loving the game “Monkey in the Middle” as a child. Prove you’re still at the top of your game by using multiple spoofing techniques to eavesdrop, tamper, and steal a secure browser cookie.

NICE Work Roles

Vulnerability Analysis
Exploitation Analysis

NICE Tasks

T1359: Perform penetration testing
T1118: Identify vulnerabilities
T0591: Perform analysis for target infrastructure exploitation activities

Background

While enjoying a short lunch break at the mandatory annual spy training, you make an offhand comment about loving the game “Monkey in the Middle” as a child. The instructor makes a weird face and runs from the room, cackling like a maniac and muttering “MitM”. The next day, you find the lesson plan has been replaced with a hands-on workshop all about spoofing, intercepting, and tampering with communication on a local network! The instructor challenges you to prove you’re still a champion at “Monkey in the Middle” by stealing a SameSite: Strict cookie from his browser.

Getting Started

Use the provided Kali machine to access the workshop’s network. The instructor reminds you that forwarding is enabled by default on the device. The instructor also tells you that there are six other hosts on the network:

mathserver.pccc, running a custom TCP server on port 9000
mathclient.pccc, opens a connection to mathserver.pccc
dnsmasq.pccc, provides DNS via dnsmasq
dnsvictim.pccc, uses the DNS service from dnsmasq.pccc
web.pccc, hosts a simple web server
webvictim.pccc, which uses Selenium to browse web.pccc
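The workshop network above depends on hosts trusting whatever ARP replies they receive, which is what makes local interception possible in the first place. As an added example from the defender's side (this is not part of the challenge materials), the script below applies two arpwatch-style heuristics to a constructed capture in the style of `tcpdump -e -n arp`: an IP whose MAC binding changes, and one MAC that answers for several IPs. The hosts, addresses and timestamps in the sample are made up; the optional baseline argument stands in for a known-good ARP table such as a static or DHCP-derived inventory.

```python
import re
from collections import defaultdict

# Constructed sample capture in the style of `tcpdump -e -n arp`. Addresses,
# MACs and timestamps are invented for this example: 10.10.0.1 plays the
# gateway, 10.10.0.20 a client, and 02:00:00:00:00:66 an unknown host.
SAMPLE_ARP_LOG = """\
10:00:01.000000 02:00:00:00:00:20 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.10.0.1 tell 10.10.0.20, length 28
10:00:01.000200 02:00:00:00:00:fe > 02:00:00:00:00:20, ethertype ARP (0x0806), length 42: Reply 10.10.0.1 is-at 02:00:00:00:00:fe, length 28
10:00:05.000000 02:00:00:00:00:30 > 02:00:00:00:00:20, ethertype ARP (0x0806), length 42: Reply 10.10.0.30 is-at 02:00:00:00:00:30, length 28
10:00:09.000000 02:00:00:00:00:66 > 02:00:00:00:00:20, ethertype ARP (0x0806), length 42: Reply 10.10.0.1 is-at 02:00:00:00:00:66, length 28
10:00:09.000100 02:00:00:00:00:66 > 02:00:00:00:00:fe, ethertype ARP (0x0806), length 42: Reply 10.10.0.20 is-at 02:00:00:00:00:66, length 28
"""

# Matches only ARP reply lines: timestamp, then "Reply <ip> is-at <mac>".
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) .*?Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)


def parse_arp_replies(log_text):
    """Yield (timestamp, ip, mac) for each ARP reply line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_spoofing(log_text, baseline=None):
    """Return a list of alert dicts built from two heuristics.

    ip-mac-change: an IP previously bound (or bound in the baseline) to one MAC
        is now claimed by a different MAC.
    mac-claims-multiple-ips: one MAC answers for more than one IP, the pattern
        an on-path host leaves when it poisons both ends of a conversation.
    Both are signals to investigate, not proof: DHCP churn, VRRP/HSRP pairs and
    multi-homed routers can trigger them legitimately.
    """
    ip_to_mac = dict(baseline or {})          # known-good bindings, if any
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for ts, ip, mac in parse_arp_replies(log_text):
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"ts": ts, "type": "ip-mac-change", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append({"ts": ts, "type": "mac-claims-multiple-ips",
                               "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG):
        print(alert)
```

On the sample capture the detector raises two alerts: the gateway address 10.10.0.1 moving from its original MAC to the unknown one, and that unknown MAC then claiming the client's address as well. Feeding it a live `tcpdump -e -n arp` stream, or seeding it with a maintained baseline of gateway bindings, turns the same logic into a lightweight monitor.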

Tokens

The instructor provides a list of tokens to retrieve from these devices. The tokens are formatted as PCCC{some_words_here_??_????}. Token 3 uses the alternative format PCCC-some-words-here-??-???? to be a valid domain name.

Note that the following tokens may be collected in any order, although they are designed to lead naturally up to the final task.

No grading is required.

1. Intercept the token sent by mathclient.pccc to mathserver.pccc on port 9000.
2. The mathserver.pccc host will send this token when all of the math questions passed between mathclient.pccc and mathserver.pccc are answered correctly.
3. Intercept the DNS request from dnsvictim.pccc and find this token in the first label of the domain name.
   This token uses the alternative format PCCC-some-words-here-??-???? to be a valid domain name.
4. After a successful DNS lookup, the dnsvictim.pccc host tries to send this token to port 9001 at {token3}.target.pccc.
5. This token is in the header of the HTTP request sent by webvictim.pccc.
6. The webvictim.pccc host types this token into the textarea on the page retrieved from web.pccc.
7. Combine all of these skills to steal a cookie from the webvictim.pccc host.
   The cookie is named tokenLax, and belongs to the domain external.target.pccc on port 80.
   This cookie is marked as SameSite: Lax.
8. Combine all of these skills to steal a cookie from the webvictim.pccc host.
   The cookie is named tokenStrict, and belongs to the domain external.target.pccc on port 80.
   This cookie is marked as SameSite: Strict.
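The last two tokens differ only in the cookie's SameSite attribute, so it helps to be precise about what that attribute does and does not protect. As an added example (not the challenge's own code), the following is a simplified model of the browser's cookie-attachment rules from RFC 6265bis: whether a cookie is sent depends on the request's scheme, method, whether it is a top-level navigation, and whether the initiating page is on the same site. The two cookies use the names and domain from the token list; the initiator hosts web.pccc and login.target.pccc are assumptions, and the "site" computation is reduced to the last two labels rather than the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # Domain attribute, e.g. "external.target.pccc"
    same_site: str     # "Strict", "Lax" or "None"
    secure: bool = False


@dataclass(frozen=True)
class Request:
    url_host: str
    scheme: str = "http"
    method: str = "GET"
    initiator_host: Optional[str] = None   # None = address typed by the user / bookmark
    top_level: bool = True                 # False = subresource (img, fetch, iframe)


def site_of(host: str) -> str:
    """Simplified 'site': the last two labels. Real browsers consult the Public
    Suffix List and treat the scheme as part of the site."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_matches(cookie_domain: str, host: str) -> bool:
    cookie_domain = cookie_domain.lower().lstrip(".")
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def is_same_site(req: Request) -> bool:
    # A navigation the user started has no cross-site initiator.
    if req.initiator_host is None:
        return True
    return site_of(req.initiator_host) == site_of(req.url_host)


def cookie_attached(cookie: Cookie, req: Request) -> Tuple[bool, str]:
    """Return (attached, reason) for one cookie on one request."""
    if not domain_matches(cookie.domain, req.url_host):
        return False, "cookie domain does not cover the request host"
    if cookie.secure and req.scheme != "https":
        return False, "Secure cookie is not sent over plain http"
    mode = cookie.same_site.lower()
    if mode == "none":
        if not cookie.secure:
            return False, "SameSite=None without Secure is rejected by modern browsers"
        return True, "SameSite=None: sent in every context"
    if is_same_site(req):
        return True, "same-site request"
    if mode == "strict":
        return False, "SameSite=Strict: never sent on a cross-site request"
    if mode == "lax":
        if req.top_level and req.method.upper() in SAFE_METHODS:
            return True, "SameSite=Lax: cross-site top-level navigation with a safe method"
        return False, "SameSite=Lax: cross-site subresource or unsafe method"
    return False, f"unknown SameSite value {cookie.same_site!r}"


# The two cookies from the token list: non-Secure, served on port 80.
COOKIES = (
    Cookie("tokenLax", "external.target.pccc", "Lax"),
    Cookie("tokenStrict", "external.target.pccc", "Strict"),
)

# Constructed request contexts; initiator hosts are assumptions for the example.
SCENARIOS = {
    "cross-site navigation (GET)": Request("external.target.pccc", initiator_host="web.pccc"),
    "cross-site image/fetch": Request("external.target.pccc", initiator_host="web.pccc", top_level=False),
    "cross-site form POST": Request("external.target.pccc", initiator_host="web.pccc", method="POST"),
    "same-site navigation": Request("external.target.pccc", initiator_host="login.target.pccc"),
    "address typed by the user": Request("external.target.pccc"),
}


def evaluate_scenarios():
    """Map each scenario to {cookie name: attached?} for the two cookies."""
    return {name: {c.name: cookie_attached(c, req)[0] for c in COOKIES}
            for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in evaluate_scenarios().items():
        print(f"{name:30s} {result}")
```

The table this prints shows why the Strict cookie is the harder target: a Lax cookie still rides along on any cross-site top-level GET, whereas a Strict cookie only appears on requests whose initiator is already on target.pccc. It also shows the limit of the attribute: SameSite is a cross-site request (CSRF) control, and neither cookie carries Secure, so both travel in cleartext on port 80 where any on-path observer can read them. Marking cookies Secure and serving the site only over HTTPS (with HSTS) is the mitigation for the interception the workshop is about.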

System and Tool Credentials

system/tool    username    password
kali-vnc       user        password

Question 1 (230 points)

Enter the token received from intercepting the communication between mathclient.pccc and mathserver.pccc.

Question 2 (460 points)

Enter the token received from mathserver.pccc after answering all the math questions correctly.

Question 3 (230 points)

Enter the token found in the DNS request sent by dnsvictim.pccc.

Question 4 (460 points)

Enter the token dnsvictim.pccc sends to {token3}.target.pccc.

Question 5 (460 points)

Enter the token in the header of the HTTP request from webvictim.pccc.

Question 6 (690 points)

Enter the token webvictim.pccc tries to type into the textarea of web.pccc.

Question 7 (920 points)

Enter the token found inside the tokenLax cookie.

Question 8 (1150 points)

Enter the token found inside the tokenStrict cookie.