master
Raw Download raw file

Token 2: Math Server Token

Token: [NOT YET CAPTURED]

Objective

The mathserver.pccc sends this token when all math questions passed between mathclient and mathserver are answered correctly.

Hosts

  • mathclient.pccc: 10.0.91.132
  • mathserver.pccc: 10.0.91.130
  • Port: 9000

Protocol Analysis

Message Format

<sha256_hash>,<unix_timestamp_ms>,<A> <op> <B> is <Z>

Example:

5a69c024434a1e42a450e0a39c218b94663ae8c21d6633f23f59b868c9ad27ec,1769191792514,3965 + 5689 is 798

Protocol Flow (observed)

  1. Client sends: Eavesdrop Token: PCCC{...}
  2. Server sends: Question (with intentionally wrong math)
  3. Client evaluates math, sends INCORRECT, closes connection

Key Observations

  • Server ALWAYS sends wrong math in questions
  • Client responds INCORRECT and disconnects
  • Hash protects message integrity (can’t modify equation without breaking hash)
  • Hash algorithm unknown (not simple SHA256 of message)
  • Protocol is bidirectional - client also sends questions to server with valid hashes

Approaches Tried

1. Answer INCORRECT (correct evaluation)

  • Result: Server echoes INCORRECT and closes

2. Answer CORRECT (lie about wrong math)

  • Result: Server rejects

3. Reflect server’s question back

  • Result: Server rejects (probably checks for duplicates)

4. Fix equations, keep hash

  • Result: Client accepts for a few rounds, but eventually fails
  • Hash mismatch detected somewhere

5. Spoof correct math to client (keep server’s hash)

  • Theory: If client doesn’t verify hash, it will respond with its own valid question
  • Status: Untested

Current Best Approach

The server continues when it receives valid questions (with proper hashes). The only source of valid hashes is the client. Strategy:

  1. Intercept server→client: Fix math, keep original hash
  2. Forward client→server unchanged: Client’s questions have valid hashes
  3. Hope: Client doesn’t verify incoming hashes
python3 math_spoof.py

Or echo approach - send previous question instead of INCORRECT:

python3 math_echo.py

Setup Commands

# Terminal 1 & 2: ARP spoof
arpspoof -i eth1 -t 10.0.91.132 10.0.91.130 &
arpspoof -i eth1 -t 10.0.91.130 10.0.91.132 &

# Terminal 3: iptables redirect
iptables -t nat -A PREROUTING -i eth1 -s 10.0.91.132 -d 10.0.91.130 -p tcp --dport 9000 -j REDIRECT --to-port 9000

# Terminal 4: proxy
python3 math_echo.py