Knock Knock
Challenge
- CTF: HTB Business CTF 2024: The Vault of Hope
- Name: Knock Knock
- Category: ICS
- Difficulty: Medium
- Points: 1000
- Description: During their mission inside Vault 79, the crew inadvertently trips an unmarked sensor not shown on the schematics and blueprints, triggering the Vault’s automated defense system. The main and secondary doors slam shut, and the walls begin slowly closing in, threatening to crush the crew inside. With time running out, the crew quickly gathers around the maintenance console, where they have already collected significant information about the custom protocol used on top of Modbus to interact with the PLC controlling the doors. The hackers spring into action, aiming to hijack the session of the operator program that was activated. Can you make it out alive before time runs out?
Writeup
So the basic flow was:
- Read the PCAP to find out what the custom function code was (102)
- Analyze the 102 traffic to figure out what some of the custom protocol function codes were (there is some terminology overlap here; I'm talking about the function codes inside a 102 packet).
- Proceed to spend about 3 hours banging your head against the wall implementing a custom TCP framer and getting all the traffic to be properly generated. If I knew the Python library better, I might have been able to do this better?
- Proceed to experiment and figure out what custom protocol function codes are valid (brute force and look at error codes)
- Experimentally determine what each code does
- Not really figure out which one enables the writes to coils, but find that a certain combination works like magic
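The two pieces the flow above leans on are a Modbus TCP framer (splitting a byte stream into ADUs, since one TCP segment can carry several or a partial one) and a way to tell accepted sub-function codes from rejected ones by looking at exception responses. The block below is an added example and not the author's solver or any library's code: it builds and parses Modbus TCP frames with the standard MBAP header, labels user-defined function code 102 traffic, and, from the defender's side, flags the burst of exception responses that enumerating sub-function codes leaves behind. It assumes the standard exception convention (function code with the high bit set, one exception-code byte) and assumes the first data byte under FC 102 is the sub-function code; the sample traffic is constructed here, not taken from the challenge PCAP.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Public function codes defined by the Modbus application protocol specification.
STANDARD_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}
CUSTOM_FC = 102   # the user-defined function code seen in the challenge PCAP
MBAP_LEN = 7      # transaction id (2) + protocol id (2) + length (2) + unit id (1)


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

    @property
    def is_exception(self) -> bool:
        # Standard convention: exception responses set the high bit of the function code.
        return bool(self.function_code & 0x80)


def build_frame(transaction_id: int, unit_id: int, function_code: int, data: bytes = b"") -> bytes:
    """Encode one Modbus TCP ADU: MBAP header followed by the PDU (function code + data)."""
    pdu = bytes([function_code]) + data
    # The MBAP length field counts the unit id byte plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_stream(buf: bytes) -> Tuple[List[ModbusFrame], bytes]:
    """Frame a TCP byte stream into ADUs. Returns the complete frames plus the unconsumed
    tail (a partial ADU waiting for more bytes) so the caller can keep feeding segments."""
    frames: List[ModbusFrame] = []
    off = 0
    while off + MBAP_LEN <= len(buf):
        tid, pid, length, uid = struct.unpack_from(">HHHB", buf, off)
        if pid != 0 or length < 2:
            raise ValueError(f"not a Modbus TCP header at offset {off}")
        end = off + 6 + length
        if end > len(buf):
            break  # incomplete ADU; leave it in the tail
        pdu = buf[off + MBAP_LEN:end]
        frames.append(ModbusFrame(tid, uid, pdu[0], pdu[1:]))
        off = end
    return frames, buf[off:]


def describe(frame: ModbusFrame) -> str:
    """Human-readable label for a frame. Treating data[0] as the FC 102 sub-function is an assumption."""
    fc = frame.function_code
    if frame.is_exception:
        exc = frame.data[0] if frame.data else None
        return f"exception for FC {fc & 0x7F} (code {exc})"
    if fc == CUSTOM_FC:
        sub = frame.data[0] if frame.data else None
        return f"custom FC {CUSTOM_FC} sub-function {sub}"
    if fc in STANDARD_FUNCTION_CODES:
        return f"standard FC {fc}"
    return f"unknown FC {fc}"


def probing_alert(frames: List[ModbusFrame], threshold: int = 3) -> bool:
    """Detection side of the writeup's method: several exception responses to the custom
    function code in one capture means something is walking its sub-function codes."""
    rejected = sum(1 for f in frames if f.is_exception and (f.function_code & 0x7F) == CUSTOM_FC)
    return rejected >= threshold


# Constructed sample traffic (not from the challenge PCAP): a client tries sub-function
# codes 1..4 under FC 102; the PLC rejects the first three with exception code 1 and
# answers the fourth, then the client issues an ordinary Read Holding Registers (FC 3).
SAMPLE_STREAM = b"".join([
    build_frame(1, 1, CUSTOM_FC, bytes([1])),
    build_frame(1, 1, CUSTOM_FC | 0x80, bytes([1])),
    build_frame(2, 1, CUSTOM_FC, bytes([2])),
    build_frame(2, 1, CUSTOM_FC | 0x80, bytes([1])),
    build_frame(3, 1, CUSTOM_FC, bytes([3])),
    build_frame(3, 1, CUSTOM_FC | 0x80, bytes([1])),
    build_frame(4, 1, CUSTOM_FC, bytes([4])),
    build_frame(4, 1, CUSTOM_FC, bytes([4, 0x00])),
    build_frame(5, 1, 3, bytes([0, 0, 0, 1])),
])

if __name__ == "__main__":
    frames, tail = parse_stream(SAMPLE_STREAM)
    for f in frames:
        print(f.transaction_id, describe(f))
    print("probing alert:", probing_alert(frames), "| leftover bytes:", len(tail))
```

The framer keeps any trailing partial ADU instead of discarding it, which is the detail that tends to cost time when a capture or live socket delivers frames split across segments.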