
Watch Tower

Challenge

  • CTF: HTB Business CTF 2023: The Great Escape
  • Name: Watch Tower
  • Category: Scada
  • Difficulty: Very Easy
  • Points: 600
  • Description: Our infrastructure monitoring system detected some abnormal behavior and initiated a network capture. We need to identify information the intruders collected and altered in the network.

Files

Download: ics_watch_tower.zip

```
tower_logs.pcapng: pcapng capture file - version 1.0
```

Modbus Packet Capture Analysis

This challenge starts with identifying all packets that could hold a flag in the HTB{...} format. The Wireshark capture contains Modbus packets with a range of function codes:

  • 1: Read Coils
  • 2: Read Discrete Inputs
  • 3: Read Holding Registers
  • 4: Read Input Registers
  • 5: Write Single Coil
  • 6: Write Single Holding Register
  • 15: Write Multiple Coils
  • 16: Write Multiple Holding Registers

[Screenshot: watchtower_1]

When browsing the capture, the Function Code: Write Multiple Registers (16) packets each carry a reference number. Clicking on the Reference Number: 99 field shows, in the bottom-left corner of Wireshark, that the field's filter name is modbus.reference_num.

[Screenshot: watchtower_2]

Using tshark we can extract all of these reference numbers. Converting each integer to its ASCII character can then be done with awk, and the flag is displayed:

```
$ tshark -r tower_logs.pcapng -Y "modbus.func_code == 16"  -T fields -e 'modbus.reference_num'
52
76
82
48
80
..[snip]..
$ tshark -r tower_logs.pcapng -Y "modbus.func_code == 16"  -T fields -e 'modbus.reference_num' | awk '{split($0, a, " "); for(i=1; i<=length(a); i++) printf "%c", a[i]}'
4LR0P3Un8F-HTB{m0d8u5_724ff1c_15_un3nc2yp73d!@^}-r6ZJa0
```
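The same extraction done without tshark, as an added example that is not part of the original write-up: a small Modbus/TCP parser that reads the MBAP header, keeps only function code 16 requests, and turns their starting address (the field Wireshark labels modbus.reference_num) back into text. The frames are constructed here for illustration, not taken from the challenge capture, and the function names are my own.

```python
import struct

# Constructed Modbus/TCP frames (not from the challenge pcap). Each frame is an
# MBAP header (transaction id, protocol id, length, unit id) followed by a PDU.
# For FC 16 (Write Multiple Registers) the 2-byte starting address is what
# Wireshark displays as "Reference Number" / modbus.reference_num.

def build_write_multiple(tx_id: int, ref_num: int, values: list[int]) -> bytes:
    """Build an FC16 request whose starting address is ref_num."""
    pdu = struct.pack(">BHHB", 16, ref_num, len(values), 2 * len(values))
    pdu += b"".join(struct.pack(">H", v) for v in values)
    mbap = struct.pack(">HHHB", tx_id, 0, len(pdu) + 1, 1)  # length covers unit id + PDU
    return mbap + pdu

def build_read_holding(tx_id: int, start: int, count: int) -> bytes:
    """Build an FC3 request: ordinary polling traffic the filter must ignore."""
    pdu = struct.pack(">BHH", 3, start, count)
    mbap = struct.pack(">HHHB", tx_id, 0, len(pdu) + 1, 1)
    return mbap + pdu

def parse_frame(frame: bytes) -> dict:
    """Parse the MBAP header and, for FC16, the fixed part of the PDU."""
    tx_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    func_code = frame[7]
    info = {"tx_id": tx_id, "unit_id": unit_id, "func_code": func_code}
    if func_code == 16:
        ref_num, quantity, byte_count = struct.unpack(">HHB", frame[8:13])
        info.update(ref_num=ref_num, quantity=quantity, byte_count=byte_count)
    return info

def recover_hidden_text(frames: list[bytes]) -> str:
    """Equivalent of the tshark | awk pipeline above: concatenate the starting
    addresses of every FC16 request, read as printable ASCII codes."""
    chars = []
    for frame in frames:
        info = parse_frame(frame)
        if info["func_code"] == 16 and 32 <= info["ref_num"] < 127:
            chars.append(chr(info["ref_num"]))
    return "".join(chars)

# Constructed sample: "HTB{" carried one byte per FC16 request, interleaved
# with normal register reads, as in the capture analysed above.
SAMPLE_FRAMES = []
for i, ch in enumerate("HTB{"):
    SAMPLE_FRAMES.append(build_read_holding(2 * i, 0, 10))
    SAMPLE_FRAMES.append(build_write_multiple(2 * i + 1, ord(ch), [0x1234]))

if __name__ == "__main__":
    print(recover_hidden_text(SAMPLE_FRAMES))  # → HTB{
```

Because the register addresses and values travel in cleartext, the same parser applied to a mirror-port capture will show an operator exactly which registers a writer touched and when.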

We could also follow the TCP stream and show the data as a hex dump, where the same characters appear:

[Screenshot: watchtower_3]

[Screenshot: watchtower_4]

Flag: HTB{m0d8u5_724ff1c_15_un3nc2yp73d!@^}

This post is licensed under CC BY 4.0 by the author.