Watch Tower
Challenge
- CTF: HTB Business CTF 2023: The Great Escape
- Name: Watch Tower
- Category: Scada
- Difficulty: Very Easy
- Points: 600
- Description: Our infrastructure monitoring system detected some abnormal behavior and initiated a network capture. We need to identify information the intruders collected and altered in the network.
Files
Download: ics_watch_tower.zip
1
tower_logs.pcapng: pcapng capture file - version 1.0
Modbus Packet Capture Analysis
This challenge starts with identifying all packets that could hold a flag such as HTB{}. The Wireshark capture had modbus packets that have different function codes such as:
1 Read Coil
2 Read Discrete Input
3 Read Holding Registers
4 Read Input Registers
5 Write Single Coil
6 Write Single Holding Register
15 Write Multiple Coils
16 Write Multiple Holding Registers
When browsing the capture, Function Code: Write Multiple Registers (16) packets there are reference numbers. Clicking on the Reference Number: 99 field, in the bottom-left corner of Wireshark, we can see it is called modbus.reference_num.
Using tshark we can filter out all these reference numbers. Converting all these integers to ASCII characters could then be done with awk and the flag is displayed!
1
2
3
4
5
6
7
8
9
tshark -r tower_logs.pcapng -Y "modbus.func_code == 16" -T fields -e 'modbus.reference_num'
52
76
82
48
80
..[snip]..
tshark -r tower_logs.pcapng -Y "modbus.func_code == 16" -T fields -e 'modbus.reference_num' | awk '{split($0, a, " "); for(i=1; i<=length(a); i++) printf "%c", a[i]}'
4LR0P3Un8F-HTB{m0d8u5_724ff1c_15_un3nc2yp73d!@^}-r6ZJa0
We could also follow the TCP stream as follows and show data as HexDump:
Flag: HTB{m0d8u5_724ff1c_15_un3nc2yp73d!@^}