Shush Protocol

Task: Analyze network traffic with Modbus/TCP packets. Solution: Filter for custom function code 102, extract hex data from Modbus Data field, decode to ASCII to get the flag.

Shush Protocol — HackTheBox

Description

Analysis of network traffic containing standard Modbus/TCP packets and unusual transactions with a custom function code.

Analysis

In the provided traffic.pcapng file, Modbus/TCP traffic is observed. Standard Modbus functions (e.g., 1 — Read Coils, 3 — Read Holding Registers) account for the legitimate activity; however, packets with function code 102 (0x66) stand out among them.

Using tshark or Wireshark filters allows quick isolation of these packets:

tshark -r traffic.pcapng -Y "mbtcp.func_code == 102"

A closer look at the packets with code 102 shows that each carries a payload in the Modbus Data field. In particular, frame 35 contains a long hexadecimal string.
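To make the filter-and-decode step concrete without the original capture, here is an added Python example (not part of the writeup) that parses Modbus/TCP frames, isolates function code 102 and decodes its Data field as ASCII. The frames, the unit id and the payload text are constructed for illustration; the real traffic.pcapng is not reproduced here.

```python
import struct

# Constructed Modbus/TCP frames (MBAP header + PDU) standing in for packets from
# traffic.pcapng; none of these bytes come from the challenge capture.
# MBAP: transaction id (2), protocol id (2), length (2), unit id (1); PDU: function code (1), data.
CUSTOM_FUNC_CODE = 102  # 0x66, the non-standard code the writeup isolates


def build_frame(trans_id: int, unit_id: int, func_code: int, data: bytes) -> bytes:
    """Assemble one frame; the MBAP length counts unit id + function code + data."""
    return struct.pack(">HHHB", trans_id, 0, len(data) + 2, unit_id) + bytes([func_code]) + data


SAMPLE_FRAMES = [
    build_frame(1, 1, 3, b"\x00\x00\x00\x0a"),        # Read Holding Registers request
    build_frame(1, 1, 3, b"\x14" + b"\x00\x01" * 10),  # its response (byte count + 10 registers)
    build_frame(2, 1, 1, b"\x00\x00\x00\x08"),        # Read Coils request
    build_frame(3, 1, CUSTOM_FUNC_CODE, b"HTB{constructed_example}"),  # custom code with ASCII payload
]


def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a frame into MBAP fields, function code and data, rejecting malformed input."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return {"trans_id": trans_id, "unit_id": unit_id, "func_code": frame[7], "data": frame[8:]}


def extract_custom_payload(frames, func_code: int = CUSTOM_FUNC_CODE) -> str:
    """Join the Data fields of all frames using func_code and decode them as ASCII."""
    parsed = [parse_modbus_tcp(f) for f in frames]
    return b"".join(p["data"] for p in parsed if p["func_code"] == func_code).decode("ascii")


def decode_hex_field(hex_str: str) -> str:
    """Decode a Data field copied from Wireshark as hex ("48:54:42" or "485442") to ASCII."""
    return bytes.fromhex(hex_str.replace(":", "").replace(" ", "")).decode("ascii")


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        p = parse_modbus_tcp(f)
        print(f"func_code={p['func_code']:3d} data={p['data'].hex()}")
    print(extract_custom_payload(SAMPLE_FRAMES))
```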

Solution

...
