$ cat writeup.md…
hackthebox
Task: Analyze network traffic with Modbus/TCP packets. Solution: Filter for custom function code 102, extract hex data from Modbus Data field, decode to ASCII to get the flag.
Analysis of network traffic containing standard Modbus/TCP packets and unusual transactions with a custom function code.
The provided traffic.pcapng file contains Modbus/TCP traffic. Standard Modbus functions (e.g., 1 (Read Coils), 3 (Read Holding Registers)) are used for legitimate activity; however, packets with function code 102 (0x66) stand out among them.
Using tshark or Wireshark filters allows quick isolation of these packets:
tshark -r traffic.pcapng -Y "modbus.func_code == 102"
Upon detailed examination of packets with code 102, it was noticed that they contain data in the Modbus Data field. In particular, frame 35 contains a long hexadecimal string.
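The same triage without Wireshark, as an added example that is not part of the original writeup: it parses the MBAP header of each Modbus/TCP ADU, flags function codes in the spec's user-defined ranges (65-72 and 100-110, which generalizes the filter for 102), and shows the data field as hex and ASCII. The function names and the sample bytes are constructed for illustration, and the input is assumed to be an already reassembled TCP payload rather than the pcapng file itself.

```python
import struct

# Function codes the Modbus Application Protocol spec reserves for user-defined use.
USER_DEFINED = set(range(65, 73)) | set(range(100, 111))


def build_adu(trans_id, unit_id, func, data):
    """Build one Modbus/TCP ADU (MBAP header + PDU); only used for the sample."""
    # MBAP length field counts the unit id, the function code and the data.
    return struct.pack(">HHHBB", trans_id, 0, len(data) + 2, unit_id, func) + data


def parse_adus(stream):
    """Split a reassembled TCP payload into (trans_id, unit_id, func, data)."""
    adus, off = [], 0
    while off + 8 <= len(stream):
        trans_id, proto_id, length, unit_id = struct.unpack_from(">HHHB", stream, off)
        end = off + 6 + length
        if proto_id != 0 or length < 2 or end > len(stream):
            break  # not Modbus/TCP, or a truncated final ADU
        adus.append((trans_id, unit_id, stream[off + 7], stream[off + 8:end]))
        off = end
    return adus


def printable(data):
    """Render bytes as ASCII, replacing non-printable bytes with '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def flag_custom(adus):
    """Return (trans_id, func, hex, ascii) for user-defined function codes."""
    # Mask the exception bit (0x80) so error responses to a custom code match too.
    return [(t, f, d.hex(), printable(d))
            for t, _, f, d in adus if (f & 0x7F) in USER_DEFINED]


# Constructed sample: two standard requests around one custom-code transaction.
SAMPLE = (build_adu(1, 1, 3, bytes.fromhex("00000002"))
          + build_adu(2, 1, 102, b"constructed-sample")
          + build_adu(3, 1, 1, bytes.fromhex("0000000a")))

if __name__ == "__main__":
    for trans_id, func, hexdata, text in flag_custom(parse_adus(SAMPLE)):
        print(f"trans={trans_id} func={func} data={hexdata} ascii={text}")
```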
...