Dressrosa Reactor

hackthebox

English summary: Given an OPC-UA PLC server and a web-based SCADA HMI dashboard for a nuclear reactor. Goal is to exploit the OPC-UA interface to trigger a reactor meltdown and retrieve the flag.

ics scada plc industrial_control opcua opc_ua nuclear_reactor socket_io

ics_manipulationpersistent_writesopcua_exploitationsafety_system_bypasscontrol_rod_withdrawalcoolant_pump_disable

$ ls tags/ techniques/

ics scada plc industrial_control opcua opc_ua nuclear_reactor socket_io

ics_manipulationpersistent_writesopcua_exploitationsafety_system_bypasscontrol_rod_withdrawalcoolant_pump_disable

$ cat /etc/rate-limit

Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.

Dressrosa Reactor — HackTheBox

Description

The Dressrosa Reactor hums with stability, quietly generating power under tight control. But beneath its calm surface lies an exploitable weakness. Breach the OPC-UA PLC interface, seize control of the system, and trigger a meltdown. Two ports: 154.57.164.64:32557 (OPC-UA PLC) and 154.57.164.64:31111 (Web HMI SCADA dashboard).

English summary: Given an OPC-UA PLC server and a web-based SCADA HMI dashboard for a nuclear reactor. Goal is to exploit the OPC-UA interface to trigger a reactor meltdown and retrieve the flag.

Analysis

Architecture

Port 31111: Web HMI (Nuclear Reactor SCADA dashboard with Socket.IO real-time updates)
Port 32557: OPC-UA PLC server requiring Basic256Sha256 SignAndEncrypt security mode

Web HMI (Port 31111)

The web interface displayed a full nuclear reactor control system with:

Reactor core metrics (temperature, pressure, power, control rods, fuel rods)
Cooling system (primary/secondary coolant, pumps)
Power generation (turbine, generator)
Safety systems (ECCS, SCRAM, radiation monitoring)
A flag HTML element populated via Socket.IO reactor_update events when meltdown conditions are met

OPC-UA Server (Port 32557)

Connected using opcua Python library with self-signed certificate:

from opcua import Client
c = Client('opc.tcp://154.57.164.64:32557')
c.set_security_string("Basic256Sha256,SignAndEncrypt,cert.pem,key.pem")
c.connect()

The server required SecurityMode 3 (SignAndEncrypt) with Basic256Sha256 policy. Generated a self-signed cert with openssl.

Browsed the OPC-UA node tree and found the full reactor data model under namespace 2. Checked AccessLevel attribute on all nodes to identify 5 writable nodes:

Node ID	Parameter	Default Value	Writable
ns=2;i=11	controlRods.insertedPercentage	50.0	Yes
ns=2;i=26	coolantPumps.primaryPump	True	Yes
ns=2;i=27	coolantPumps.secondaryPump	True/False	Yes
ns=2;i=38	emergencyCoreCooling.status	True	Yes
ns=2;i=41	scramSystem.armed	True	Yes

Solution

...