CTFtime.org

Industrial Process

by 0xmzfr / OpenToAll

Rating:

Industrial process

Description

In company XXX, we have a big expertise in laser cutting and we are well informed about cybersecurity. We have setup a small honeypot to simulate the cut of some pieces. In our fake process, we have manufactured 25 pieces of 1 meter by 1 meter. We have found this really weird file thanks to a super effective detection tool. There was also a weird string :

893c539a84e6c96acf5f2ceea2ad9ef7be895580

This flag follow the following format : INSA([A-Z]*). Please submit it as INSA{$1}, for example if you find INSAAZERTY, submit INSA{AZERTY}. Weird File

SOLUTION

At first I thought that it was a hash and we have to crack the hash. I didn't even looked at the given file.

After a while I realized that we are given a file(:facepalm:).

When I googled the strings/hash I came across this tool called Cloakify. Okay so that mean we have to use that tool somehow to proceed.

Reading the README file I realized what was supposed to be done. Basically the given file will turn out to be something else when we will decloakify it.

➜ python2 decloakify.py tempList.txt ciphers/worldFootballTeams > pcap

This will give us a PCAP file. When we open the file it give us some error about missing bytes, I thought WE'll have to fix that issue but then @unblvr explained what might happened.

According to him

There's no missing data per se, it's just that the file stops suddenly
it could just be due to the creation process
I bet they didn't sniff some modbus connection, but crafted this with scapy or something

Okay that mean we didn't have to fix the PCAP then what do we do.

Well if we read the description the tool was laser cutter and if you look at those protocols Modbus/TCP there are Register values present.

alt text

So we need to extract those response values and analyze them.

➜ tshark -r pcap -Y modbus -T fields -E header=y -e frame.len -e modbus.regval_uint16

This will give us all those responses and since they are in tuple of 3 the best we could do is plot them on graph and see if it result in something.

First we put those values in a file. Now you can just plot this using python. Once plotted this will give you the flag.

Also all the part after the we found pcap was done by @unblvr

Original writeup (https://github.com/mzfr/ctf-writeups/tree/master/INShAck-2019/Industrial-process).

Comments