Menu
Article ics

TryHackMe: Attacking ICS Plant #2

Tony J

Tony J

• 3 min read
TryHackMe: Attacking ICS Plant #2

TryHackMe: Attacking ICS Plant #2 by dainok

The room Attacking ICS Plant #1 is a prerequisite. You should complete it and download scripts from there. The same scripts can be used to complete this room.

Before attacking the plant, identify the following registries:

  • open/close the feed pump (PLC_FEED_PUMP);
  • tank level sensor (PLC_TANK_LEVEL);
  • open/close the outlet valve (PLC_OUTLET_VALVE);
  • open/close the separator vessel valve (PLC_SEP_VALVE);
    *wasted oil counter (PLC_OIL_SPILL);
  • processed oil counter (PLC_OIL_PROCESSED);
  • open/close waste water valve (PLC_WASTE_VALVE).

VirtuaPlant can be downloaded from GitHub.

Task 2 Flag #1

Let the oil overflow the tank for at least 60 seconds. Then connect and get the flag1: http://10.10.246.71/flag1.txt.

Mind that the simulation should be reset before starting by pressing the ESC button. If the flag cannot be obtained, try to reset the room and start the attack again.

Read flag1.txt

Just browse to the URL listed above

Answer [REDACTED]

Task 3 Flag #2

Let the oil flow through the waste water valve only. Wait until the counter reaches 2000. Then connect and get the flag2: http://10.10.246.71/flag2.txt.

Mind that the simulation should be reset before starting by pressing the ESC button. If the flag cannot be obtained, try to reset the room and start the attack again.

Read flag2.txt

Ok so browsing the root of the webserver we get a remote desktop of the plat...

We need to Let the oil flow through the waste water valve only, so that means we probably need to shut off the Separator Vessel Valve and open the Outlet Valve.

First thing we need to do is head over to https://tryhackme.com/room/attackingics1 and grab the task files. If not already installed you will need pymodbus

pip3 install pymodbus

Once installed we can use discover.py to start to see the registers

╰─⠠⠵ python3 discovery.py 10.10.246.71
 a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p
[0, 1, 1, 0, 0, 1, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0]
[0, 1, 1, 0, 0, 1, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0]
[0, 1, 1, 0, 0, 1, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0]

As we watch the registers change and the plant react we can start to fill out table to show what each register controls.

Register Description
a 0 = Stop Feed Pump
b 0 = Stop Plant
c 0 = Stop Outlet Valve
d
e
f 1 = Close Seperator Vessel Valve
g value = count of drops through water Valve
h
i
j
k
l
m
n
o
p

Using what we have observed we can gues that the register [REDACTED] is the measure of drops past the Water Valve, we can change this registers value and claim our flag.

python3 set_registry.py 10.10.246.71 [REDACTED] 2001

Answer: [REDACTED]

Share
Show Comments

Topics

ctf: 55 TyrHackMe: 37 tryhackme: 32 hacking: 32 boot2root: 19 enumertaion: 17 python: 9 security: 8 lfi: 6 Getting Started: 5 windows: 5 AdventOfCyber2: 5 ubuntu: 5 BufferOverflow: 3 php: 2 exploit: 2 Linux: 2 IDOR: 2 reverse engineering: 2 OWASP: 2 >blog: 2 sudo: 2 AdventOfCyber: 2 adventofcyber2023: 2 oxidized: 2 nginx: 2 ssl: 1 kubernetes: 1 aoc: 1 AdventOfCyber3: 1 usb: 1 dns: 1 letsencrypt: 1 javascript: 1 bypass: 1 authentication: 1 firefox: 1 containers: 1 retropi: 1 ai: 1 chatbot: 1 password cracking: 1 hydra: 1 crunch: 1 cewl: 1 wfuzz: 1 nessus: 1 pwndoc-ng: 1 dodge: 1 n64: 1 raspberry: 1 microsoft: 1 rat: 1 social engineering: 1 microsoft teams: 1 docker: 1 ssti: 1 teams: 1 sqlmap: 1 raspbery pi os: 1 workspace: 1 citrix: 1 raspberry pi: 1 git: 1 pi: 1 ics: 1 ot: 1 modbus: 1 stream: 1 serialisation: 1 serialization: 1 volatility: 1 forensics: 1 SQLi: 1 serial: 1