Challenge Information

  • Challenge Name: Bussing Around
  • Category: Forensics
  • Points: 10
  • Difficulty: /
  • Challenge Description:
    • One of the engineers noticed that an HMI was going haywire.
    • He took a packet capture of some of the traffic but he can’t make any sense of it… it just looks like gibberish!
    • For some reason, some of the traffic seems to be coming from someone’s computer. Can you help us figure out what’s going on?
  • File(s) Provided:
    • Filename: bussing_around.pcapng
  • URL(s):
  • Hint(s):

Approach & Solution

Approach

The only communication in the capture is between two hosts: 172.20.10.6 and 172.20.10.2. The .6 host initiates the communication with .2.

The only two Modbus functions used in the capture are the following:

  • 5: Write Single Coil: Sets a single coil to ON (ff00) or OFF (0000) to control a binary output like a relay.
  • 6: Write Single Register: Writes a 16-bit value to a single holding register to set a numerical parameter like a setpoint.

The .2 host only responds by echoing the same information back, so its traffic adds nothing to the analysis. The following Wireshark filter keeps only the interesting communication: modbus && ip.src == 172.20.10.6

To summarise the information, a Python script extracted the following fields:

  • the function code
  • the register targeted
  • the value

The information was exported into a .csv file for better analysis and visualisation.

Using Excel filters, we observe that the same registers are targeted:

  • Register 0
  • Register 4
  • Register 10

Registers 4 and 10 hold numbers that do not seem to have any meaning for us; register 0, however, only contains 0s and 1s.

Treating the 0s and 1s as binary values led us to reconstruct a password-protected .zip file.

The metadata of the file contained the password.

Finally, reconstructing the .zip file and using the given password led us to a file called flag.txt, containing the flag of the challenge.
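
The extraction and bit-reassembly steps described above, as an added example that is not the script used for this write-up. It assumes the Modbus/TCP payloads of the requests from .6 have already been pulled out of the capture, that each write to register 0 carries one bit, and that bits are packed most-significant-bit first; the helper names and the sample traffic are constructed for illustration.

```python
import struct

def parse_request(adu: bytes):
    """Parse one Modbus/TCP request; return (function, address, value) or None."""
    if len(adu) < 12:
        return None
    # MBAP header: transaction id, protocol id (0 = Modbus), length, unit id
    _tid, proto, length, _unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:
        return None  # not Modbus, or truncated/padded frame
    func, addr, value = struct.unpack(">BHH", adu[7:12])
    return (func, addr, value) if func in (5, 6) else None

def to_bit(func: int, value: int):
    """Map a written value to a bit: coils use ff00/0000, registers use 1/0."""
    if func == 5:
        return {0xFF00: 1, 0x0000: 0}.get(value)
    return value if value in (0, 1) else None

def rebuild(adus, target=0) -> bytes:
    """Collect the bits written to `target` and pack them MSB-first (assumption)."""
    bits = []
    for adu in adus:
        rec = parse_request(adu)
        if rec is None or rec[1] != target:
            continue  # skip other addresses such as 4 and 10
        bit = to_bit(rec[0], rec[2])
        if bit is not None:
            bits.append(bit)
    usable = len(bits) - len(bits) % 8  # drop an incomplete trailing byte
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, usable, 8))

def make_request(tid: int, func: int, addr: int, value: int) -> bytes:
    """Build a constructed Write Single Coil/Register request (unit id 1)."""
    return struct.pack(">HHHBBHH", tid, 0, 6, 1, func, addr, value)

def build_sample(payload: bytes):
    """Constructed traffic: payload bits to register 0, noise to register 4."""
    adus = []
    for byte in payload:
        for shift in range(7, -1, -1):
            adus.append(make_request(len(adus), 6, 0, (byte >> shift) & 1))
            adus.append(make_request(len(adus), 6, 4, 1337))
    return adus

SAMPLE = build_sample(b"PK\x03\x04")  # constructed: the ZIP local-file magic

if __name__ == "__main__":
    print(rebuild(SAMPLE))
```

If the rebuilt bytes do not start with the ZIP signature PK\x03\x04, the bit-order assumption is the first thing to revisit.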

Key Learnings & Takeaways

  • What worked and what didn’t?
  • Insights gained:
  • New learnings:
    • Modbus usage and functions

References


Template last updated on: 2025-10-22