Make it smoke! Cisco Challenge Write-up
BSides Lisbon is the biggest security dedicated event in Portugal, with two days of talks, workshops, a CTF competition, and lots more. During BSides, some sidequests ranging from raffles to challenges appear that can give you prizes! This is a write-up of one of those challenges by Cisco/Talos.
In the booth of Cisco/Talos, we were presented with the following scenario (as it can be seen in the picture):
- An access point (AP) named
securitywith the password
- A 3d-printed pumpjack1.
- Some controlling system based on Arduino.
- The objective was to make it smoke somehow.
First thing first, connect to the network and do a quick network and port scan. Since it was an AP for everyone that wanted to do the challenge, several IP’s showed up, but only one interesting, the
10.10.10.1 with the port
As per Siemens documentation: By default, the protocol uses Port
502 as local port in the Modbus server2. Thus we are probably faced with something that speaks Modbus protocol.
With a little of search, you can find a lot of Modbus protocol clients in the wild, as well as some offensive toolkits.
Making it smoke!
Using the smod-1 by theralfbrown toolkit, I was able to connect to the Modbus system and interact with it.
Now I did know the UID of the Modbus, however even after exploring the DoS capabilities and all the reader modules I was not getting anywhere close to make it smoke.
So, after exploring a little more one Github, I found out this really nice modbus-cli by tallakt.
Even if it was not implemented with an offensive mindset like the previous tool, it allowed us to read, write and dump the memory of a Modbus device. Using it, we were able to read random parts of the memory, e.g., reading five words from the device starting from address
%MW100 (which corresponds to address
After trying to read random places of the memory using this tool and finding nothing but zero values, and decided to just dump everything into a file (the operation took around 20 seconds).
After dumping all the memory into a file, looking into the file:
The file keeps going on, with a lot of zero’s and a lot of random values. I guess that those random values were the result of all the participants trying to pwn it.
However, that seventh value caught my attention because it was a single round number. Maybe that was the speed of the rotation mechanism of the pumpjack, maybe.
Checking if the dump was correct, with the same tool we could read that specific part of the memory:
And yep, the value was still there, but a bit higher (and we could observe the pumpjack rotating more quickly).
So the next step was to try to write some higher value there:
And then, higher:
And this was it, the increase in the rotation speed of the pumpjack triggered the smoke device that was connected to the Arduino!
This was my first time playing around with Modbus, and there is still a lot that I didn’t touch nor understood. Nonetheless, it was a nice kickstart.
Props to Cisco and Talos for coming up with the challenge and for the coffee mug and the snort. And pwning IoT is the best kind of pwn.