A Tour of the S4x17 ICS CTF

The S4x18 CTF will follow the lineage of the past contests in pitting players against a combination of real-world ICS 0days, foreverdays, and a few contrived problems that have their roots in bugs that we find and read about in ICS software. The contest has a good mix of easy, moderate, and very difficult problems. Problems focus roughly on reconnaissance and background information gathering challenges, exploiting systems, and performing forensic analysis on attacks by looking at binaries and pcaps.

Our expectation with the CTF is that players will form teams. While a few individual players did very well in the 2017 CTF, our challenges require a fairly wide range of technical skills – it pays to build a team with disparate backgrounds if you want to win a coveted Black Badge / permanent entry to the S4 Conference.

The 2017 contest featured a complete ICS network, including all of the main components seen on a real-world automation system. The contest network had PLCs, data-collecting OPC servers, data historians, HMI systems, and even a corporate email server and corporate workstations. ‘In the field,’ we featured a large motor with a variable frequency drive, relay-operated power systems, HVAC controller, and other typical field devices like serial converters. The picture below shows the Jeopardy style scoreboard from S4x17.


The idea behind the CTF continues to be modeling a typical (albeit insecure) process control network.

Challenges include some fairly easy ‘look up this info’ type questions, as well as some problems that are a lot more involved. Let’s look at one of the easier challenges from the S4x17 CTF.

The contest network had a few Allen-Bradley PLCs for players to interact with. An old and ‘known by the community’ issue with MicroLogix PLCs running older firmware versions is that there is a backdoor passcode. When used to log into the MicroLogix with Allen-Bradley’s software, this backdoor passcode lets anyone on the network wipe the program and configuration memory of the controller. This turns the PLC into a nonfunctional controller until an engineer reprograms it. In this case, there are many forum posts containing the passcode, and even a video showing how to do it. For example: https://www.youtube.com/watch?v=faJotzjFehI (see the video description for the passcode).

Many teams solved this challenge, since it just required a little Google-fu.

An example of a much more involved flag also comes from last year’s CTF:

In this challenge, players took a look at a commercial serial converter. This particular converter was on the control system Level 2 network, and could be used to operate electrical outlets in the contest (the ‘how to operate the outlets’ part was actually a second challenge, which only one team solved).

In this challenge, players were tasked to find the administrator password for the converter. As an aside, this administrative password could be used to modify the converter settings, potentially blinding operators to the state of their process. Modifying the configuration can also prevent operators from controlling their process. So, the 0day here is kind of a big deal, operationally. Using it would allow you to pull off a Ukraine-style outage, where attackers first opened circuit breakers, and then denied operators the ability to restore power.

Players were allowed to physically inspect the entire control systems network. In this case, the device was clearly labeled on the CTF workbench with its IP address. It was a Moxa MGate MB3170. This particular serial converter had an 0day at the time of the CTF, namely that its administrative password could be retrieved without authenticating to the device.

Just one team successfully solved the challenge. They did so by downloading Moxa’s administrative software, and reverse engineering the Moxa proprietary communication protocol. One of the Moxa function codes in their UDP/4800 protocol allows an unauthenticated user to retrieve a part of the device configuration, including the plaintext password.

As part of our contest, we provide full network captures to our sponsors. It was interesting to sift through some of the unusual traffic around the Breakfast Serial challenge: players were nmap-scanning the converter, and were running tools to try to read all of the Modbus registers behind it (note: these Modbus commands were passed through the serial converter to a serial Modbus device, and were probably prompted by the other challenge).
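The same captures are exactly what a defender would use to spot this kind of activity on a production network. The script below is an added example (not from the original post or from Moxa) that runs simple detection logic over constructed flow records: it flags any host other than the known engineering workstation sending UDP/4800 to the converter (the unauthenticated configuration-read path described above), lists hosts issuing Modbus/TCP requests through the gateway, and picks out port-scanning behaviour like the nmap runs seen in the CTF pcaps. The IP addresses, the whitespace-separated record format, and the allowlist are all assumptions for the example.

```python
"""Detect unexpected management traffic to a Moxa serial converter in flow records.

Added example, not code from the original post or from Moxa. Assumptions:
flow records are constructed lines of "ts src_ip dst_ip proto dst_port", the
converter's IP and the one allowed engineering workstation are known, and
Modbus/TCP runs on its standard port 502.
"""
from collections import defaultdict

MOXA_IP = "10.0.2.50"                 # constructed: the serial converter's address
MOXA_MGMT_PORT = 4800                 # the proprietary Moxa UDP service named in the post
ALLOWED_MGMT_HOSTS = {"10.0.2.10"}    # constructed: engineering workstation allowlist
MODBUS_TCP_PORT = 502
SCAN_PORT_THRESHOLD = 20              # distinct (proto, port) pairs from one source => scanner

# Constructed sample records: one legitimate management session, two
# unauthenticated UDP/4800 reads from a stray host, one Modbus/TCP client,
# and a 30-port sweep of the converter by a fourth host.
SAMPLE_FLOWS = """\
1484000001 10.0.2.10 10.0.2.50 udp 4800
1484000002 10.0.2.77 10.0.2.50 udp 4800
1484000003 10.0.2.77 10.0.2.50 udp 4800
1484000004 10.0.2.88 10.0.2.50 tcp 502
""" + "\n".join(f"14840001{i:02d} 10.0.2.99 10.0.2.50 tcp {port}"
                for i, port in enumerate(range(1, 31)))


def parse_flow(line):
    """Split one constructed flow record into a dict with typed fields."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "proto": proto.lower(), "dport": int(dport)}


def analyze(flow_text):
    """Return management-port alerts, Modbus clients and scanners seen against the converter."""
    mgmt_alerts = []                     # (ts, src) for UDP/4800 from non-allowlisted hosts
    ports_by_src = defaultdict(set)      # src -> set of (proto, dport) touched on the converter
    modbus_clients = set()

    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dst"] != MOXA_IP:
            continue                     # only traffic aimed at the converter matters here
        ports_by_src[flow["src"]].add((flow["proto"], flow["dport"]))

        # The configuration read that leaks the password needs no credentials, so the
        # only network-level control is "who is allowed to speak UDP/4800 to this box".
        if (flow["proto"] == "udp" and flow["dport"] == MOXA_MGMT_PORT
                and flow["src"] not in ALLOWED_MGMT_HOSTS):
            mgmt_alerts.append((flow["ts"], flow["src"]))

        if flow["proto"] == "tcp" and flow["dport"] == MODBUS_TCP_PORT:
            modbus_clients.add(flow["src"])

    scanners = sorted(src for src, ports in ports_by_src.items()
                      if len(ports) >= SCAN_PORT_THRESHOLD)
    return {"unauthorized_mgmt": mgmt_alerts,
            "modbus_clients": sorted(modbus_clients),
            "scanners": scanners}


if __name__ == "__main__":
    report = analyze(SAMPLE_FLOWS)
    for ts, src in report["unauthorized_mgmt"]:
        print(f"[ALERT] {ts}: {src} sent UDP/{MOXA_MGMT_PORT} to {MOXA_IP} (not on allowlist)")
    print("Modbus/TCP clients:", report["modbus_clients"])
    print("Probable scanners:", report["scanners"])
```

The useful part of the output is the allowlist violation, not the Modbus or scan findings: because the configuration read is unauthenticated, a firewall rule or switch ACL restricting UDP/4800 on the converter to the engineering workstation is the mitigation, and this check tells you whether that rule is actually holding.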

Sometimes, looking through post-CTF pcaps can make us groan a little in sympathy.


A player most definitely read out the password, but apparently wasn’t aware that they had done so.

In this example, the player read out the password using a private tool, but hadn’t realized it at first. Don’t worry — they did eventually solve the flag. Several other players had discovered Moxa’s official tool and started analyzing how the protocol worked, but had not succeeded in solving the challenge. That’s okay – the individual who solved the challenge went on to release a Metasploit module for it. Now everyone can solve this problem easily.

In our next CTF article, we’ll look at another one of the very popular challenges: the Very Secure Cabinet. This challenge required players to pick the lock on a control cabinet, and open the door without triggering the tamper alarm, in order to get the flag. We will release the full build details on the cabinet, including source code, so you can build your own. While we won’t re-use this exact cabinet in the S4x18 CTF, we will most definitely have some breaking and entering challenges…