SCADA Memories
- Category: SCADA
- 300 points
- Solved by JCTF Team
Solution
The port used is 502, which is known to be the port for the Modbus protocol.
We first install a Python library for Modbus: pip install pymodbus.
We then read the input registers over Modbus and write their values to a file:
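from pymodbus.client.sync import ModbusTcpClient  # pymodbus 2.x path (pymodbus.client in 3.x)

client = ModbusTcpClient('scada-memories.chal.intentsummit.org')
regs = []
for i in range(200):
    # Read a 10-register window at address i: keep all of it on the first pass, then only its last register.
    window = client.read_input_registers(address=i, count=10).registers
    regs += window if i == 0 else window[-1:]
client.close()

# bytes() requires every register value to be in the range 0-255.
with open('bla2', 'wb') as f:
    f.write(bytes(regs))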
Now we examine the memory dump:
$ file bla2
bla2: gzip compressed data, last modified: Fri Nov 12 13:52:45 2021, max compression, original size modulo 2^32 133
$ cat bla2 | gzip --decompress | file -
/dev/stdin: bzip2 compressed data, block size = 900k
$ cat bla2 | gzip --decompress | bzip2 --decompress | file -
/dev/stdin: bzip2 compressed data, block size = 900k
$ cat bla2 | gzip --decompress | bzip2 --decompress | bzip2 --decompress | file -
/dev/stdin: ASCII text, with no line terminators
$ cat bla2 | gzip --decompress | bzip2 --decompress | bzip2 --decompress
INTENT{whhhy_m0dbu5_1s_s0_h4rd}
We conclude that the flag is INTENT{whhhy_m0dbu5_1s_s0_h4rd}.
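The layer-by-layer inspection done by hand with file and gzip/bzip2 above can be scripted. This is an added example, not part of the original write-up: it packs register values into bytes and strips gzip/bzip2 layers by their magic bytes. The function names and the sample payload are constructed for illustration.

```python
import bz2
import gzip
import zlib

# Magic bytes of the two formats that `file` reported for this dump.
GZIP_MAGIC = b"\x1f\x8b"
BZIP2_MAGIC = b"BZh"


def registers_to_bytes(regs):
    """Pack register values into bytes, as bytes(regs) does in the write-up.

    Assumes each 16-bit register carries a single byte value (0-255).
    """
    bad = [(i, v) for i, v in enumerate(regs) if not 0 <= v <= 0xFF]
    if bad:
        raise ValueError(f"registers wider than one byte (index, value): {bad[:5]}")
    return bytes(regs)


def peel(data, max_layers=16):
    """Strip nested gzip/bzip2 layers; return (layer_names, innermost_payload)."""
    layers = []
    for _ in range(max_layers):  # bound the depth so a crafted dump cannot loop forever
        if data.startswith(GZIP_MAGIC):
            # wbits=31 selects gzip framing. Bytes after the stream, such as
            # zero padding from unused registers, end up in unused_data.
            data = zlib.decompressobj(wbits=31).decompress(data)
            layers.append("gzip")
        elif data.startswith(BZIP2_MAGIC):
            # Stops at end of stream; trailing bytes are ignored the same way.
            data = bz2.BZ2Decompressor().decompress(data)
            layers.append("bzip2")
        else:
            return layers, data
    raise ValueError("too many nested compression layers")


if __name__ == "__main__":
    # Constructed sample with the same layering as the dump, plus zero padding.
    inner = b"EXAMPLE{constructed_payload}"
    sample_regs = list(gzip.compress(bz2.compress(bz2.compress(inner)))) + [0] * 20
    print(peel(registers_to_bytes(sample_regs)))
```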