
Practical

Overview


Room URL: https://tryhackme.com/room/ICS-modbus-aoc2025-g3m6n9b1v4
Difficulty: Medium
Category: ICS/Modbus | Scada
Date Completed: 12/20/2025

Objectives

  • How SCADA (Supervisory Control and Data Acquisition) systems monitor industrial processes
  • What PLCs (Programmable Logic Controllers) do in automation
  • How the Modbus protocol enables communication between industrial devices
  • How to identify compromised system configurations in industrial systems
  • Techniques for safely remediating compromised control systems
  • Understanding protection mechanisms and trap logic in ICS environments

Table of Contents

Introduction
Walk Through
Lessons Learned
Resources


Introduction

This challenge, part of TryHackMe's Advent of Cyber 2024 event, presents a sophisticated industrial control system (ICS) compromise scenario where attackers have weaponized the Modbus protocol to sabotage Christmas deliveries. The challenge falls squarely in the Industrial Control Systems (ICS) / SCADA Security category, simulating a real-world attack pattern similar to the FrostyGoop malware discovered in early 2024.

Understanding the Modbus Protocol

Modbus, developed in 1979, remains one of the most widely deployed industrial protocols despite having zero built-in security:

  • No authentication: Anyone who can reach port 502 can issue commands
  • No encryption: All communication occurs in plaintext
  • No authorization: No concept of permissions or access control
  • No integrity checking: Beyond basic checksums, no cryptographic validation

The protocol organizes data into four types:

  • Coils: Digital outputs (boolean on/off values)
  • Discrete Inputs: Digital inputs (read-only boolean values)
  • Holding Registers: Analog outputs (16-bit integers, writable)
  • Input Registers: Analog inputs (16-bit integers, read-only)
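The four data types above are carried inside a very small wire format: a 7-byte MBAP header (transaction id, protocol id, length, unit id) followed by a PDU whose first byte is the function code. Because nothing in that header identifies or authenticates the sender, a defender's first tool is simply being able to read the frames and tell reads from writes. The following is an added example written for this write-up (it is not code from the room or from the Pymodbus project); it uses only the Python standard library, and the three sample frames are constructed here rather than captured from the target:

```python
"""Modbus/TCP framing: build a read request and parse request/response frames.

Added example, not part of the original write-up. Standard library only,
so it runs offline. SAMPLE_* byte strings are constructed for illustration.
"""
import struct

# Public function codes from the Modbus application protocol specification.
READ_COILS = 0x01
READ_DISCRETE_INPUTS = 0x02
READ_HOLDING_REGISTERS = 0x03
READ_INPUT_REGISTERS = 0x04
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10

# Any of these changes process state; on an unauthenticated protocol they are
# the codes a monitor should alert on when they come from an unexpected source.
WRITE_CODES = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
               WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}


def build_read_request(transaction_id, unit_id, function_code, address, count):
    """Return the bytes of a read request (MBAP header + PDU).

    MBAP fields: transaction id (2), protocol id (2, always 0 for Modbus),
    length (2) and unit id (1). The length counts the unit id plus the PDU.
    """
    pdu = struct.pack(">BHH", function_code, address, count)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_frame(frame, from_server):
    """Decode one Modbus/TCP frame into a dict.

    from_server selects the layout for read PDUs: a request carries
    (address, count), a response carries (byte count, register data).
    Raises ValueError when the MBAP header does not match the payload.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")

    raw_fc = frame[7]
    body = frame[8:]
    fc = raw_fc & 0x7F                       # high bit set marks an exception response
    result = {
        "transaction_id": tid,
        "unit_id": uid,
        "function_code": fc,
        "exception": bool(raw_fc & 0x80),
        "is_write": fc in WRITE_CODES,
    }
    if result["exception"]:
        result["exception_code"] = body[0]
    elif fc in (READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS):
        if from_server:
            count = body[0]
            if count != len(body) - 1 or count % 2:
                raise ValueError("bad byte count in read response")
            result["registers"] = list(struct.unpack(">%dH" % (count // 2), body[1:]))
        else:
            result["address"], result["count"] = struct.unpack(">HH", body[:4])
    elif fc in (WRITE_SINGLE_REGISTER, WRITE_SINGLE_COIL):
        # Request and echoed response share one layout: address, value.
        result["address"], result["value"] = struct.unpack(">HH", body[:4])
    return result


# Constructed sample frames (unit id 1); not captured from the room's target.
SAMPLE_READ_RESPONSE = b"\x00\x01\x00\x00\x00\x09\x01\x03\x06\x00\x64\x00\xc8\x12\x34"
SAMPLE_WRITE_REQUEST = b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x05\xff\xff"
SAMPLE_EXCEPTION_RESPONSE = b"\x00\x03\x00\x00\x00\x03\x01\x83\x02"

if __name__ == "__main__":
    print(build_read_request(1, 1, READ_HOLDING_REGISTERS, 0, 3).hex())
    print(parse_frame(SAMPLE_READ_RESPONSE, from_server=True))
    print(parse_frame(SAMPLE_WRITE_REQUEST, from_server=False))
    print(parse_frame(SAMPLE_EXCEPTION_RESPONSE, from_server=True))
```

Every field is plaintext and the only consistency checks are the protocol id and the length field, which is exactly the "no authentication, no encryption, no integrity" situation the list above describes; a passive sensor on the OT network can run this parser over port 502 traffic and flag any frame with `is_write` set that did not originate from an engineering workstation.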

Walk Through

  1. Initial Reconnaissance
     nmap -sV -T4 -p- -vv <targetip>
     (screenshot of the scan results)
  2. Visual Confirmation
     http://<targetip>
     (screenshot of the web interface)
  3. Modbus Reconnaissance (JupyterLab notebook)
     (seven screenshots of the notebook cells)
  4. Complete Reconnaissance Script
     (screenshot)
  5. Safe Remediation
     (screenshot)
  6. Visual Confirmation
     (screenshot)

Lessons Learned

  • Unauthenticated Network Protocols: The Modbus protocol provides no authentication mechanism. Anyone who can reach port 502 can read and write values without proving their identity. This is equivalent to leaving database credentials as "admin/admin" in production—except worse, because there's no concept of credentials at all.
  • Network Segmentation Failure: Industrial control systems should operate on isolated networks with strict firewall rules. The TBFC system had its Modbus port directly accessible, violating the principle of defense-in-depth. In a properly architected environment, the PLC would only accept connections from authorized engineering workstations on a separate VLAN.
  • Lack of Change Detection: While the attacker implemented their own "protection" mechanism, the legitimate system had no intrusion detection, no baseline monitoring, and no alerting. The compromise went unnoticed until citizens started complaining about wrong deliveries.
  • Insufficient Input Validation: The system blindly accepted any value written to registers without validating if those values made logical sense. A properly designed system would reject out-of-range values or require multi-step confirmation for critical changes.
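The last two lessons, and the "Safe Remediation" step of the walkthrough, come down to the same two checks: compare what the PLC currently holds against a known-good baseline, and refuse to act on values that make no physical sense. The example below is added for this write-up and is not the room's remediation script or any TBFC code; the register map, the baseline values, the allowed ranges and the observed snapshot are all constructed (hypothetical addresses and names chosen to fit the scenario). In practice the baseline would come from an engineering backup and the snapshot from a periodic poll of the holding registers.

```python
"""Baseline change detection and restore planning for PLC holding registers.

Added example, not part of the original write-up or the room. Every value
below is constructed; register addresses and names are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisterSpec:
    address: int
    name: str
    low: int        # lowest value that makes physical/logical sense
    high: int       # highest value that makes physical/logical sense
    baseline: int   # last known-good value from the engineering backup


# Hypothetical register map for a delivery line; addresses are made up.
REGISTER_MAP = [
    RegisterSpec(0, "conveyor_speed_pct", 0, 100, 60),
    RegisterSpec(1, "sorter_lane", 1, 8, 3),
    RegisterSpec(2, "delivery_zone_id", 1, 500, 42),
    RegisterSpec(3, "oven_temp_c", 150, 250, 200),
]


@dataclass(frozen=True)
class Finding:
    address: int
    name: str
    observed: int      # -1 when the register was not returned at all
    expected: int
    reason: str        # "drift", "out_of_range" or "missing"


def check_snapshot(observed, register_map=REGISTER_MAP):
    """Compare a {address: value} poll result against the baseline.

    Out-of-range values are reported before drift, because a value the
    process can never legitimately hold is the stronger signal of tampering.
    """
    findings = []
    for spec in register_map:
        value = observed.get(spec.address)
        if value is None:
            findings.append(Finding(spec.address, spec.name, -1, spec.baseline, "missing"))
        elif not spec.low <= value <= spec.high:
            findings.append(Finding(spec.address, spec.name, value, spec.baseline, "out_of_range"))
        elif value != spec.baseline:
            findings.append(Finding(spec.address, spec.name, value, spec.baseline, "drift"))
    return findings


def plan_restore(findings, register_map=REGISTER_MAP):
    """Return the (address, value) writes that bring the PLC back to baseline.

    A write is only planned when the baseline itself passes the same range
    check, so a stale or corrupted backup cannot be pushed onto the process.
    Missing registers are skipped: nothing was read, so nothing is written.
    """
    specs = {s.address: s for s in register_map}
    writes = []
    for f in findings:
        spec = specs[f.address]
        if f.reason == "missing":
            continue
        if spec.low <= spec.baseline <= spec.high:
            writes.append((f.address, spec.baseline))
    return writes


def format_alerts(findings):
    """Render findings as one log line each, for a SIEM or a ticket."""
    return ["modbus-baseline address=%d name=%s observed=%d expected=%d reason=%s"
            % (f.address, f.name, f.observed, f.expected, f.reason) for f in findings]


# Constructed snapshot: zone id silently changed, oven setpoint impossible.
OBSERVED_SNAPSHOT = {0: 60, 1: 3, 2: 317, 3: 999}

if __name__ == "__main__":
    found = check_snapshot(OBSERVED_SNAPSHOT)
    for line in format_alerts(found):
        print(line)
    print("restore plan:", plan_restore(found))
```

Splitting detection from the write step is deliberate: `check_snapshot` can run continuously as a read-only monitor (the baseline monitoring the room's system lacked), while `plan_restore` produces a reviewable list of writes that an operator applies only after confirming the process is in a safe state.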

Resources

TryHackMe
SCADA for Beginners
ICS
Pymodbus