
ICS_CTF Exploit

> The content on ICS CTF competitions comes from the author's own experience playing them. If something is wrong, please forgive me.

Exploitation covers the various ways of taking advantage of a vulnerability, and there are many ways to exploit any given one. In the industrial control field, the most common methods in practice are configuration exploitation, communication hijacking, and Web penetration.

Configuration exploitation

Configuration is the core of the industrial control scene: it is how control programs and their functions are implemented. If you do not understand configuration, study books on industrial control system configuration in the automation field. The best way to learn is to obtain the relevant product manual and work through its contents.

Configuration exploitation techniques:

  1. Forcing IO (the most useful debugging method)
  2. Project encryption and decryption (project encryption is a protection measure for the PLC, but it may still be cracked)
  3. Upload and download (read up on the basic concepts first)
  4. The memory layout of target devices such as PLCs (read up on the basic concepts first)
  5. Other additional features (such as FTP, NTP, etc.)

Communication hijacking

Communication hijacking is the most classic exploitation technique in industrial control scenarios, covering ARP hijacking, PLC/HMI communication hijacking, PLC session hijacking, and PLC command execution. Communication hijacking methods:

  1. ARP hijacking: ARP hijacking can block communication between the PLC and other devices. Since projects usually hard-code the IP addresses used for interaction, it may not work, but it is worth a try.
  2. PLC/HMI communication hijacking: using bypass equipment to access or control PLC equipment, forcibly rewriting or outputting IO.
  3. PLC command execution: the most sensitive parts of industrial control equipment are device shutdown (unrecoverable), device start and stop, forced parameter updates, and so on. These can have a major impact on the overall process.

Web penetration

Target enterprises often run Web-based industrial control applications, such as process publishing pages and user database pages, which are basically the same as ordinary Web challenges.

  1. Weak passwords (common in industrial control; industrial equipment often keeps the manufacturer's default password)
  2. Command injection (commonly used; requires auditing the Web project's source code)
  3. Directory traversal (easy to test by hand, difficult to exploit; needs to be combined with upload or other functions)
  4. Preset backdoors (harder to find; requires combining reverse engineering and Web penetration)
  5. SQL injection (simple)
  6. XSS is basically useless here (basically never encountered)
  7. Leaked project files (project files such as .git/.idea/.project exposed on the server)