Write-up Attacking ICS Plant 2

Andrea Dainese
December 24, 2020

This post explores my second TryHackMe room: Attacking ICS Plant #2. Because the VM can be unresponsive, I also provide the OVA for offline labs.

The room lets you attack a simulated refinery plant and gain basic knowledge of ICS protocol weaknesses.

Task 1

The Attacking ICS Plant #1 room (get the offline version) is a prerequisite: complete it and download example scripts from there.

The first task requires understanding how the plant works. Run the discovery.py script and watch how the registers change.

We can observe:

  • when the feed pump is filling the oil storage unit, register 1 = 1 (PLC_FEED_PUMP);
  • when the oil storage unit is full, register 2 = 1 (PLC_TANK_LEVEL);
  • when oil flows through the outlet valve, register 3 = 1 (PLC_OUTLET_VALVE);
  • when the water flows out, register 8 = 1 (PLC_WASTE_VALVE) and register 6 increases (PLC_OIL_SPILL);
  • when the oil flows out, register 4 = 1 (PLC_SEP_VALVE) and register 7 increases (PLC_OIL_PROCESSED).

Task 2

The solution requires running the feed pump while keeping the outlet valve closed:

  • register 1 = 1 (PLC_FEED_PUMP)
  • register 3 = 0 (PLC_OUTLET_VALVE)

Modify one of the attack scripts and run it. After 60 seconds, retrieve flag1 from http://MACHINE_IP/flag1.txt.

Note: reset the plant by pressing the ESC key before starting the attack.

Task 3

The solution requires running the feed pump and opening the outlet valve and the separator vessel valve while keeping the wastewater valve closed:

  • register 1 = 1 (PLC_FEED_PUMP)
  • register 3 = 1 (PLC_OUTLET_VALVE)
  • register 4 = 1 (PLC_SEP_VALVE)
  • register 8 = 0 (PLC_WASTE_VALVE)

Modify one of the attack scripts and run it. Once register 7 exceeds 1000 while register 6 stays below 2, retrieve flag2 from http://MACHINE_IP/flag2.txt.
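From the defender's side, the register map from Task 1 is enough to spot both unsafe states that Tasks 2 and 3 produce. The following monitor is an added example, not code from the room or from this write-up: it evaluates polled register snapshots and raises an alarm on pump-on-with-outlet-closed (overflow) and on oil being processed with the wastewater valve held closed. The snapshots are constructed; in the lab they would come from the same register reads discovery.py performs (that poller is not included here).

```python
# Added example, not part of the original write-up: a defender-side monitor
# that applies the register map from the post to polled register snapshots
# and alarms on the two unsafe pump/valve combinations the room exercises.
# Snapshots here are constructed; the lab poller itself is not included.

REG = {  # register numbers as listed in the write-up
    "PLC_FEED_PUMP": 1,
    "PLC_TANK_LEVEL": 2,
    "PLC_OUTLET_VALVE": 3,
    "PLC_SEP_VALVE": 4,
    "PLC_OIL_SPILL": 6,
    "PLC_OIL_PROCESSED": 7,
    "PLC_WASTE_VALVE": 8,
}

def check_snapshot(regs, prev=None):
    """Return alarm strings for one snapshot ({register number: value}).
    prev is the previous snapshot, needed to see a counter moving."""
    def v(name, snap=regs):
        return snap.get(REG[name], 0)

    alarms = []
    # Task 2 pattern: pump feeding the tank while the outlet valve is closed.
    # Once the tank reports full this is an overflow, not just a warning.
    if v("PLC_FEED_PUMP") == 1 and v("PLC_OUTLET_VALVE") == 0:
        sev = "OVERFLOW" if v("PLC_TANK_LEVEL") == 1 else "WARNING"
        alarms.append(f"{sev}: feed pump on with outlet valve closed")
    # Task 3 pattern: oil-processed counter (register 7) rising while the
    # wastewater valve is held closed, so separated water never drains.
    rising = prev is not None and v("PLC_OIL_PROCESSED") > v("PLC_OIL_PROCESSED", prev)
    if v("PLC_SEP_VALVE") == 1 and v("PLC_WASTE_VALVE") == 0 and rising:
        alarms.append("WARNING: oil processed with wastewater valve closed")
    return alarms

def monitor(snapshots):
    """Run check_snapshot over a polled sequence; return [(index, alarm), ...]."""
    findings, prev = [], None
    for i, snap in enumerate(snapshots):
        findings += [(i, a) for a in check_snapshot(snap, prev)]
        prev = snap
    return findings

# Constructed sample: one benign poll, then the Task 2 state, then Task 3.
SAMPLE = [
    {1: 1, 2: 0, 3: 1, 4: 0, 6: 0, 7: 0, 8: 0},
    {1: 1, 2: 1, 3: 0, 4: 0, 6: 0, 7: 0, 8: 0},
    {1: 1, 2: 1, 3: 1, 4: 1, 6: 0, 7: 10, 8: 0},
]
# monitor(SAMPLE) flags snapshots 1 (overflow) and 2 (waste valve closed)
```

Counter thresholds (for example the 60-second hold in Task 2) are better expressed as consecutive polls in the same state than as a single snapshot, which the `prev` argument makes straightforward to extend.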