
Hacking the Planet - A DEFCON ICS CTF 2024 Retrospective

09/16/2024

Figure 1: Team Tesuji

In 2023 at DEFCON 31, a few friends and I decided to tackle the Industrial Control Systems (ICS) Capture the Flag (CTF) competition. To our surprise, the four of us secured 2nd place with almost no prior experience in the ICS security space. Having come so close to winning the event, we were hooked.

This year, in 2024, my team took first place, solving a whopping 37% more challenges than the next team. In this post, we will walk through the experience of winning the competition in 2024 and share tips for new competitors, and I'll even go through the solution for my favorite challenge. Enjoy!

Preparation

From 2021-2023, I ran a workshop on heap exploitation at DEFCON. Last year, this took half of a day for myself and my buddy Kevin Choi. This year, the only activity I participated in was the Red Alert ICS CTF: the more time you spend on challenges, the more challenges you can solve. We wanted to take the event more seriously by committing more time to it and preparing for it in advance. How do you even prepare for a CTF like this?

From reading articles about the event and posts on their Twitter, the Red Alert team seems to reuse challenges and challenge types from year to year. After participating last year, we consciously tried to store all our notes. We solved several challenges almost instantaneously this year because we had written down solution steps and kept scripts from the previous year. This gave us a major leg up on many reused or recycled challenges. The key takeaway is to look for patterns at the events and use this knowledge to your advantage.

Another preparation tip is researching the technologies used in ICS, such as Modbus, OPC-UA, and others. Our team had all of the clients/libraries for interacting with these protocols already downloaded and had detailed notes on how each protocol worked. When any of these ICS-specific protocols came up, we were able to solve the challenge very quickly, since we only had to focus on the challenge properties and not on how to simply interact with the challenge. Josue even attended a few ICS security conferences to get more deeply ingrained in the ecosystem.

Event Atmosphere

Figure 2: Smart City Layout

Hack the Planet!

Most of my old day job was finding application vulnerabilities like XSS and SQLi. Although you get a nice dopamine hit from finding these issues, the high goes to a different level when you affect the physical world. The event has model boats, smart cities, oil rigs, and much, much more. Figure 2 shows the smart city setup, as an example. Seeing a boat crash, a city go completely dark, or other things happen in the real world awakens the hacker in me. This is by far the coolest CTF to brag about to your non-hacker friends as well ;)

One of my favorite challenges from 2023 was an SDR challenge. The video in Figure 3 shows me moving a crane using RF. It's super hype to break things in the real world:

Figure 3: Using RF to Control a Crane

Organizer Vibe

The Red Alert team is a group of very nice people from South Korea. They want you to solve the challenges and get super hyped when you do. Since they want you to solve the challenges, it almost feels like you're on the same team, which is an awesome feeling for a CTF. There is usually a group of them videotaping you, even on attempts at first blood, which is where the videos posted in this blog came from originally. I personally really like the folks who put on the event and hope they keep up the good work!

The organizers usually bring some cultural flair to lighten up the mood as well. When Squid Game was popular in 2023, they brought Dalgona (a cookie cut-out game) and several other games to play that were worth points. Having something to take my mind off hacking for a little bit was good for me. Again, the vibe of the organizers is very laid back and fun :)

Strategy

The ICS CTF has some interesting quirks. As a result, there are unique techniques to consider when maximizing challenge solving.

Contest Area Time Limit

Figure 4: Team Tesuji Late Night Hacking

The contest area is only open from 10 am to 5 pm. Additionally, the Red Alert ICS CTF has many challenges that require physical access to devices or interaction with services running on a local network.

Knowing the limitations above, our team focused on the in-person challenges during the day. Before the day ended, we downloaded all of the challenge information for challenges that could be solved offline, such as pwn, reversing, and others. By doing this, we could solve the in-person challenges during the day and solve all others at night! After working on the challenges at night (until like 2 am), we returned the next day with 3 or 4 new flags most of the time. This drastically increased our velocity in solving the challenges.

All Challenges Are Worth the Same Amount of Points

Each challenge in a CTF is usually worth a variable number of points. The number of points a challenge is worth is typically correlated with its difficulty.

In the case of the ICS CTF, all challenges are worth 100 points. This means that an incredibly difficult challenge is worth the same as an incredibly easy challenge. From an optimization perspective, this means we should solve the easier ones first, then work our way up the difficulty scale. In most CTFs with point and difficulty scaling, it comes down to the preference/skills of the individual. In the two years I did this CTF, almost none of the pwn and reversing challenges were solved, since these are typically more difficult than the other categories. My advice is then to focus on the challenges that A) have more solves and B) are generally in easier categories.

Personally, I would like to see this part of the CTF change. The authors of these more difficult challenges worked super hard on them, but they didn't see the light of day because of the scoring system, even if they were interesting problems. For instance, there was an awesome Error Correcting Code (ECC) challenge that we spent some time on. However, we evaluated it as too difficult and shelved it for other released challenges after a few hours. From an optimization perspective, it was the proper decision. From a fun perspective, it sucked.

Ask For Help

The organizers of the event are extremely helpful. If you are working on a challenge that you can't figure out, ask for a hint. They are usually fairly good at pointing out flaws in your code or correcting some misunderstanding in your knowledge. Since the goal of the event is to have fun and learn about ICS security, I appreciate this approach compared to the "try harder" mentality. This was a major reason I decided to come back this year.

Many of the in-person challenges require weird networking setups. If you cannot ping the machine, your system is not configured correctly. Asking for help on networking will drastically speed up the process of the in-person challenges as well, especially since there are short time limits when interacting with these challenges.

For the previous two years, an unfortunate reality has been that many of the challenges either had incomplete information, such as missing files, or an incorrect prompt. As an example, one challenge this year had an encrypted file system with a flag in it, but we had to reverse engineer the bootloader to figure out how to decrypt the file system. On the first day of the event, the bootloader file was missing from the scoreboard, making the challenge impossible to solve. To avoid situations like this, I recommend asking for more information if the challenge is not working or doesn't make sense to you. For future events, I would love to see the organizers fix this; it felt like 75% of challenges were unsolvable on release, which was frustrating to our team. The team is very receptive and open to fixing challenges, but it's still frustrating to handle.

Favorite Challenge - All of the Lights

There were so many amazing challenges at the event - from crashing boats and planes to reversing ladder diagrams - it was all fun. This challenge, turning on the lights for the city, took the cake as my favorite challenge, so we will walk through this one.

Challenge Setup

Figure 5: Challenge Network Setup and Attack

My teammate Josue had worked on the same ICS challenge in separate years to no avail. This year, Andrew and I were able to solve it. At the event, there is a smart city that needs its lights turned back on. However, the Human Machine Interface (HMI) has gone rogue and turned off the lights. Any attempt to turn the lights back on results in them immediately being turned off again by the HMI. Figure 5 shows the setup of the network and my attack notes.

For the challenge itself, you are given a Wireshark capture with packets that turn the lights on. To solve the challenge, you connect to a local network with the HMI and the server that controls the lights. If you try to recreate the data in the TCP packets and send it to the server, nothing happens though.

The server for the device that controls the lights will only listen to packets coming from the HMI device. Additionally, the HMI will continue to transmit packets no matter what you do. So, how do we keep the lights on? This seems like a wonderful time to try ARP spoofing!

ARP Spoofing

The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses on a local network. The MAC address is required by the data link layer of the networking stack. When a host sends an ARP request asking which MAC holds a given IP, the device that owns that IP should respond with its MAC address.

The protocol is super simple. In fact, it is too simple: ARP has no authentication at all. If an attacker sees an ARP request for an IP, they can respond with their own MAC address instead! Since our MAC address is now paired with the victim's IP address, all frames meant for that IP will be delivered to our machine instead.

ARP spoofing can be used for Man-in-the-Middle (MitM) attacks to intercept or modify packets. Additionally, it can act as a denial of service to prevent a network request from reaching its final destination entirely.

Turning the Lights Back On

Figure 6: Controlling the Smart City

In the case of this exploit, we need to perform ARP spoofing against both devices. First, we need to spoof the HMI device in the eyes of the server that controls the lights. This is so that we can make requests to the server that controls the lights in the first place.

This is not enough though! The HMI will still continually send packets to the server to turn off the lights. So, we need to spoof the server in the eyes of the HMI! This way, the HMI will send packets to our computer instead of the server, effectively removing the turn off packets from the network.

To do the ARP spoofing, we used the classic arpspoof tool from the dsniff suite. It allows ARP spoofing against a particular IP instead of the entire network all at once, which makes this attack possible when the spoofing has to be done against both devices independently. Admittedly, I don't understand how ARP spoofing to the different devices works but I came to this conclusion after a few hours of debugging. Here's the command to do this:

# -t is the host whose ARP cache is poisoned; the last argument is the IP we impersonate
# make the lights server believe the HMI's IP lives at our MAC
./arpspoof -i en0 -t <server_ip> <hmi_ip>
# make the HMI believe the server's IP lives at our MAC (run in a second terminal)
./arpspoof -i en0 -t <hmi_ip> <server_ip>

Figure 7: The Black Badge

Now that the server will receive our requests and the HMI can no longer deliver its turn-off requests, we are free to make requests to turn the lights back on. Fortunately for us, we can just replay the data from the Wireshark capture and do not need to worry about finding the specific bytes that perform the proper actions. The lights are back on! Watch the video in Figure 6 to see the exploit in action.
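For the defender's side of the technique above, here is an added example (not code from this post or from the arpspoof tool) in Python. It decodes raw ARP packets straight from their 28-byte wire format and watches sender IP-to-MAC bindings the way arpwatch does: a known IP suddenly claimed by a second MAC raises an alert, and a MAC that claims the IPs of two different hosts is reported as a likely man-in-the-middle, which is exactly the footprint the two arpspoof invocations leave on the wire. The server, HMI and attacker addresses, and every frame, are constructed for the demo and are not from the event.

```python
"""ARP cache-poisoning detector (added example; all addresses constructed)."""
import struct
from typing import Dict, List, Optional, Set

# Ethernet/IPv4 ARP layout (RFC 826): hw type, proto type, hw len, proto len,
# opcode, sender MAC, sender IP, target MAC, target IP. Requests go out as
# Ethernet broadcast; the owner of the IP answers with a unicast reply.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes
OP_REQUEST, OP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(payload: bytes) -> dict:
    """Decode one ARP packet; rejects anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_LEN:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "smac": mac_str(smac), "sip": ip_str(sip),
            "tmac": mac_str(tmac), "tip": ip_str(tip)}


def build_arp(op: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """Encode an ARP packet; used here only to construct the sample traffic."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       bytes.fromhex(smac.replace(":", "")),
                       bytes(int(o) for o in sip.split(".")),
                       bytes.fromhex(tmac.replace(":", "")),
                       bytes(int(o) for o in tip.split(".")))


class ArpWatch:
    """Learn sender IP -> MAC bindings and alert when a known IP is claimed by
    a different MAC. Requests and replies both count as claims, because hosts
    update their cache from either (which is what arpspoof relies on). Known
    bindings are never overwritten, so a static ICS inventory can be seeded
    up front and every poisoning attempt keeps alerting."""

    def __init__(self, known: Optional[Dict[str, str]] = None) -> None:
        self.table: Dict[str, str] = dict(known or {})
        self.alerts: List[str] = []
        self.conflicts: Dict[str, Set[str]] = {}  # claimant MAC -> IPs claimed

    def observe(self, payload: bytes) -> Optional[str]:
        pkt = parse_arp(payload)
        ip, mac = pkt["sip"], pkt["smac"]
        if ip == "0.0.0.0":  # ARP probe (RFC 5227): no binding is asserted
            return None
        bound = self.table.setdefault(ip, mac)  # first sighting is learned
        if bound == mac:
            return None
        alert = (f"{ip} is bound to {bound} but {mac} claimed it "
                 f"(opcode {pkt['op']}, sent to {pkt['tip']})")
        self.alerts.append(alert)
        self.conflicts.setdefault(mac, set()).add(ip)
        return alert

    def mitm_candidates(self) -> List[str]:
        """MACs that claimed the IPs of two or more other hosts: the signature
        of poisoning both sides of a conversation, as in the challenge."""
        return sorted(m for m, ips in self.conflicts.items() if len(ips) >= 2)


# Constructed topology mirroring the post: lights server, HMI, and an attacker
# host that impersonates each of them to the other.
SERVER_IP, SERVER_MAC = "10.0.0.10", "02:00:00:00:00:10"
HMI_IP, HMI_MAC = "10.0.0.20", "02:00:00:00:00:20"
ATTACKER_MAC, ZERO_MAC = "02:00:00:00:00:99", "00:00:00:00:00:00"

SAMPLE_FRAMES = [
    # legitimate exchange: HMI asks for the server, server answers
    build_arp(OP_REQUEST, HMI_MAC, HMI_IP, ZERO_MAC, SERVER_IP),
    build_arp(OP_REPLY, SERVER_MAC, SERVER_IP, HMI_MAC, HMI_IP),
    # unsolicited replies: attacker tells the server it is the HMI, and tells
    # the HMI it is the server (the two arpspoof invocations from the post)
    build_arp(OP_REPLY, ATTACKER_MAC, HMI_IP, SERVER_MAC, SERVER_IP),
    build_arp(OP_REPLY, ATTACKER_MAC, SERVER_IP, HMI_MAC, HMI_IP),
    # ARP probe from a host checking address availability: benign, ignored
    build_arp(OP_REQUEST, ATTACKER_MAC, "0.0.0.0", ZERO_MAC, "10.0.0.30"),
]


def run_demo() -> ArpWatch:
    watch = ArpWatch()
    for frame in SAMPLE_FRAMES:
        watch.observe(frame)
    return watch


if __name__ == "__main__":
    w = run_demo()
    for a in w.alerts:
        print("ALERT:", a)
    print("MitM candidates:", w.mitm_candidates())
```

On a real segment the same `ArpWatch.observe` would be fed the ARP payload of each captured frame (for example from a pcap of the challenge network), and seeding `known` with the plant's static IP-to-MAC inventory means a poisoned binding is reported on the very first spoofed packet rather than after a flip-flop.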

Conclusion

For the past two years, we spent most of our time doing this CTF at DEFCON. The organizers are helpful, the challenges are crazy fun and the people on my team were great to work with. This was also the first time I had ever won any sort of CTF so it was a super satisfying feeling to have the hard work pay off. Next year, I'm going to enjoy some other parts of DEFCON like the villages and talks but am happy I committed to competing at this event!

By some miracle, this ended up being a black badge event as well! Winning a black badge at DEFCON was a major life goal of mine; it felt like a dream that would never be met but I'm super blessed that the event was chosen as a black badge event two years in a row. Figure 7 is a picture of me holding this year's black badge if you're curious about what it looks like. Thanks to the organizers of the ICS CTF for putting on such an amazing event for the past few years. Thanks to my friends on Team Tesuji - Kevin Choi, Josue, Fabian, Alex Trudeau (who taught me how to use ADB) and others - for hopping into this crazy ride as well.

Feel free to reach out to me (contact information is in the footer) if you have any questions or comments about this article or anything else. Cheers from Maxwell "ꓘ" Dulin.