Friday, May 5, 2017

BACnet - Bro - Spicy Part 4

So, in BACnet - Bro - Spicy Part 3, I went through building Docker images and starting two containers: one running BACnet, Bro and Spicy, the other running PHP and Apache. The two containers share a volume on the host VM and use the host VM's network stack rather than a container network of their own.

This last post describes the HMI and its PHP script, which takes the output of the Bro log and uses it to decide which animated GIF to display. The one with the CTF flag is shown to visitors whose IP address appears in the log, which means they successfully crafted and sent a packet with the correct BACnet write-property command.

The Plan:

  1. Set up some virtual machines in my VMware environment to experiment. 
    1. Install the BACnet-stack on two: server and client. (see BACnet - Bro - Spicy Part 1)
    2. Install Docker and the rsmmr-hilti docker image on the bacnet server machine. (see BACnet - Bro - Spicy Part 2)
  2. Write a Bro script that uses the events created by the BACnet parser to log the source IP address from packets with the correct BACnet command. (see BACnet - Bro - Spicy Part 2)
  3. Install the php-apache docker image on the bacnet server machine and run it with the same shared volume as the rsmmr-hilti container where the log file is saved. (see BACnet - Bro - Spicy Part 3)
  4. Write a PHP webpage/script that shows the flag only to the IPs in the log file and a different page to all other IPs.


4) Write a PHP webpage/script that shows the flag only to the IPs in the log file and a different page to all other IPs


  1. The index.php script is very basic: it displays normal.gif unless the visiting IP address is in the Bro log file in the Docker container's shared volume. If the visiting IP is on the list, alert.gif is displayed instead, with the flag written as text over the top of the image. The check keys on the HTTP client's REMOTE_ADDR; because both containers run on the host's network stack (Part 3), that is the visitor's real address with no Docker NAT in between. Note that BACnet/IP is carried over UDP, so an entry in the log only proves that a packet with that source address arrived, not who sent it; for a CTF that is good enough.

<?php
// The Bro script from Part 2 writes the source IPs of correct packets into
// the shared volume; index.php expects one IP per line in that file.
$IPAddrsFile = "/tmp/bacnetCTF.log";
// file() returns false (with a warning) if the log does not exist yet, so
// fall back to an empty list rather than passing false to in_array().
$IPAddrs = file($IPAddrsFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
if ($IPAddrs === false) {
    $IPAddrs = array();
}
$normal = "images/normal.gif";
$alert = "images/alert.gif";

// Host networking means REMOTE_ADDR is the real client address.
$visitor = (string)$_SERVER['REMOTE_ADDR'];
$solved = in_array($visitor, $IPAddrs, true);
$background = $solved ? $alert : $normal;
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>BACnet Monitoring</title>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <style>
            h2 {
                position: fixed;
                left: 450px;
                top: 350px;
                color: orange;
            }
            body {
                background-color: #FFFFFF;
                background-repeat: no-repeat;
                background-size: 900px;
                background-image: url("<?php echo $background; ?>");
            }
        </style>
    </head>
    <body>
<?php if ($solved) { ?>
        <h2>flag{PatYourselfOnTheBacNet}.</h2>
<?php } ?>
    </body>
</html>
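As an added example (not code from the original post), here is the same decision factored into two functions that can be exercised from the command line: one that pulls a column out of a Bro ASCII log, so the HMI keeps working whether the Part 2 script writes bare IPs or a standard Bro log with `#fields` headers, and one that maps a visitor address to an image and a flag decision. The column name `src` and the sample log are constructed for the demonstration; the Part 2 Bro script is not reproduced on this page, so its real field name may differ.

```php
<?php
// Added example, not from the original post. Parses a Bro ASCII log (tab
// separated, "#fields"/"#types" header lines) and returns the distinct IPs
// found in one column. The field name "src" is an assumption.

/**
 * Return the distinct, well-formed IP addresses found in $field of a Bro
 * ASCII log. If the file has no "#fields" header, every non-comment line is
 * treated as a bare IP, which is the one-IP-per-line layout index.php expects.
 */
function bro_log_column($path, $field) {
    $values = array();
    if (!is_readable($path)) {
        return $values;                      // log not written yet: nobody has solved it
    }
    $col = null;
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        if ($line[0] === '#') {
            if (strncmp($line, "#fields\t", 8) === 0) {
                $names = explode("\t", substr($line, 8));
                $idx = array_search($field, $names, true);
                $col = ($idx === false) ? null : $idx;
            }
            continue;                        // #separator, #types, #close, ...
        }
        if ($col === null) {
            $value = $line;                  // bare list: the whole line is the IP
        } else {
            $cells = explode("\t", $line);
            if (!isset($cells[$col])) {
                continue;                    // short row, ignore
            }
            $value = $cells[$col];
        }
        // Only accept real addresses so a stray header or garbage line can
        // never be promoted to a "solved" entry.
        if (filter_var($value, FILTER_VALIDATE_IP) !== false) {
            $values[$value] = true;          // keyed array collapses repeats
        }
    }
    return array_keys($values);
}

/** Decide which image the HMI shows and whether the flag is revealed. */
function hmi_view($visitor, array $solved) {
    $hit = in_array($visitor, $solved, true);
    return array(
        'image'     => $hit ? 'images/alert.gif' : 'images/normal.gif',
        'show_flag' => $hit,
    );
}

// Constructed sample log in Bro's ASCII writer format (not a real capture).
$sample = implode("\n", array(
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tbacnetCTF",
    "#fields\tts\tsrc",
    "#types\ttime\taddr",
    "1493996400.123456\t192.168.56.101",
    "1493996405.654321\t192.168.56.102",
    "1493996409.000001\t192.168.56.101",   // same team, second correct packet
    "#close\t2017-05-05-12-00-09",
)) . "\n";
$tmp = tempnam(sys_get_temp_dir(), 'bacnetCTF');
file_put_contents($tmp, $sample);

$solved = bro_log_column($tmp, 'src');
var_dump($solved);
var_dump(hmi_view('192.168.56.101', $solved));
var_dump(hmi_view('192.168.56.200', $solved));
unlink($tmp);
```

Run it with `php example.php`. Validating each value with FILTER_VALIDATE_IP means a header line or a malformed row can never make a visitor "solved", and keying the result array on the address collapses the repeated packets a team will inevitably send while debugging into a single entry.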

The normal.gif looks like this:


The alert.gif looks like this and the php script would write the flag text over the black area in the bottom right corner:

