Cybati - Blackbox Challenge #1 - Step 7

This post is blog post 7 of 15 of the Cybati Blackbox #1 challenge.

Step 7:

Instruction: Execute Logic Attacks. Execute the Move and Fill logic attack. To stop the attack, execute the script again and click the Cancel button.

1. Click on “Click to Launch” to go back to the file directory window
   
   
2. Double click on “7. Execute Logic Attacks (WIZARD)”
   
   
3. The instructions in Step 7 ask to perform the “Move and Fill” attack. Click “Ok”.
   
   
4. It doesn’t appear to do anything. We need to set up the environment first.
5. Double click on “4. Initialize VirtuaPlant (WIZARD)“ and follow the rest of the steps as “Step 4” earlier in this document to get a working VirtuaPlant
   
   
6. While VirtuaPlant started, you may have noticed popup boxes saying which part of the simulation started on a particular server. If you missed those boxes, that’s ok. In the window for the process status controls, you can see which server this is running on.
   
   
7. It appears that this process is running on the “n12” server
8. If we look at the “World View” for the simulated bottling process, we see that this is running on “n5”
   
   
9. Let’s go back to the “CORE” screen and get further information on these hosts. Click on “CORE”.
   
   
10. Here we can see the two hosts we identified above
    
    
11. Right click on “n12”, select “Shell window” and then select “bash”
    
    
12. You should now have a regular Terminal window and we can run “ifconfig” to get the IP address of the virtual machine
    
    
13. Alternatively, you could have received the same IP information if you hovered over “tcpdump”, “tshark” or “WireShark”
    
    
14. Right click on “n5” and hover the mouse of “tcpdump” to get the IP information of this host
    
    
15. As you hover over objects in the overall “CORE” window, the IP information of the virtual system is displayed
16. For Mission 7, the question is asking who attacked when the action in Step 6 was performed. At this point, you should have the Bottle Filling simulation still running in the background. We have identified previously that “n12” is the virtual host who has the controls to the simulated bottling process.
17. Go back to the “Click to Launch” window and double click on “6. Host Tap Assignment (WIZARD)”
    
    
18. Click “Ok” to the informational popup box
19. Leave “Industrial” selected and click “Ok”
20. WireShark will open up and click “Ok” to the informational popup box
21. Wait for WireShark to fully initialize and for packets to scroll through the middle window
22. Go back to the “Click to Launch” window and double click on “7. Execute Logic Attacks (WIZARD)”
    
    
23. An attack wizard opens up giving us various options to alter the pre-configured/engineer approved process. “Move and Fill” is selected and asked to be performed in “Step 7”. Click “Ok”
    
    
24. If we go back to the simulated bottling process, we can see bad things are happening