Factory

Technical Walkthrough

Writeup

Challenge

• Name: Factory
• Category: ICS
• Difficulty: Easy
• Mode: hybrid

Summary

Factory provides a PLC ladder-logic printout and a diagram for a remote Modbus bridge. The target system starts in automatic mode with the inlet valve open and the outlet valve closed. The artifact documents the PLC slave address and key control coils. By switching the PLC into manual mode, stopping the inlet, and forcing the outlet valve, the system reaches the desired safe state and the remote status endpoint returns the flag.

Artifact Inventory

Reference analysis/artifact-inventory.json and summarize the relevant files or remote surface.

• files/a12c7392-447e-40ef-9afd-3572c30cd698.zip: original HTB archive.
• analysis/extracted/PLC_Ladder_Logic.pdf: one-page ladder logic for water_storage_facility.
• analysis/extracted/interface_setup.png: remote Modbus bridge diagram with PLC slave address and coil map.
• analysis/menu-probes.txt: remote menu/status probing.
• analysis/modbus-read-probes.txt: accepted read-only Modbus frame tests.
• analysis/solve-transcript.txt: sanitized transcript from the successful run.
• solve/solve.py: reproducible solver.

Analysis

1. interface_setup.png identifies PLC-1 as Modbus slave address 82 decimal, or 0x52.
2. The same diagram lists the relevant coils:

- manual_mode_control at decimal 9947

- cutoff_in at decimal 26

- force_start_out at decimal 52

- cutoff at decimal 5

- force_start_in at decimal 1336

1. The ladder-logic PDF shows automatic/manual mode selection. When manual_mode_control is set, auto_mode drops and manual_mode becomes active.
2. In manual mode, cutoff_in drives stop_in, which stops the inlet branch.
3. In manual mode, force_start_out can drive the outlet valve branch as long as stop_out is not asserted.
4. The remote menu exposes status and Modbus command forwarding. Initial status showed automatic mode active, inlet open, outlet closed, and an empty flag placeholder.
5. Read-only frames such as 52 01 00 0c 00 01 were accepted without CRC, confirming the bridge expects a hex-encoded Modbus RTU ADU without the CRC bytes.
6. The solve sequence writes the minimum controls with function 0x05 single-coil writes:

- clear cutoff

- clear force_start_in

- set manual_mode_control

- set cutoff_in

- set force_start_out

1. Final status showed manual mode active, inlet closed, outlet open, and a returned HTB-format flag.

Solve

Run:

python3 ICS/Factory/solve/solve.py --host <TARGET> --port 31344

The solver connects to the menu service, sends documented Modbus single-coil writes without CRC, requests final system status, and prints the returned flag for harness capture.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• In ICS challenges, diagrams and ladder-logic labels are often the primary exploit documentation.
• Confirm the transport framing with read-only commands before writing coils.
• For PLC logic puzzles, target the control conditions that the ladder already exposes instead of trying to directly overwrite output coils that may be recalculated every scan.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Factory
• Category: ICS
• Difficulty: Easy
• Mode: hybrid
• Remote instance: none
• Start time: 2026-06-10T10:46:11Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Artifact extraction produced PLC_Ladder_Logic.pdf and interface_setup.png.
• The interface setup shows PLC-1 at Modbus slave address 82 decimal (0x52) and lists coil addresses for in_valve, out_valve, start, manual_mode_control, cutoff, cutoff_in, force_start_out, and force_start_in.
• The ladder logic shows manual mode can be selected via manual_mode_control; in manual mode cutoff_in drives stop_in, and force_start_out can drive out_valve.
• The remote instance at <TARGET>:31344 is a menu interface with Get status of system and Send modbus command.
• Initial live status shows auto_mode=1, manual_mode=0, in_valve=1, out_valve=0, and an empty placeholder flag.
• Read-only Modbus frames in the form slave function address count without CRC are accepted by the remote bridge and did not alter the system state.
• Current intended branch: use function 0x05 single-coil writes against documented coils to set manual mode, stop inlet flow, and force the outlet valve.
• solve/solve.py executed the controlled coil sequence and final status showed manual mode active, inlet closed, outlet open, and an HTB-format flag returned.
• The harness captured the raw flag into loot/flag.txt; non-loot transcripts are sanitized.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: ICS
• Challenge: Factory
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Extract the challenge archive and inspect the PLC ladder-logic PDF plus remote-interface diagram.
2. Identify the PLC Modbus slave address from the setup diagram.
3. Extract the documented coil map for manual-mode selection, inlet stop, and outlet force controls.
4. Read the ladder logic to determine the intended safe-state controls instead of guessing raw output writes.
5. Probe the remote menu and status endpoint to establish baseline state.
6. Send read-only Modbus frames to validate that the bridge accepts hex-encoded Modbus RTU ADU bytes without CRC.
7. Use function 0x05 single-coil writes to enter manual mode, stop the inlet branch, and force the outlet branch.
8. Request final status and capture the returned flag through the harness.

Reusable Lessons

• For Modbus bridge challenges, test read-only frames first to learn whether CRC bytes are expected.
• Ladder logic can reveal safer intermediate control coils that survive PLC scan recalculation better than direct output-coil writes.
• Manual-mode interlocks are often the intended way to override broken sensor logic in an ICS puzzle.
• Keep raw status responses with flags out of analysis/; redact them and store the raw flag only under loot/.

Dead Ends

• RAG/private memory had no matching Factory solve pattern, so the solve relied on current artifact and live-service evidence.
• Direct source of the flag was not in the PDF/image; it required reaching the correct PLC state through the remote service.

Tool Quirks

• The remote service is a menu wrapper around a Modbus command forwarder, not a raw Modbus TCP endpoint.
• The command prompt accepts no-CRC hex frames such as slave function address value.
• The status JSON contains a flag string with braces; parsers should slice from the first { to the last } rather than using a non-greedy brace regex.

Evidence Paths

• analysis/extracted/PLC_Ladder_Logic.pdf
• analysis/extracted/interface_setup.png
• analysis/rendered/plc_ladder-1.png
• analysis/menu-probes.txt
• analysis/modbus-read-probes.txt
• analysis/solve-transcript.txt
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches

Memory Summary

approval_required: true

Sanitized Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: ICS
• Challenge: Factory
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Extract the challenge archive and inspect the PLC ladder-logic PDF plus remote-interface diagram.
2. Identify the PLC Modbus slave address from the setup diagram.
3. Extract the documented coil map for manual-mode selection, inlet stop, and outlet force controls.
4. Read the ladder logic to determine the intended safe-state controls instead of guessing raw output writes.
5. Probe the remote menu and status endpoint to establish baseline state.
6. Send read-only Modbus frames to validate that the bridge accepts hex-encoded Modbus RTU ADU bytes without CRC.
7. Use function 0x05 single-coil writes to enter manual mode, stop the inlet branch, and force the outlet branch.
8. Request final status and capture the returned flag through the harness.

Reusable Lessons

• For Modbus bridge challenges, test read-only frames first to learn whether CRC bytes are expected.
• Ladder logic can reveal safer intermediate control coils that survive PLC scan recalculation better than direct output-coil writes.
• Manual-mode interlocks are often the intended way to override broken sensor logic in an ICS puzzle.
• Keep raw status responses with flags out of analysis/; redact them and store the raw flag only under loot/.

Dead Ends

• RAG/private memory had no matching Factory solve pattern, so the solve relied on current artifact and live-service evidence.
• Direct source of the flag was not in the PDF/image; it required reaching the correct PLC state through the remote service.

Tool Quirks

• The remote service is a menu wrapper around a Modbus command forwarder, not a raw Modbus TCP endpoint.
• The command prompt accepts no-CRC hex frames such as slave function address value.
• The status JSON contains a flag string with braces; parsers should slice from the first { to the last } rather than using a non-greedy brace regex.

Evidence Paths

• analysis/extracted/PLC_Ladder_Logic.pdf
• analysis/extracted/interface_setup.png
• analysis/rendered/plc_ladder-1.png
• analysis/menu-probes.txt
• analysis/modbus-read-probes.txt
• analysis/solve-transcript.txt
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Notes

Notes

Scope

• Challenge: Factory
• Category: ICS
• Difficulty: Easy
• Mode: hybrid
• Remote instance: none
• Start time: 2026-06-10T10:46:11Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Artifact extraction produced PLC_Ladder_Logic.pdf and interface_setup.png.
• The interface setup shows PLC-1 at Modbus slave address 82 decimal (0x52) and lists coil addresses for in_valve, out_valve, start, manual_mode_control, cutoff, cutoff_in, force_start_out, and force_start_in.
• The ladder logic shows manual mode can be selected via manual_mode_control; in manual mode cutoff_in drives stop_in, and force_start_out can drive out_valve.
• The remote instance at <TARGET>:31344 is a menu interface with Get status of system and Send modbus command.
• Initial live status shows auto_mode=1, manual_mode=0, in_valve=1, out_valve=0, and an empty placeholder flag.
• Read-only Modbus frames in the form slave function address count without CRC are accepted by the remote bridge and did not alter the system state.
• Current intended branch: use function 0x05 single-coil writes against documented coils to set manual mode, stop inlet flow, and force the outlet valve.
• solve/solve.py executed the controlled coil sequence and final status showed manual mode active, inlet closed, outlet open, and an HTB-format flag returned.
• The harness captured the raw flag into loot/flag.txt; non-loot transcripts are sanitized.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.