M0dBu5

Adarsh Kumar
1 min read · Mar 20, 2024


Description

We intercepted a communication from a Modbus master to a slave on the RS485 bus, as given below. Your goal is to craft the response packet that the slave would send, carrying 73 (decimal) as the slave's data.

The master's request is 05-02-00-00-00-01-85-BD.

Flag format: flag{XX-XX-XX-XX-XX-XX} or flag{XX-XX-XX-XX-XX-XX-XX}

Solution

According to the Modbus RTU documentation, the request breaks down as follows:

  • 05: Slave address (unit ID)
  • 02: Function code. In the Modbus specification 0x02 is Read Discrete Inputs; Read Holding Registers is 0x03. The challenge nevertheless expects the reply to be laid out as a register read (see the response below), so that is the layout used here.
  • 00 00: Starting address, an offset counted from 0
  • 00 01: Quantity to read: one item, starting at that offset
  • 85 BD: CRC-16 (Modbus variant) over the preceding six bytes, sent low byte first

The slave's response uses the same framing (address, function code, payload, CRC):

  • Response: 05-02-02-00-49-89-8E
  • 05: Slave address, echoed from the request
  • 02: Function code, echoed from the request
  • 02: Byte count of the data that follows; one 16-bit register is 2 bytes
  • 00 49: The data, 73 in decimal as a big-endian 16-bit value (0x0049)
  • 89 8E: CRC-16 over the five preceding bytes, low byte first (CRC value 0x8E89)

To calculate the CRC, you can use an online Modbus CRC-16 calculator or the script below (the CRC-16/MODBUS algorithm: initial value 0xFFFF, reflected polynomial 0xA001, no final XOR; the result goes on the wire low byte first):

def ModRTU_CRC(buf):
    # CRC-16/MODBUS: start at 0xFFFF, shift right, xor with 0xA001 on a set low bit
    crc = 0xFFFF
    for byte in buf:
        crc ^= byte
        for _ in range(8):
            if crc & 0x0001:
                crc >>= 1
                crc ^= 0xA001
            else:
                crc >>= 1
    return crc


if __name__ == "__main__":
    user_input = input("Enter the buffer in the format xx-xx-xx-...: ")
    buf = [int(byte, 16) for byte in user_input.split('-')]
    crc = ModRTU_CRC(buf)
    # Modbus RTU transmits the low CRC byte first, then the high byte
    print("crc: {:02X} {:02X}".format(crc & 0xFF, (crc >> 8) & 0xFF))
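The script above only produces the two CRC bytes; the rest of the frame is assembled by hand. The following is an added example, written for this page rather than taken from the original post, that does the whole exchange in code: it decodes a read request, verifies the CRC before trusting any field (what a real slave must do, since a frame with a bad CRC is silently discarded on RTU), builds the response in the register-read layout the challenge expects, and shows how a slave would reject an unreadable address with an exception response. The frame bytes are the challenge's own request and the expected response; the function names are this example's, not a library's. Running the check over the request exactly as printed in the challenge reports a mismatch: the CRC over 05 02 00 00 00 01 computes to B8 4E, not 85 BD, so the request as given is not a well-formed RTU frame, while the expected response does verify.

```python
# Added example (not the original post's script): parse a Modbus RTU read
# request, verify its CRC, and build the slave's reply for a register value.
# Frames below are constructed from the challenge text.

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x0001:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def append_crc(pdu: bytes) -> bytes:
    """Append the CRC in wire order: low byte first, then high byte."""
    crc = crc16_modbus(pdu)
    return pdu + bytes([crc & 0xFF, (crc >> 8) & 0xFF])


def crc_ok(frame: bytes) -> bool:
    """True if the trailing two bytes are the correct CRC of the bytes before them."""
    if len(frame) < 3:
        return False
    return append_crc(frame[:-2]) == frame


def parse_read_request(frame: bytes) -> dict:
    """Decode a read request (function codes 1-4). Raises ValueError on a bad frame."""
    if len(frame) != 8:
        raise ValueError("read request must be 8 bytes")
    if not crc_ok(frame):
        raise ValueError("CRC mismatch")
    addr, fc = frame[0], frame[1]
    if fc not in (1, 2, 3, 4):
        raise ValueError(f"not a read function code: {fc:#04x}")
    return {
        "addr": addr,
        "fc": fc,
        "start": int.from_bytes(frame[2:4], "big"),
        "quantity": int.from_bytes(frame[4:6], "big"),
    }


def build_register_response(addr: int, fc: int, values: list) -> bytes:
    """Register-read layout: addr, fc, byte count, 16-bit big-endian values, CRC."""
    data = b"".join(int(v).to_bytes(2, "big") for v in values)
    return append_crc(bytes([addr, fc, len(data)]) + data)


def build_exception_response(addr: int, fc: int, exception_code: int) -> bytes:
    """Exception reply: function code with bit 7 set, then the exception code, then CRC.
    0x02 is ILLEGAL DATA ADDRESS in the Modbus specification."""
    return append_crc(bytes([addr, fc | 0x80, exception_code]))


def hexdash(frame: bytes) -> str:
    """Format a frame the way the challenge writes it: XX-XX-XX."""
    return "-".join(f"{b:02X}" for b in frame)


if __name__ == "__main__":
    request = bytes.fromhex("05 02 00 00 00 01 85 BD")  # challenge's request, as printed
    try:
        print("request:", parse_read_request(request))
    except ValueError as err:
        expected = append_crc(request[:-2])[-2:]
        print(f"request rejected ({err}); CRC over {hexdash(request[:-2])} "
              f"is {hexdash(expected)}")
    # The reply the challenge accepts: one register holding 73
    print("response:", hexdash(build_register_response(5, 2, [73])))
    # What the slave would send if the address were not readable
    print("exception:", hexdash(build_exception_response(5, 2, 0x02)))
```

Run it and the second line prints the flag frame, 05-02-02-00-49-89-8E. Note that `crc_ok` is checked before any field is decoded; decoding first and checking later is how a fuzzed length or count byte ends up driving buffer handling in a slave implementation.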

Flag

flag{05-02-02-00-49-89-8E}


Adarsh Kumar

I'm Adarsh. Cyber-security student, CTF player. Team TheWiz (@thewizx01)