DEF CON 28 Tridium 95 CTF Biohacking Village write-up

Posted on August 12, 2020 (updated September 6, 2020)

At DEF CON 28 our founder entered the Biohacking Village CTF, testing devices. In a CTF, contestants test real programs, or in this case medical devices, into which the organisers have planted what is usually a piece of text, called a flag, that we have to find and then report. The team with the most points wins a big prize.

The Biohacking Village uses real medical devices that we then get to examine and find the problems in. In the scenario I am discussing, we were given a log from a Tridium 95, in which we had to find the problem and the flag, then submit it. Think of it as an extremely complex puzzle, and a ton of fun.

For the more technically advanced: we were given a pcap from the Tridium 95, which uses the BACnet protocol. Specifically, the traffic was BACnet-APDU, where APDU stands for Application Layer Protocol Data Unit.
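To make the layering concrete, here is an added Python example (not code from the CTF or the original post) that splits a BACnet/IP UDP payload into its BVLC, NPDU and APDU parts and names the unconfirmed service, the same fields Wireshark shows under "BACnet-APDU". The two frames are constructed for illustration, not taken from the CTF pcap.

```python
import struct

# Constructed sample frames (not from the CTF pcap): a global-broadcast Who-Is and
# an I-Am reply from device instance 1 (vendor id 15, max APDU 1476, no segmentation).
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")
I_AM = bytes.fromhex("810b00180120ffff00ff1000c4020000012205c49103210f")

BVLC_FUNCTIONS = {0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU"}
APDU_TYPES = {0: "Confirmed-Request", 1: "Unconfirmed-Request", 2: "Simple-ACK",
              3: "Complex-ACK", 4: "Segment-ACK", 5: "Error", 6: "Reject", 7: "Abort"}
UNCONFIRMED_SERVICES = {0x00: "I-Am", 0x08: "Who-Is"}


def parse_bacnet_ip(frame: bytes) -> dict:
    """Decode one BACnet/IP UDP payload: BVLC header, NPDU routing fields, then the APDU."""
    if len(frame) < 4 or frame[0] != 0x81:
        raise ValueError("not a BACnet/IP frame (BVLC type byte must be 0x81)")
    function, length = frame[1], struct.unpack(">H", frame[2:4])[0]
    if length != len(frame):
        raise ValueError("BVLC length field does not match payload size")
    npdu = frame[4:]
    control = npdu[1]
    info = {"bvlc": BVLC_FUNCTIONS.get(function, f"0x{function:02x}"),
            "npdu_version": npdu[0], "network_message": bool(control & 0x80)}
    pos = 2
    if control & 0x20:                           # destination specifier present
        info["dnet"] = struct.unpack(">H", npdu[pos:pos + 2])[0]
        pos += 3 + npdu[pos + 2]                 # skip DNET, DLEN and DADR
    if control & 0x08:                           # source specifier present
        pos += 3 + npdu[pos + 2]                 # skip SNET, SLEN and SADR
    if control & 0x20:
        pos += 1                                 # hop count follows only when DNET is present
    if info["network_message"]:
        return info                              # network-layer messages carry no APDU
    apdu = npdu[pos:]
    info["apdu_type"] = APDU_TYPES[apdu[0] >> 4]
    if apdu[0] >> 4 == 1:                        # unconfirmed request: byte 1 is the service
        info["service"] = UNCONFIRMED_SERVICES.get(apdu[1], f"0x{apdu[1]:02x}")
        if apdu[1] == 0x00 and apdu[2] == 0xC4:  # I-Am starts with an object id (tag 12, len 4)
            obj = struct.unpack(">I", apdu[3:7])[0]
            info["object_type"], info["device_instance"] = obj >> 22, obj & 0x3FFFFF
    return info


if __name__ == "__main__":
    for name, frame in (("Who-Is", WHO_IS), ("I-Am", I_AM)):
        print(name, parse_bacnet_ip(frame))
```

Reading the frames this way shows why the interesting packets are the ones that answer a discovery request: the I-Am carries the device object identifier that tells you what is actually on the wire.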

[Figure: the pcap open in Wireshark, from the Biohacking Village at DEF CON 28]

As you can see, this is just two machines: one claiming to be a Dell, asking which device is using an internal IP address, and the other identified by a MAC address, which stands for Media Access Control. A MAC address is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment; in other words, it basically gives a device its own unique fingerprint on that network.

I, of course, was very interested in the BACnet protocol and went through the packets. It wasn't until I saw a packet carrying a message to the effect of "you're still looking for the flag, aren't you?" that I knew I had missed something. So I went back up, reviewed the packets prior to that message, and discovered there was communication between a Honeywell and a device called a Tridium 95. I then did some googling to find out what the Tridium 95 does, and from there I read up on what packets would be sending that type of code. That's how I found the flag. I am not sharing what the flag looked like, but I will say that what you think the flag is isn't in fact the accurate thing to submit.

What tools did you use?

Just Wireshark, a tool for analyzing pcaps.