Last Wednesday I participated in my first Capture The Flag event: Hack the Boat, hosted by ON2IT at their headquarters in Zaltbommel. A live maritime OT (Operational Technology) CTF inside “THE GRID” — controlling a simulated military cargo vessel’s ballast system. We got second place.
This post is a walkthrough of the exploit path we took, and a few lessons I learned along the way.
The Setup
Kali Linux live ISO running inside a QEMU VM on my laptop. I made a huge mistake early on: I started the VM with default networking (QEMU user-mode NAT), which meant the VM couldn’t see anything else on the LAN. The target was at 192.168.9.131 and my host was at 192.168.9.121 — same subnet, but the VM was trapped behind QEMU’s internal NAT.
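A quick way to spot this failure mode from inside the guest, as an added example that is not part of the original post. It assumes QEMU's user-mode defaults (network 10.0.2.0/24, guest address 10.0.2.15), which come from QEMU's documentation rather than this page; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: classify how a guest address relates to a target address.
# Assumption: QEMU user-mode (SLIRP) networking uses its default 10.0.2.0/24.

ip_to_int() {
    # Convert a dotted-quad IPv4 address to a 32-bit integer.
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

same_subnet() {
    # same_subnet <addr/prefix> <ip>: succeed if <ip> is inside addr's subnet.
    addr=${1%/*}
    prefix=${1#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    a=$(ip_to_int "$addr")
    t=$(ip_to_int "$2")
    [ $(( a & mask )) -eq $(( t & mask )) ]
}

classify_guest() {
    # classify_guest <guest addr/prefix> <target ip>
    #   on-link   : target shares the guest's subnet, so ARP and layer 2 work
    #   slirp-nat : guest sits in QEMU's default user-mode network; inbound
    #               connections and layer-2 discovery will not reach it
    #   routed    : different subnet, but not the SLIRP default
    if same_subnet "$1" "$2"; then
        echo "on-link"
    elif same_subnet "10.0.2.0/24" "${1%/*}"; then
        echo "slirp-nat"
    else
        echo "routed"
    fi
}

# Usage inside the guest (constructed example, target taken from the post):
#   guest=$(ip -4 -o addr show scope global | awk '{print $4; exit}')
#   classify_guest "$guest" 192.168.9.131
```

A result of `slirp-nat` means the guest is not on the same network segment as the target, even when the host is.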