From 30bd8dfd02ee1092bcd4f1915a059adee844fc9b Mon Sep 17 00:00:00 2001 From: Eun0us Date: Thu, 26 Mar 2026 17:33:36 +0000 Subject: [PATCH] write-up: IoT/Nurse_Call/README.md --- IoT/Nurse_Call/README.md | 124 +++++++++++++++++++++++++++++++++------ 1 file changed, 106 insertions(+), 18 deletions(-) diff --git a/IoT/Nurse_Call/README.md b/IoT/Nurse_Call/README.md index aa4445c..3fa28e3 100644 --- a/IoT/Nurse_Call/README.md +++ b/IoT/Nurse_Call/README.md @@ -1,25 +1,113 @@ -# Nurse Call -- Solution +# Nurse Call -## Overview -Connect to the maintenance terminal and investigate phantom calls from Room 013. +| Field | Value | +|-------|-------| +| Category | IoT | +| Difficulty | Easy | +| Points | 200 | +| Author | Eun0us | +| CTF | Espilon 2026 | -## Steps +--- -1. Connect: `nc 1337` -2. Read `logs/appels.log` -- notice Room 013 phantom calls, especially the last line: - `payload room 013: 0x4c41494e` -3. Read `logs/reseau.log` -- confirms `0x4c41494e -> ASCII: "LAIN"` -4. Read `logs/maintenance.log` -- technician says to use `reveil.sh --id` with the payload ID -5. Optionally read `config/navi-care.conf` for exact syntax: `reveil.sh --id ` -6. Execute: `./tools/reveil.sh --id LAIN` -7. Flag is printed: `ESPILON{r3v31ll3_m01_d4ns_l3_w1r3d}` +## Description -## Key insight -The hex payload `0x4c41494e` is ASCII for "LAIN". The player must decode this -and use it as the module identifier with the wake tool. +You gain access to the maintenance terminal of the patient call system at Clinique Sainte-Mika. +The system reports phantom calls coming from a sealed room. + +The previous technician did not finish his investigation. His session was left open. + +Explore the logs, understand the anomaly, and find what hides in Room 013. + +- Terminal: `tcp/:1337` + +Format: **ESPILON{flag}** + +--- + +## TL;DR + +Connect to the maintenance terminal. Read the logs to find phantom calls from Room 013 with +payload `0x4c41494e`. Decode the hex to ASCII to get `LAIN`. Run `./tools/reveil.sh --id LAIN` +to wake the module and receive the flag. + +--- + +## Tools + +| Tool | Purpose | +|------|---------| +| `nc` | Terminal access | +| Hex-to-ASCII decoding | Convert `0x4c41494e` | + +--- + +## Solution + +### Step 1 — Connect + +```bash +nc 1337 +``` + +> 📸 `[screenshot: maintenance terminal with open session from the previous technician]` + +### Step 2 — Read the call log + +```bash +cat logs/appels.log +``` + +The log shows repeated phantom calls from Room 013. The last line: + +``` +[ALERT] Room 013 — unknown payload: 0x4c41494e +``` + +> 📸 `[screenshot: appels.log showing the phantom call with hex payload]` + +### Step 3 — Decode the payload + +```python +bytes.fromhex("4c41494e").decode() # 'LAIN' +``` + +Or: `0x4C = L`, `0x41 = A`, `0x49 = I`, `0x4E = N` → `LAIN` + +### Step 4 — Confirm in the network log + +```bash +cat logs/reseau.log +``` + +Contains: `0x4c41494e -> ASCII: "LAIN"` + +### Step 5 — Read the maintenance log for the command syntax + +```bash +cat logs/maintenance.log +``` + +The previous technician wrote: *"Use reveil.sh --id with the payload ID."* + +Optionally: + +```bash +cat config/navi-care.conf +``` + +Shows exact syntax: `reveil.sh --id ` + +### Step 6 — Wake the module + +```bash +./tools/reveil.sh --id LAIN +``` + +> 📸 `[screenshot: reveil.sh printing the flag after receiving the LAIN module ID]` + +--- ## Flag -`ESPILON{r3v31ll3_m01_d4ns_l3_w1r3d}` -## Author -Eun0us +`ESPILON{r3v31ll3_m01_d4ns_l3_w1r3d}`