From 8049f2b3a75cbd993d710c4522cdfc1dd43a66d4 Mon Sep 17 00:00:00 2001 From: Eun0us Date: Thu, 26 Mar 2026 17:33:48 +0000 Subject: [PATCH] write-up: OT/Schumann_Resonance/README.md --- OT/Schumann_Resonance/README.md | 161 ++++++++++++++++++++++---------- 1 file changed, 112 insertions(+), 49 deletions(-) diff --git a/OT/Schumann_Resonance/README.md b/OT/Schumann_Resonance/README.md index 0566c65..36a1179 100644 --- a/OT/Schumann_Resonance/README.md +++ b/OT/Schumann_Resonance/README.md @@ -1,74 +1,137 @@ -# Schumann Resonance -- Solution +# Schumann Resonance -## Overview -Raw BACnet/IP server simulating an environmental monitoring station at -Tachibana General Laboratories, Sub-basement 7. The device contains hidden -flag fragments XOR-encoded in object descriptions. Writing the Schumann -resonance frequency (7.83 Hz) to the tuning register reveals the flag. +| Field | Value | +|-------|-------| +| Category | OT | +| Difficulty | Medium | +| Points | 400 | +| Author | Eun0us | +| CTF | Espilon 2026 | -## Steps +--- -### 1. Device Discovery -Send a BACnet WhoIs broadcast to UDP port 47808. The device responds -with IAm: device instance **783** (reference to 7.83 Hz). +## Description + +The building management system at Tachibana General Laboratories runs BACnet/IP for +environmental monitoring. Sub-basement 7 was decommissioned years ago, but its BACnet +device is still broadcasting. + +The device description mentions "Schumann Monitoring Station." Some objects carry unusual +properties. + +Enumerate the device. Read every property. The resonance frequency holds the key. + +- BACnet/IP: `udp/:47808` + +Format: **ESPILON{flag}** + +--- + +## TL;DR + +Discover BACnet device 783 via WhoIs (device ID = Schumann frequency 7.83 Hz × 100). +XOR key = `0x0783`. Decode 7 fragment descriptions (hex-encoded XOR'd strings) to reconstruct +the flag. Alternatively: write `7.83` to AnalogValue:10 to activate the Resonance_Lock and +have the flag written automatically to CharStringValue:200. + +--- + +## Tools + +| Tool | Purpose | +|------|---------| +| Python 3 + `BAC0` | BACnet/IP discovery and read/write | +| XOR arithmetic | Decode fragment hex strings | + +--- + +## Solution + +### Step 1 — Device discovery + +Send a BACnet WhoIs broadcast to port 47808: ```python -# Using BAC0: import BAC0 -bacnet = BAC0.lite(ip="YOUR_IP/24") + +bacnet = BAC0.lite(ip="/24") bacnet.whois() -# -> Device:783 "Tachibana-ENV-SB7" +# → Device:783 "Tachibana-ENV-SB7" ``` -### 2. Enumerate Objects -Read the object-list property from Device:783: -- AnalogInput:0-3 -- normal environmental sensors (temp, humidity, pressure, CO2) -- **AnalogInput:4** -- EMF_Resonance = 7.83, description = **"PROTOCOL_SEVEN_CARRIER"** -- AnalogValue:10 -- Freq_Multiplier = 0.0 (writable!) -- AnalogValue:11-17 -- Fragment_0 through Fragment_6 (descriptions are hex strings) -- BinaryValue:100 -- Resonance_Lock = inactive -- CharStringValue:200 -- Research_Log = "Access Denied" +Device instance **783** → 7.83 Hz → **Schumann Resonance**. -### 3. Identify Key -Device instance 783 → 7.83 Hz → Schumann Resonance. -XOR key = `0x0783` (2-byte big-endian from device instance). +> 📸 `[screenshot: BACnet WhoIs response showing Device:783]` -### 4. Decode Fragments -Each Fragment_N has a description containing a hex-encoded XOR'd string. -XOR each byte with the alternating key bytes (0x07, 0x83): +### Step 2 — Enumerate objects + +Read the object-list from Device:783: + +| Object | Name | Note | +|--------|------|------| +| AnalogInput:0-3 | Temp, Humidity, Pressure, CO2 | Normal sensors | +| AnalogInput:4 | EMF_Resonance = 7.83 | Description = "PROTOCOL_SEVEN_CARRIER" | +| AnalogValue:10 | Freq_Multiplier = 0.0 | Writable! Hint: "set to Schumann harmonic" | +| AnalogValue:11-17 | Fragment_0 through Fragment_6 | Descriptions = hex strings | +| BinaryValue:100 | Resonance_Lock | inactive | +| CharStringValue:200 | Research_Log | "Access Denied" | + +> 📸 `[screenshot: object list showing Fragment objects and their hex descriptions]` + +### Step 3 — Identify the XOR key + +Device instance = 783 → 7.83 Hz → XOR key = `0x0783` (2-byte big-endian). + +Key bytes: `[0x07, 0x83]` applied cyclically. + +### Step 4 — Decode fragments (manual path) + +Read the `description` property of each Fragment AnalogValue: ```python -key = (0x07, 0x83) -for frag in fragments: - enc = bytes.fromhex(frag) - dec = bytes(b ^ key[i % 2] for i, b in enumerate(enc)) - print(dec.decode()) +fragments = [] +for i in range(7): + desc = bacnet.read(f"783 analogValue {11+i} description") + enc = bytes.fromhex(desc) + key = (0x07, 0x83) + dec = bytes(b ^ key[j % 2] for j, b in enumerate(enc)) + fragments.append(dec.decode()) + +flag = "".join(fragments) +print(flag) ``` -Concatenate all decoded fragments → the flag. +> 📸 `[screenshot: decoded fragment strings concatenating into the flag]` -### 5. Activate (Alternative Path) -Write `7.83` to AnalogValue:10 (Freq_Multiplier): +### Step 5 — Activate (alternative path) + +Write the Schumann frequency to AnalogValue:10: ```python -# WriteProperty: object=AnalogValue:10, property=presentValue, value=7.83 +bacnet.write(f"783 analogValue 10 presentValue 7.83") ``` -This sets BinaryValue:100 (Resonance_Lock) to active and writes the -flag to CharStringValue:200 (Research_Log). +This sets BinaryValue:100 (Resonance_Lock) to active and writes the flag to +CharStringValue:200 (Research_Log). -### 6. Read Flag -Read the presentValue of CharStringValue:200 (Research_Log). +Read the flag: -## Key Insights -- Device instance 783 is the key derivation hint (7.83 Hz) -- AnalogInput:4 description "PROTOCOL_SEVEN_CARRIER" confirms the Schumann connection -- Freq_Multiplier description says "set to Schumann harmonic to activate" -- Two solve paths: decode fragments manually OR activate and read Research_Log -- No authentication on BACnet -- a real-world building automation vulnerability +```python +flag = bacnet.read(f"783 characterstringValue 200 presentValue") +print(flag) +``` + +> 📸 `[screenshot: Research_Log returning the flag after Resonance_Lock activation]` + +### Key concepts + +- BACnet device instance 783 = `7.83` × 100 — the Schumann resonance frequency (7.83 Hz) +- `AnalogInput:4` description "PROTOCOL_SEVEN_CARRIER" is a lore reference and key derivation hint +- BACnet has no authentication — ReadProperty/WriteProperty work without credentials +- Two solve paths: manual fragment decode OR write the magic value and read the result + +--- ## Flag -`ESPILON{sch0m4nn_r3s0n4nc3_783}` -## Author -Eun0us +`ESPILON{sch0m4nn_r3s0n4nc3_783}`