# Nurse Call

| Field | Value |
|-------|-------|
| Category | IoT |
| Difficulty | Easy |
| Points | 200 |
| Author | Eun0us |
| CTF | Espilon 2026 |

---

## Description

You gain access to the maintenance terminal of the patient call system at Clinique Sainte-Mika.
The system reports phantom calls coming from a sealed room.

The previous technician did not finish his investigation. His session was left open.

Explore the logs, understand the anomaly, and find what hides in Room 013.

- Terminal: `tcp/<host>:1337`

Format: **ESPILON{flag}**

---

## TL;DR

Connect to the maintenance terminal. Read the logs to find phantom calls from Room 013 with
payload `0x4c41494e`. Decode the hex to ASCII to get `LAIN`. Run `./tools/reveil.sh --id LAIN`
to wake the module and receive the flag.

---

## Tools

| Tool | Purpose |
|------|---------|
| `nc` | Terminal access |
| Hex-to-ASCII decoding | Convert `0x4c41494e` |

---

## Solution

### Step 1 — Connect

```bash
nc <host> 1337
```

![maintenance terminal with open session from the previous technician](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/nurse_maint.png)

### Step 2 — Read the call log

```bash
cat logs/appels.log
```

The log shows repeated phantom calls from Room 013. The last line:

```
[ALERT] Room 013 — unknown payload: 0x4c41494e
```

![appels.log showing the phantom call with hex payload](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/nurse_log.png)

### Step 3 — Decode the payload

```python
bytes.fromhex("4c41494e").decode()  # 'LAIN'
```

Or: `0x4C = L`, `0x41 = A`, `0x49 = I`, `0x4E = N` → `LAIN`

### Step 4 — Confirm in the network log

```bash
cat logs/reseau.log
```

Contains: `0x4c41494e -> ASCII: "LAIN"`

### Step 5 — Read the maintenance log for the command syntax

```bash
cat logs/maintenance.log
```

The previous technician wrote: *"Use reveil.sh --id with the payload ID."*

Optionally:

```bash
cat config/navi-care.conf
```

Shows exact syntax: `reveil.sh --id <MODULE_ID>`

### Step 6 — Wake the module

```bash
./tools/reveil.sh --id LAIN
```

![reveil.sh printing the flag after receiving the LAIN module ID](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/nurse_flag.png)

---

## Flag

`ESPILON{r3v31ll3_m01_d4ns_l3_w1r3d}`