ESPILON-CTF-2026-Writeups/Hardware/Serial_Experimental_00
Eun0us 6a0877384d [+] Writeups v2 — sync solves, real points, scoreboard stats, cleanup
- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1,
  Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/
- Sync 24 solve/ files from main CTF-Espilon repo
- Update all READMEs with real CTFd final scores at freeze
- Add git-header.png banner
- Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards,
  1344 solves), correct freeze date March 26 2026
2026-03-27 21:27:45 +01:00

Serial Experimental 00

| Field | Value |
|-------|-------|
| Category | Hardware |
| Difficulty | Easy |
| Points | 50 |
| Author | Eun0us |
| CTF | Espilon 2026 |

Description

You gained access to a split UART debug interface from a WIRED-MED prototype.

  • TX (read): tcp/<host>:1111
  • RX (write): tcp/<host>:2222

Investigate serial diagnostics, recover the maintenance token, then unlock the node.

Format: ESPILON{...}


TL;DR

Connect to the split UART interface. Query diag.uart, diag.eeprom, and diag.order on the RX port. Decode three fragments (one is plain hex, one is XOR-obfuscated, one is ASCII-encoded) and concatenate them to form the token LAIN-SERIAL-00. Submit with unlock LAIN-SERIAL-00 to receive the flag.


Tools

| Tool | Purpose |
|------|---------|
| nc | Connect to TX and RX ports |
| Python 3 | XOR decoding of fragment B |

Solution

Step 1 — Open both channels

# Terminal 1 — read output (TX)
nc <host> 1111

# Terminal 2 — send commands (RX)
nc <host> 2222

[Screenshot: two terminals open, TX showing boot messages and RX ready for input]

Step 2 — Query the diagnostic commands

In the RX terminal:

diag.uart
diag.eeprom
diag.order

Watch the TX terminal for responses.

Step 3 — Recover the fragments

Each diagnostic command returns a fragment:

Fragment A — from diag.uart:

frag_a_hex=4c41494e

Decode: bytes.fromhex("4c41494e").decode() → LAIN

Fragment B — from diag.eeprom:

frag_b_xor_hex=4056415a525f
xor_key=0x13

Decode:

data = bytes.fromhex("4056415a525f")
key = 0x13
result = bytes(b ^ key for b in data)
print(result.decode())  # SERIAL

Fragment C — from diag.order:

frag_c_hex=3030

Decode: bytes.fromhex("3030").decode() → 00

[Screenshot: TX output showing all three fragment values from diagnostics]

Step 4 — Build the maintenance token

Concatenate in the order specified by diag.order:

LAIN + "-" + SERIAL + "-" + 00 = LAIN-SERIAL-00

Step 5 — Unlock the node

In the RX terminal:

unlock LAIN-SERIAL-00

The flag is returned on the TX terminal.

[Screenshot: TX terminal printing the flag after successful unlock]
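The five steps above, automated as an added example (this is not the repository's own solve script). The helper names, the `[boot]` banner line in the sample capture, the newline command terminator and the a, b, c fragment order are assumptions; the `key=value` lines are the ones shown in Step 3.

```python
import re
import socket

# Constructed TX capture: only the key=value lines come from the writeup;
# the banner line is invented for the example.
SAMPLE_TX = """\
[boot] debug uart ready
frag_a_hex=4c41494e
frag_b_xor_hex=4056415a525f
xor_key=0x13
frag_c_hex=3030
"""

def parse_fields(tx_text):
    """Collect key=value pairs from raw TX output, ignoring other lines."""
    return dict(re.findall(r"^(\w+)=(\S+)\s*$", tx_text, re.MULTILINE))

def build_token(fields):
    """Decode each frag_<x>[_xor]_hex field and join them with '-'."""
    key = int(fields.get("xor_key", "0"), 16)
    parts = {}
    for name, value in fields.items():
        m = re.fullmatch(r"frag_([a-z])(_xor)?_hex", name)
        if m:
            raw = bytes.fromhex(value)
            if m.group(2):  # XOR-obfuscated fragment
                raw = bytes(b ^ key for b in raw)
            parts[m.group(1)] = raw.decode("ascii")
    # Assumption: fragment order is a, b, c, as in the writeup's Step 4.
    return "-".join(parts[k] for k in sorted(parts))

def solve(host, tx_port=1111, rx_port=2222, wait=1.0):
    """Drive the split UART: write on RX, read on TX, then send unlock."""
    with socket.create_connection((host, tx_port)) as tx, \
         socket.create_connection((host, rx_port)) as rx:
        tx.settimeout(wait)
        def drain():  # read TX until it has been silent for `wait` seconds
            buf = b""
            try:
                while chunk := tx.recv(4096):
                    buf += chunk
            except socket.timeout:
                pass
            return buf.decode(errors="replace")
        for cmd in ("diag.uart", "diag.eeprom", "diag.order"):
            rx.sendall(cmd.encode() + b"\n")  # assumption: newline-terminated
        token = build_token(parse_fields(drain()))
        rx.sendall(f"unlock {token}".encode() + b"\n")
        return token, drain()
```

`solve("<host>")` returns the token and whatever the TX channel printed after the unlock; `build_token(parse_fields(SAMPLE_TX))` exercises the decoding offline.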

Key concepts

  • Split UART: TX and RX are on separate TCP ports — mirrors real hardware where TX/RX lines are physically separated. You must open both simultaneously.
  • Hex encoding: Raw bytes presented as hex strings are common in serial diagnostic outputs.
  • XOR obfuscation: Fragment B uses a single-byte XOR key; decoding is trivial because diag.eeprom prints the key (xor_key=0x13) alongside the obfuscated bytes.

Flag

ESPILON{l41n_s3r14l_3xp_00}