ESPILON-CTF-2026-Writeups/IoT/Anesthesia_Gateway/solve/solve.md
Eun0us 6a0877384d [+] Writeups v2 — sync solves, real points, scoreboard stats, cleanup
- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1,
  Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/
- Sync 24 solve/ files from main CTF-Espilon repo
- Update all READMEs with real CTFd final scores at freeze
- Add git-header.png banner
- Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards,
  1344 solves), correct freeze date March 26 2026
2026-03-27 21:27:45 +01:00


# Anesthesia Gateway -- Solution
## Overview
MQTT broker simulating an anesthesia monitoring gateway. A debug topic leaks
an encoded firmware blob. Reverse the encoding to extract a maintenance key
and publish it to unlock the flag.
## Steps
### 1. Connect and discover topics
```bash
mosquitto_sub -h HOST -t "sainte-mika/#" -v
```
Topics discovered:
- `sainte-mika/or13/vitals` -- patient vital signs (JSON)
- `sainte-mika/or13/sevoflurane` -- anesthetic gas data
- `sainte-mika/or13/propofol` -- infusion pump data
- `sainte-mika/or13/ventilator` -- mechanical ventilator data
- `sainte-mika/or13/alarms` -- alarm status (note: `"network": "WIRED-MED"`)
- `sainte-mika/or13/debug/firmware` -- **base64-encoded blob (every 45s)**
### 2. Capture firmware blob
Grab the base64 string from `debug/firmware`.
### 3. Decode the blob
The encoding chain is `JSON -> zlib -> XOR("WIRED") -> base64`.

To reverse it:
```python
import base64, zlib
blob = "<base64 string from MQTT>"
raw = base64.b64decode(blob)
# XOR with key "WIRED" (hint: WIRED-MED appears in alarm data)
key = b"WIRED"
xored = bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))
# After XOR, bytes start with 78 9C (zlib magic)
config = zlib.decompress(xored)
print(config.decode())
```
### 4. Extract maintenance key
The decoded JSON contains:
```json
{
"maintenance_key": "N4V1-C4R3-0R13-L41N"
}
```
### 5. Publish key and get flag
```bash
mosquitto_pub -h HOST -t "sainte-mika/or13/maintenance/unlock" -m "N4V1-C4R3-0R13-L41N"
```
Subscribe to the flag topic:
```bash
mosquitto_sub -h HOST -t "sainte-mika/or13/maintenance/flag"
```
### Key insights
- The XOR key "WIRED" is discoverable from the alarm topic which includes `"network": "WIRED-MED"`
- After XOR decryption, the zlib magic bytes `78 9C` confirm the correct key
- The maintenance key "N4V1-C4R3-0R13-L41N" = "Navi Care OR13 Lain" in leetspeak
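
The key check described in the insights above, as an added example that is not part of the original writeup: it builds a constructed blob with the same chain and shows that the zlib header test alone also accepts `WIRED-MED` (which shares its first five bytes with `WIRED`), so a full decompress and JSON parse is needed to confirm the key. The helper names, the sample config and the candidate list are assumptions made for illustration.

```python
import base64, json, zlib

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encode(config: dict, key: bytes) -> str:
    """The chain from step 3: JSON -> zlib -> XOR(key) -> base64."""
    packed = zlib.compress(json.dumps(config).encode())
    return base64.b64encode(xor(packed, key)).decode()

def zlib_header_ok(data: bytes) -> bool:
    # RFC 1950: method nibble is 8 (deflate) and the 16-bit header is a
    # multiple of 31. The usual 78 9C header satisfies both.
    return (len(data) >= 2 and data[0] & 0x0F == 8
            and (data[0] << 8 | data[1]) % 31 == 0)

def try_key(blob: str, key: bytes):
    """Return the decoded config if key is right, else None."""
    xored = xor(base64.b64decode(blob), key)
    if not zlib_header_ok(xored):        # cheap first filter
        return None
    try:                                 # full check: checksum + valid JSON
        return json.loads(zlib.decompress(xored))
    except (zlib.error, ValueError):
        return None

def candidates_from(text: str):
    """Whole string plus its hyphen-separated tokens, as candidate keys."""
    parts = [text] + [p for p in text.split("-") if p and p != text]
    return [p.encode() for p in parts]

def find_key(blob: str, candidates):
    for key in candidates:
        config = try_key(blob, key)
        if config is not None:
            return key, config
    return None, None

# Constructed sample data, not the challenge's real firmware blob.
SAMPLE_CONFIG = {"device": "constructed-sample", "maintenance_key": "EXAMPLE-0000"}
BLOB = encode(SAMPLE_CONFIG, b"WIRED")

if __name__ == "__main__":
    raw = base64.b64decode(BLOB)
    for key in candidates_from("WIRED-MED"):   # string seen in the alarms topic
        print(key, "header ok:", zlib_header_ok(xor(raw, key)),
              "decodes:", try_key(BLOB, key) is not None)
    print(find_key(BLOB, candidates_from("WIRED-MED")))
```
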
## Flag
`ESPILON{mQtt_g4tw4y_4n3sth3s14}`
## Author
Eun0us