Eun0us/ESPILON-CTF-2026-Writeups
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
ESPILON-CTF-2026-Writeups/IoT/Nurse_Call/README.md
Eun0us 6a0877384d [+] Writeups v2 — sync solves, real points, scoreboard stats, cleanup 
- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1,
  Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/
- Sync 24 solve/ files from main CTF-Espilon repo
- Update all READMEs with real CTFd final scores at freeze
- Add git-header.png banner
- Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards,
  1344 solves), correct freeze date March 26 2026
2026-03-27 21:27:45 +01:00

114 lines
2.3 KiB
Markdown
Raw Permalink Blame History

# Nurse Call
| Field | Value |
|-------|-------|
| Category | IoT |
| Difficulty | Easy |
| Points | 50 |
| Author | Eun0us |
| CTF | Espilon 2026 |
---
## Description
You gain access to the maintenance terminal of the patient call system at Clinique Sainte-Mika.
The system reports phantom calls coming from a sealed room.
The previous technician did not finish his investigation. His session was left open.
Explore the logs, understand the anomaly, and find what hides in Room 013.
- Terminal: `tcp/<host>:1337`
Format: **ESPILON{flag}**
---
## TL;DR
Connect to the maintenance terminal. Read the logs to find phantom calls from Room 013 with
payload `0x4c41494e`. Decode the hex to ASCII to get `LAIN`. Run `./tools/reveil.sh --id LAIN`
to wake the module and receive the flag.
---
## Tools
| Tool | Purpose |
|------|---------|
| `nc` | Terminal access |
| Hex-to-ASCII decoding | Convert `0x4c41494e` |
---
## Solution
### Step 1 — Connect
```bash
nc <host> 1337
```
![maintenance terminal with open session from the previous technician](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/nurse_maint.png)
### Step 2 — Read the call log
```bash
cat logs/appels.log
```
The log shows repeated phantom calls from Room 013. The last line:
```
[ALERT] Room 013 — unknown payload: 0x4c41494e
```
![appels.log showing the phantom call with hex payload](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/nurse_log.png)
### Step 3 — Decode the payload
```python
bytes.fromhex("4c41494e").decode() # 'LAIN'
```
Or: `0x4C = L`, `0x41 = A`, `0x49 = I`, `0x4E = N``LAIN`
### Step 4 — Confirm in the network log
```bash
cat logs/reseau.log
```
Contains: `0x4c41494e -> ASCII: "LAIN"`
### Step 5 — Read the maintenance log for the command syntax
```bash
cat logs/maintenance.log
```
The previous technician wrote: *"Use reveil.sh --id with the payload ID."*
Optionally:
```bash
cat config/navi-care.conf
```
Shows exact syntax: `reveil.sh --id <MODULE_ID>`
### Step 6 — Wake the module
```bash
./tools/reveil.sh --id LAIN
```
![reveil.sh printing the flag after receiving the LAIN module ID](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/nurse_flag.png)
---
## Flag
`ESPILON{r3v31ll3_m01_d4ns_l3_w1r3d}`
Reference in New Issue View Git Blame Copy Permalink