ESPILON-CTF-2026-Writeups/OT/Schumann_Resonance/solve/solve.md
Eun0us 6a0877384d [+] Writeups v2 — sync solves, real points, scoreboard stats, cleanup
- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1,
  Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/
- Sync 24 solve/ files from main CTF-Espilon repo
- Update all READMEs with real CTFd final scores at freeze
- Add git-header.png banner
- Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards,
  1344 solves), correct freeze date March 26 2026
2026-03-27 21:27:45 +01:00


# Schumann Resonance -- Solution
## Overview
Raw BACnet/IP server simulating an environmental monitoring station at
Tachibana General Laboratories, Sub-basement 7. The device contains hidden
flag fragments XOR-encoded in object descriptions. Writing the Schumann
resonance frequency (7.83 Hz) to the tuning register reveals the flag.
## Steps
### 1. Device Discovery
Send a BACnet WhoIs broadcast to UDP port 47808. The device responds
with IAm: device instance **783** (reference to 7.83 Hz).
```python
# Using BAC0 (pip install BAC0); YOUR_IP is this host's address on the BACnet subnet
import BAC0
bacnet = BAC0.lite(ip="YOUR_IP/24")
bacnet.whois()  # broadcast Who-Is, collect I-Am replies
# -> Device:783 "Tachibana-ENV-SB7"
```
### 2. Enumerate Objects
Read the object-list property from Device:783:
- AnalogInput:0-3 -- normal environmental sensors (temp, humidity, pressure, CO2)
- **AnalogInput:4** -- EMF_Resonance = 7.83, description = **"PROTOCOL_SEVEN_CARRIER"**
- AnalogValue:10 -- Freq_Multiplier = 0.0 (writable!)
- AnalogValue:11-17 -- Fragment_0 through Fragment_6 (descriptions are hex strings)
- BinaryValue:100 -- Resonance_Lock = inactive
- CharStringValue:200 -- Research_Log = "Access Denied"
### 3. Identify Key
Device instance 783 → 7.83 Hz → Schumann Resonance.
XOR key = `0x0783` (2-byte big-endian from device instance).
### 4. Decode Fragments
Each Fragment_N has a description containing a hex-encoded XOR'd string.
XOR each byte with the alternating key bytes (0x07, 0x83):
```python
key = (0x07, 0x83)  # 0x0783 = device instance 783, big-endian
# fragments: the description strings of AnalogValue:11..17 (Fragment_0..Fragment_6),
# in instance order, each a hex string
for frag in fragments:
    enc = bytes.fromhex(frag)
    dec = bytes(b ^ key[i % 2] for i, b in enumerate(enc))
    print(dec.decode())
```
Concatenate all decoded fragments → the flag.
### 5. Activate (Alternative Path)
Write `7.83` to AnalogValue:10 (Freq_Multiplier):
```python
# WriteProperty: object=AnalogValue:10, property=presentValue, value=7.83
# With the BAC0 instance from step 1; DEVICE_IP is the address Device:783 reported in its I-Am
bacnet.write("DEVICE_IP analogValue 10 presentValue 7.83")
```
This sets BinaryValue:100 (Resonance_Lock) to active and writes the
flag to CharStringValue:200 (Research_Log).
### 6. Read Flag
Read the presentValue of CharStringValue:200 (Research_Log).
## Key Insights
- Device instance 783 is the key derivation hint (7.83 Hz)
- AnalogInput:4 description "PROTOCOL_SEVEN_CARRIER" confirms the Schumann connection
- Freq_Multiplier description says "set to Schumann harmonic to activate"
- Two solve paths: decode fragments manually OR activate and read Research_Log
- No authentication on BACnet -- a real-world building automation vulnerability
## Flag
`ESPILON{sch0m4nn_r3s0n4nc3_783}`
## Author
Eun0us