Eun0us/ESPILON-CTF-2026-Writeups
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3a5f553a68
ESPILON-CTF-2026-Writeups/OT/Schumann_Resonance/solve/solve.md
Eun0us 6a0877384d [+] Writeups v2 — sync solves, real points, scoreboard stats, cleanup 
- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1,
  Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/
- Sync 24 solve/ files from main CTF-Espilon repo
- Update all READMEs with real CTFd final scores at freeze
- Add git-header.png banner
- Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards,
  1344 solves), correct freeze date March 26 2026
2026-03-27 21:27:45 +01:00

2.4 KiB
Raw Blame History

Schumann Resonance -- Solution

Overview

Raw BACnet/IP server simulating an environmental monitoring station at Tachibana General Laboratories, Sub-basement 7. The device contains hidden flag fragments XOR-encoded in object descriptions. Writing the Schumann resonance frequency (7.83 Hz) to the tuning register reveals the flag.

Steps

1. Device Discovery

Send a BACnet WhoIs broadcast to UDP port 47808. The device responds with IAm: device instance 783 (reference to 7.83 Hz).

# Using BAC0:
import BAC0
bacnet = BAC0.lite(ip="YOUR_IP/24")
bacnet.whois()
# -> Device:783 "Tachibana-ENV-SB7"

2. Enumerate Objects

Read the object-list property from Device:783:

  • AnalogInput:0-3 -- normal environmental sensors (temp, humidity, pressure, CO2)
  • AnalogInput:4 -- EMF_Resonance = 7.83, description = "PROTOCOL_SEVEN_CARRIER"
  • AnalogValue:10 -- Freq_Multiplier = 0.0 (writable!)
  • AnalogValue:11-17 -- Fragment_0 through Fragment_6 (descriptions are hex strings)
  • BinaryValue:100 -- Resonance_Lock = inactive
  • CharStringValue:200 -- Research_Log = "Access Denied"

3. Identify Key

Device instance 783 → 7.83 Hz → Schumann Resonance. XOR key = 0x0783 (2-byte big-endian from device instance).

4. Decode Fragments

Each Fragment_N has a description containing a hex-encoded XOR'd string. XOR each byte with the alternating key bytes (0x07, 0x83):

key = (0x07, 0x83)
for frag in fragments:
    enc = bytes.fromhex(frag)
    dec = bytes(b ^ key[i % 2] for i, b in enumerate(enc))
    print(dec.decode())

Concatenate all decoded fragments → the flag.

5. Activate (Alternative Path)

Write 7.83 to AnalogValue:10 (Freq_Multiplier):

# WriteProperty: object=AnalogValue:10, property=presentValue, value=7.83

This sets BinaryValue:100 (Resonance_Lock) to active and writes the flag to CharStringValue:200 (Research_Log).

6. Read Flag

Read the presentValue of CharStringValue:200 (Research_Log).

Key Insights

  • Device instance 783 is the key derivation hint (7.83 Hz)
  • AnalogInput:4 description "PROTOCOL_SEVEN_CARRIER" confirms the Schumann connection
  • Freq_Multiplier description says "set to Schumann harmonic to activate"
  • Two solve paths: decode fragments manually OR activate and read Research_Log
  • No authentication on BACnet -- a real-world building automation vulnerability

Flag

ESPILON{sch0m4nn_r3s0n4nc3_783}

Author

Eun0us