114 lines
2.1 KiB
Markdown
114 lines
2.1 KiB
Markdown
# Nurse Call
|
|
|
|
| Field | Value |
|
|
|-------|-------|
|
|
| Category | IoT |
|
|
| Difficulty | Easy |
|
|
| Points | 200 |
|
|
| Author | Eun0us |
|
|
| CTF | Espilon 2026 |
|
|
|
|
---
|
|
|
|
## Description
|
|
|
|
You gain access to the maintenance terminal of the patient call system at Clinique Sainte-Mika.
|
|
The system reports phantom calls coming from a sealed room.
|
|
|
|
The previous technician did not finish his investigation. His session was left open.
|
|
|
|
Explore the logs, understand the anomaly, and find what hides in Room 013.
|
|
|
|
- Terminal: `tcp/<host>:1337`
|
|
|
|
Format: **ESPILON{flag}**
|
|
|
|
---
|
|
|
|
## TL;DR
|
|
|
|
Connect to the maintenance terminal. Read the logs to find phantom calls from Room 013 with
|
|
payload `0x4c41494e`. Decode the hex to ASCII to get `LAIN`. Run `./tools/reveil.sh --id LAIN`
|
|
to wake the module and receive the flag.
|
|
|
|
---
|
|
|
|
## Tools
|
|
|
|
| Tool | Purpose |
|
|
|------|---------|
|
|
| `nc` | Terminal access |
|
|
| Hex-to-ASCII decoding | Convert `0x4c41494e` |
|
|
|
|
---
|
|
|
|
## Solution
|
|
|
|
### Step 1 — Connect
|
|
|
|
```bash
|
|
nc <host> 1337
|
|
```
|
|
|
|
> 📸 `[screenshot: maintenance terminal with open session from the previous technician]`
|
|
|
|
### Step 2 — Read the call log
|
|
|
|
```bash
|
|
cat logs/appels.log
|
|
```
|
|
|
|
The log shows repeated phantom calls from Room 013. The last line:
|
|
|
|
```
|
|
[ALERT] Room 013 — unknown payload: 0x4c41494e
|
|
```
|
|
|
|
> 📸 `[screenshot: appels.log showing the phantom call with hex payload]`
|
|
|
|
### Step 3 — Decode the payload
|
|
|
|
```python
|
|
bytes.fromhex("4c41494e").decode() # 'LAIN'
|
|
```
|
|
|
|
Or: `0x4C = L`, `0x41 = A`, `0x49 = I`, `0x4E = N` → `LAIN`
|
|
|
|
### Step 4 — Confirm in the network log
|
|
|
|
```bash
|
|
cat logs/reseau.log
|
|
```
|
|
|
|
Contains: `0x4c41494e -> ASCII: "LAIN"`
|
|
|
|
### Step 5 — Read the maintenance log for the command syntax
|
|
|
|
```bash
|
|
cat logs/maintenance.log
|
|
```
|
|
|
|
The previous technician wrote: *"Use reveil.sh --id with the payload ID."*
|
|
|
|
Optionally:
|
|
|
|
```bash
|
|
cat config/navi-care.conf
|
|
```
|
|
|
|
Shows exact syntax: `reveil.sh --id <MODULE_ID>`
|
|
|
|
### Step 6 — Wake the module
|
|
|
|
```bash
|
|
./tools/reveil.sh --id LAIN
|
|
```
|
|
|
|
> 📸 `[screenshot: reveil.sh printing the flag after receiving the LAIN module ID]`
|
|
|
|
---
|
|
|
|
## Flag
|
|
|
|
`ESPILON{r3v31ll3_m01_d4ns_l3_w1r3d}`
|