Eun0us/ESPILON-CTF-2026-Writeups
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
b3553ba029
ESPILON-CTF-2026-Writeups/OT/Tachibana_SCADA/README.md

2.5 KiB
Raw Blame History

Tachibana SCADA -- Solution

Overview

OPC-UA server simulating Tachibana General Laboratories' SCADA system. The server allows anonymous connections (SecurityPolicy None) and contains a hidden namespace with Eiri Masami's backdoor methods.

Steps

1. Connect Anonymously

Connect to opc.tcp://HOST:4840/tachibana/ without credentials. The server accepts anonymous connections -- a common OT misconfiguration.

from asyncua import Client
client = Client("opc.tcp://HOST:4840/tachibana/")
await client.connect()

2. Discover Namespaces

Read the Server.NamespaceArray to discover all registered namespaces:

  • ns=0: OPC-UA standard
  • ns=1: Server internal
  • ns=2: urn:tachibana:scada (public SCADA data)
  • ns=3: urn:tachibana:eiri:kids (hidden!)
ns_array = await client.get_namespace_array()

3. Browse Public Namespace (ns=2)

Standard SCADA data: power distribution, cooling systems, Wired Interface Array. Note Resonance_Hz = 7.83 (Schumann resonance breadcrumb).

4. Browse Hidden Namespace (ns=3)

Navigate to EiriMasami folder:

  • KIDS_Project/ contains variables: SubjectCount=0, Protocol7_Version="7.0.0-alpha", Activation_Key="????????"
  • Backdoor/ contains two methods: Authenticate and ExtractResearchData

5. Analyze Method Signatures

Read the InputArguments property of each method:

  • Authenticate(username: String, key_hash: ByteString) -> session_token: String
  • ExtractResearchData(session_token: String, project_id: UInt32) -> data: String

The key_hash description says: "16-byte truncated SHA-256 of the project name"

6. Derive Credentials

  • username: eiri (from namespace URI urn:tachibana:eiri:kids)
  • key_hash: SHA256("KIDS")[:16] (KIDS = project name from the namespace)
import hashlib
key_hash = hashlib.sha256(b"KIDS").digest()[:16]

7. Authenticate

Call the Authenticate method with the derived credentials. Returns a hex session token valid for 5 minutes.

8. Extract Protocol Seven

Call ExtractResearchData with the session token and project_id=7 (from Protocol7_Version = "7.0.0-alpha" -- project number 7).

Returns the flag.

Key Insights

  • The namespace URI urn:tachibana:eiri:kids directly contains the username ("eiri") and hash source ("kids")
  • Protocol7_Version = "7.0.0-alpha" hints that project_id = 7
  • Anonymous OPC-UA access is a real-world ICS misconfiguration
  • Method argument descriptions provide hints about the expected input format

Flag

ESPILON{31r1_k1ds_pr0t0c0l_s3v3n}

Author

Eun0us