ESPILON CTF 2026 -- Write-ups, edition 1 (33 challenges) -- OT/Schumann_Resonance

Schumann Resonance -- Solution

Overview

A raw BACnet/IP server simulating an environmental monitoring station at Tachibana General Laboratories, Sub-basement 7. The device holds hidden flag fragments, XOR-encoded, in object descriptions. Writing the Schumann resonance frequency (7.83 Hz) to the tuning register also reveals the flag.

Steps

1. Device Discovery

Send a BACnet WhoIs broadcast to UDP port 47808 (0xBAC0). The device answers with an I-Am announcing device instance 783 (a nod to 7.83 Hz).

# Using BAC0 (replace YOUR_IP with the address of your interface on the BACnet subnet):
import BAC0
bacnet = BAC0.lite(ip="YOUR_IP/24")
bacnet.whois()   # broadcasts WhoIs; each I-Am received is listed
# -> Device:783 "Tachibana-ENV-SB7"

2. Enumerate Objects

Read the object-list property from Device:783:

  • AnalogInput:0-3 -- normal environmental sensors (temp, humidity, pressure, CO2)
  • AnalogInput:4 -- EMF_Resonance = 7.83, description = "PROTOCOL_SEVEN_CARRIER"
  • AnalogValue:10 -- Freq_Multiplier = 0.0 (writable!)
  • AnalogValue:11-17 -- Fragment_0 through Fragment_6 (descriptions are hex strings)
  • BinaryValue:100 -- Resonance_Lock = inactive
  • CharStringValue:200 -- Research_Log = "Access Denied"

3. Identify Key

Device instance 783 → 7.83 Hz → Schumann Resonance. XOR key = 0x0783, i.e. the digits of the device instance read as a 2-byte big-endian hex value, giving the key bytes 0x07 and 0x83.

4. Decode Fragments

Each Fragment_N object has a description holding a hex-encoded, XOR-encoded string. XOR each byte with the key bytes in alternation (0x07, 0x83), restarting the key at the start of every fragment:

key = (0x07, 0x83)
# hex description strings of AnalogValue:11-17 (Fragment_0 .. Fragment_6), in order
fragments = []
decoded = []
for frag in fragments:
    enc = bytes.fromhex(frag)
    dec = bytes(b ^ key[i % 2] for i, b in enumerate(enc))
    print(dec.decode())
    decoded.append(dec.decode())
print("".join(decoded))  # the concatenated fragments form the flag

Concatenate all decoded fragments → the flag.
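The key derivation of step 3 and the fragment decoding of step 4, as an added, self-contained example that is not part of the original write-up. It derives the key from the device instance exactly as the write-up describes (digits 7-8-3 read as hex 0x0783, key bytes 0x07 and 0x83), then round-trips the page's flag through the fragment encoding. The hex fragment strings are constructed here from that flag; on the challenge device they are read from the descriptions of AnalogValue:11-17 over BACnet, which this offline example does not do. The function names are this example's own.

```python
# Added example, not part of the original write-up: derive the XOR key the way
# steps 3-4 describe (device instance 783 -> 0x0783 -> key bytes 0x07, 0x83) and
# round-trip a flag through the fragment encoding. The hex fragment strings are
# constructed here from the page's flag; on the real device they sit in the
# descriptions of AnalogValue:11-17 and would be read over BACnet instead.
from typing import List

DEVICE_INSTANCE = 783
FLAG = "ESPILON{sch0m4nn_r3s0n4nc3_783}"


def key_from_instance(instance: int) -> bytes:
    """Read the decimal digits of the instance as a hex number (783 -> 0x0783)
    and return its two big-endian bytes. Note this is NOT 783.to_bytes(2, 'big'),
    which would be 0x030F; the write-up's key comes from the digits themselves."""
    return int(str(instance), 16).to_bytes(2, "big")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key bytes, cycling the key from the start of this buffer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_fragments(flag: str, count: int, key: bytes) -> List[str]:
    """Split the flag into `count` chunks, XOR each chunk independently (the key
    restarts at every fragment, matching the decoder) and hex-encode it. This
    builds the constructed fixture; the challenge device does this server-side."""
    raw = flag.encode()
    size = -(-len(raw) // count)  # ceiling division
    chunks = [raw[i:i + size] for i in range(0, len(raw), size)]
    return [xor_with_key(chunk, key).hex() for chunk in chunks]


def decode_fragments(descriptions: List[str], key: bytes) -> str:
    """Decode the hex description strings of Fragment_0..Fragment_N and join them."""
    return "".join(
        xor_with_key(bytes.fromhex(desc), key).decode() for desc in descriptions
    )


KEY = key_from_instance(DEVICE_INSTANCE)
# Constructed stand-in for the seven object descriptions on the device.
FRAGMENTS = encode_fragments(FLAG, 7, KEY)

if __name__ == "__main__":
    print("key:", KEY.hex())
    for n, desc in enumerate(FRAGMENTS):
        print(f"Fragment_{n}: {desc}")
    print("flag:", decode_fragments(FRAGMENTS, KEY))
```

The decoder restarts the key index at every fragment, which is what the write-up's loop does with `i % 2` inside the per-fragment comprehension; a decoder that kept a running index across fragments would scramble every odd-length fragment boundary.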

5. Activate (Alternative Path)

Write 7.83 to AnalogValue:10 (Freq_Multiplier):

# WriteProperty: object=AnalogValue:10, property=presentValue, value=7.83

This sets BinaryValue:100 (Resonance_Lock) to active and writes the flag to CharStringValue:200 (Research_Log).

6. Read Flag

Read the presentValue of CharStringValue:200 (Research_Log).

Key Insights

  • Device instance 783 is the key derivation hint (7.83 Hz)
  • AnalogInput:4 description "PROTOCOL_SEVEN_CARRIER" confirms the Schumann connection
  • Freq_Multiplier description says "set to Schumann harmonic to activate"
  • Two solve paths: decode fragments manually OR activate and read Research_Log
  • No authentication on BACnet/IP -- any host that can reach UDP 47808 can read and write properties, a real-world building automation weakness

Flag

ESPILON{sch0m4nn_r3s0n4nc3_783}

Author

Eun0us