Nurse Call
| Field | Value |
|---|---|
| Category | IoT |
| Difficulty | Easy |
| Points | 200 |
| Author | Eun0us |
| CTF | Espilon 2026 |
Description
You gain access to the maintenance terminal of the patient call system at Clinique Sainte-Mika. The system reports phantom calls coming from a sealed room.
The previous technician did not finish his investigation. His session was left open.
Explore the logs, understand the anomaly, and find what hides in Room 013.
- Terminal: tcp/<host>:1337
Format: ESPILON{flag}
TL;DR
Connect to the maintenance terminal. Read the logs to find phantom calls from Room 013 with
payload 0x4c41494e. Decode the hex to ASCII to get LAIN. Run ./tools/reveil.sh --id LAIN
to wake the module and receive the flag.
Tools
| Tool | Purpose |
|---|---|
| nc | Terminal access |
| Hex-to-ASCII decoding | Convert 0x4c41494e |
Solution
Step 1 — Connect
nc <host> 1337
📸
[screenshot: maintenance terminal with open session from the previous technician]
Step 2 — Read the call log
cat logs/appels.log
The log shows repeated phantom calls from Room 013. The last line:
[ALERT] Room 013 — unknown payload: 0x4c41494e
📸
[screenshot: appels.log showing the phantom call with hex payload]
Step 3 — Decode the payload
bytes.fromhex("4c41494e").decode() # 'LAIN'
Or: 0x4C = L, 0x41 = A, 0x49 = I, 0x4E = N → LAIN
Step 4 — Confirm in the network log
cat logs/reseau.log
Contains: 0x4c41494e -> ASCII: "LAIN"
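Steps 2 to 4 can be done in one pass over the log. The script below is an added example, not part of the original write-up or the challenge files: it pulls every `unknown payload` value out of alert lines shaped like the one quoted from appels.log and decodes those that are printable ASCII. The function names, the left-padding of odd-length values and every sample line except the Room 013 alert are assumptions.

```python
import re
import string

# Alert lines shaped like the one quoted from logs/appels.log. The separator
# between the room number and the message is matched loosely on purpose.
ALERT_RE = re.compile(
    r"\[ALERT\]\s+Room\s+(?P<room>\d+)\s+\S+\s+"
    r"unknown payload:\s+0x(?P<hex>[0-9a-fA-F]+)"
)
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def decode_payload(hex_digits):
    """Return the ASCII text of a hex payload, or None if it is not printable."""
    if len(hex_digits) % 2:
        # Assumption: an odd digit count means a dropped leading zero.
        hex_digits = "0" + hex_digits
    raw = bytes.fromhex(hex_digits)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None  # bytes above 0x7f: binary data, not a text identifier
    return text if text and all(c in PRINTABLE for c in text) else None


def scan(lines):
    """Yield (room, payload, decoded text or None) for each alert line."""
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            yield m["room"], "0x" + m["hex"].lower(), decode_payload(m["hex"])


# Constructed sample log: only the Room 013 alert is taken from the write-up.
SAMPLE_LOG = """\
[INFO] Room 007 - call acknowledged
[ALERT] Room 013 — unknown payload: 0x4c41494e
[ALERT] Room 021 - unknown payload: 0xff00a1
[ALERT] Room 030 - unknown payload: 0x0a0d
""".splitlines()

if __name__ == "__main__":
    for room, payload, text in scan(SAMPLE_LOG):
        print(f"room {room}: {payload} -> {text!r}")
```

Payloads that decode to control characters or non-ASCII bytes come back as `None`, so only values that could plausibly be a module ID are reported as text.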
Step 5 — Read the maintenance log for the command syntax
cat logs/maintenance.log
The previous technician wrote: "Use reveil.sh --id with the payload ID."
Optionally:
cat config/navi-care.conf
Shows exact syntax: reveil.sh --id <MODULE_ID>
Step 6 — Wake the module
./tools/reveil.sh --id LAIN
📸
[screenshot: reveil.sh printing the flag after receiving the LAIN module ID]
Flag
ESPILON{r3v31ll3_m01_d4ns_l3_w1r3d}