Anesthesia Gateway -- Solution
Overview
MQTT broker simulating an anesthesia monitoring gateway. A debug topic leaks an encoded firmware blob. Reverse the encoding to extract a maintenance key and publish it to unlock the flag.
Steps
1. Connect and discover topics
mosquitto_sub -h HOST -t "sainte-mika/#" -v
Topics discovered:
sainte-mika/or13/vitals -- patient vital signs (JSON)
sainte-mika/or13/sevoflurane -- anesthetic gas data
sainte-mika/or13/propofol -- infusion pump data
sainte-mika/or13/ventilator -- mechanical ventilator data
sainte-mika/or13/alarms -- alarm status (note: "network": "WIRED-MED")
sainte-mika/or13/debug/firmware -- base64-encoded blob (every 45s)
2. Capture firmware blob
Grab the base64 string from debug/firmware.
3. Decode the blob
The encoding chain is: JSON -> zlib -> XOR("WIRED") -> base64
To reverse:
import base64, zlib
blob = "<base64 string from MQTT>"
raw = base64.b64decode(blob)
# XOR with key "WIRED" (hint: WIRED-MED appears in alarm data)
key = b"WIRED"
xored = bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))
# After XOR, bytes start with 78 9C (zlib magic)
config = zlib.decompress(xored)
print(config.decode())
4. Extract maintenance key
The decoded JSON contains:
{
"maintenance_key": "N4V1-C4R3-0R13-L41N"
}
5. Publish key and get flag
mosquitto_pub -h HOST -t "sainte-mika/or13/maintenance/unlock" -m "N4V1-C4R3-0R13-L41N"
Subscribe to the flag topic:
mosquitto_sub -h HOST -t "sainte-mika/or13/maintenance/flag"
Key insights
- The XOR key "WIRED" is discoverable from the alarm topic, which includes "network": "WIRED-MED"
- After XOR decryption, the zlib magic bytes 78 9C confirm the correct key
- The maintenance key "N4V1-C4R3-0R13-L41N" = "Navi Care OR13 Lain" in leetspeak
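As an added example (not code from the original writeup), the JSON -> zlib -> XOR -> base64 chain round-tripped on a constructed sample config, with the zlib-header insight above turned into a check that validates a candidate key before decompressing; SAMPLE_CONFIG is made up for the demo and the header check is generalized to any valid RFC 1950 header, not just 78 9C:

```python
import base64
import json
import zlib

# Constructed sample config for the demo (not the real blob from the challenge).
SAMPLE_CONFIG = {"device": "or13-gateway", "maintenance_key": "N4V1-C4R3-0R13-L41N"}
KEY = b"WIRED"  # taken from the "network": "WIRED-MED" field in the alarm topic


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_blob(config: dict, key: bytes) -> str:
    """Apply the chain the writeup describes: JSON -> zlib -> XOR -> base64."""
    compressed = zlib.compress(json.dumps(config).encode())
    return base64.b64encode(xor_bytes(compressed, key)).decode()


def looks_like_zlib(data: bytes) -> bool:
    """RFC 1950 header check: CM == 8 (deflate) and CMF*256+FLG is a multiple of 31.
    Generalizes the '78 9C' hint: 78 01, 78 5E, 78 9C and 78 DA all pass."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def decode_blob(blob: str, key: bytes) -> dict:
    """Reverse the chain, refusing to decompress unless the XOR output has a zlib header."""
    xored = xor_bytes(base64.b64decode(blob), key)
    if not looks_like_zlib(xored):
        raise ValueError("XOR output is not a zlib stream; wrong key?")
    return json.loads(zlib.decompress(xored).decode())


def find_key(blob: str, candidates):
    """Return the first candidate that passes the header check AND fully decompresses.
    The two-byte header alone is not proof: any key sharing WIRED's first two bytes
    passes it, so the Adler-32 check inside zlib.decompress is the real confirmation."""
    for key in candidates:
        try:
            decode_blob(blob, key)
            return key
        except (ValueError, zlib.error):
            continue
    return None


if __name__ == "__main__":
    blob = encode_blob(SAMPLE_CONFIG, KEY)
    print(find_key(blob, [b"MED", b"WIRED-MED", b"WIRED"]))
    print(decode_blob(blob, KEY)["maintenance_key"])
```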
Flag
ESPILON{mQtt_g4tw4y_4n3sth3s14}
Author
Eun0us