Writeup: Schumann Resonance - EspilonCTF (OT) Paid Members Public
Overview A BACnet/IP building management system at Tachibana General Laboratories has a decommissioned device in Sub-basement 7 still broadcasting. The goal is to enumerate the device, read all properties, and use the Schumann resonance frequency to unlock the flag. Solution Step 1: Device Discovery Sent a BACnet WhoIs request
Writeup: CAN Bus Implant - EspilonCTF (Hardware) Paid Members Public
Challenge Description The CAN bus of the Clinique Sainte-Mika connects medical equipment. You have access to a sniffing interface and an injection point. * Sniff (read-only): tcp://espilon.net:38795 * Inject (write): tcp://espilon.net:38796 Goal: Analyze the traffic, identify diagnostic patterns, and extract sensitive data. Step 1: Sniffing CAN
Writeup: Wired SPI Exfil - EspilonCTF (Hardware) Paid Members Public
Solution Step 1: Connect and Enumerate Connected to the SPI probe interface and issued help to list available commands: cs <0|1> Assert/deassert chip select tx <hex bytes> SPI transaction status Show interface status Step 2: Identify the Flash Chip Read the JEDEC ID using
Writeup: Signal Tap Lain - EspilonCTF (Hardware) Paid Members Public
Description A debug probe is capturing signals from Lain's NAVI. Three channels are being recorded, but what protocol is in use? Capture the data, identify the protocol, and decode the message. Solution Step 1: Capture the Signal Data Connected to the service using netcat: nc espilon.net 38751
Writeup: Glitch The Wired - EspilonCTF (Hardware) Paid Members Public
Challenge Info * Category: Hardware / Fault Injection * Service: tcp://espilon.net:38740 * Flag Format: ESPILON{...} * Description: A WIRED-MED secure boot module is exposed on the lab bench. You have access to the power rail and can inject voltage glitches. Find the right timing to bypass signature verification and access the debug
Writeup: Nurse Call - EspilonCTF (IOT) Paid Members Public
Description You gain access to the maintenance terminal of the patient call system at Clinique Sainte-Mika. The system reports phantom calls coming from a sealed room. The previous technician did not finish his investigation. His session was left open. Objective: Explore the logs, understand the anomaly, and find what hides
Writeup: JMP Custom Protocol - EspilonCTF (ESP) Paid Members Public
Challenge Description The CERT-CORP intercepted a strange firmware from an unknown router model built by the shady Jnouned Company. Analysts found it targets an ESP32-based prototype, but the system is protected by a locked UART console. Your mission: flash the firmware, break into the system, and unlock admin access. Category:
Writeup: Admin Panel - EspilonCTF (ESP) Paid Members Public
Challenge Description The CERT-CORP intercepted a strange firmware from an unknown router model built by the shady Jnouned Company. Analysts found it targets an ESP32-based prototype, but the system is protected by a locked UART console. Your mission: flash the firmware, break into the system, and unlock admin access. Category:
