Writeup: Schumann Resonance - EspilonCTF (OT)

Overview

A BACnet/IP building management system at Tachibana General Laboratories has a decommissioned device in Sub-basement 7 still broadcasting. The goal is to enumerate the device, read all properties, and use the Schumann resonance frequency to unlock the flag.

Solution

Step 1: Device Discovery

Sent a BACnet WhoIs request to the target. The device responded with an IAm indicating:

• Device Instance: 783
• Object Name: Tachibana-ENV-SB7
• Description: Schumann Monitoring Station -- Sub-basement 7
• Model Name: WIRED-ENV-7.83

Step 2: Object Enumeration

Read the object-list property from Device 783 and found 16 objects:

Step 3: Key Observations

1. AI 4 (EMF_Resonance) has present-value 7.83 -- the fundamental Schumann resonance frequency (7.83 Hz).
2. AV 10 (Freq_Multiplier) description says: "set to Schumann harmonic to activate".
3. CSV 200 (Research_Log) is locked: "Access Denied -- frequency lock required".
4. BV 100 (Resonance_Lock) is inactive (0).

Step 4: Write the Resonance Frequency

Sent a BACnet WriteProperty request to set AV 10 (Freq_Multiplier) present-value to 7.83 (IEEE 754 float).

WriteProperty: AV 10, present-value = 7.83
Response: Simple ACK (success)

Step 5: Read the Unlocked Flag

After writing 7.83:

• BV 100 (Resonance_Lock) changed to 1 (active)
• CSV 200 (Research_Log) now returns the flag

Flag

ESPILON{sch0m4nn_r3s0n4nc3_783}

Tools Used

• Python 3 with raw UDP sockets
• Manual BACnet/IP packet construction (BVLC, NPDU, APDU)
• BACnet services: WhoIs, ReadProperty, WriteProperty

Key Takeaways

• BACnet/IP is a UDP-based building automation protocol commonly found in ICS/SCADA environments
• The Schumann resonance is the set of electromagnetic frequencies in the Earth's cavity, with the fundamental at ~7.83 Hz
• The challenge required both reading (enumeration) and writing (exploitation) BACnet properties to unlock the flag