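#! /usr/bin/python
"""BLE CTF level 04 solver: mutate the known value for handle 0x2C one nibble at a time.

Author's level notes, kept from the original script:

42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a variant of this to find the flag!
44 0x2C NOTIFY WRITE
46 0x2E READ WRITE write here to goto to scoreboard
Flag: f401f21d02fdd0a4fc00

The peripheral echoes an accepted value back over NOTIFY; the first reply that
is *not* an echo of what was written is taken to be the flag.
"""
import binascii
import itertools
import os
import struct
import sys
import time

import bluepy.btle as btle

# Earlier attempts (exhaustive 4- and 12-nibble enumeration via
# itertools.product) were abandoned as impractical; itertools stays imported
# only for that history.

# Most recent payload delivered by the peripheral's NOTIFY; written by
# MyDelegate.handleNotification, read by probe().
notificationData = ""

# Known-good value for handle 0x2C (from the level hint above) and the nibble
# alphabet used to mutate it one position at a time.
KNOWN_VALUE = "AABBCCDDEEFF"
HEX_CHARSET = "0123456789ABCDEF"


class MyDelegate(btle.DefaultDelegate):
    """Store every notification payload in the module-level notificationData."""

    def __init__(self, hndl):
        btle.DefaultDelegate.__init__(self)
        # Handle of the characteristic being watched; kept for the caller's
        # reference, not consulted here.
        self.hndl = hndl

    def handleNotification(self, cHandle, data):
        # cHandle is not filtered: only the CCCD for 0x2C is ever enabled.
        global notificationData
        notificationData = data


def read_device_mac(path='ctf_mac.txt'):
    """Return the peripheral MAC stored in *path*, stripped of surrounding whitespace.

    The file is closed by the context manager; the original left the handle open
    and passed the raw contents (trailing newline included) to Peripheral().
    """
    with open(path) as fh:
        return fh.read().strip()


def select_level(mac, level=4):
    """Point the CTF peripheral at *level* by writing it as a big-endian u16 to handle 0x30.

    Equivalent to the original unhexlify('%04x' % level) for level 4 (b"\\x00\\x04").
    Always disconnects, even if the write raises.
    """
    p = btle.Peripheral(mac)
    try:
        print("Attached to peripheral")
        print("Loading level %02d" % level)
        p.writeCharacteristic(0x30, struct.pack(">H", level), withResponse=False)
    finally:
        p.disconnect()


def build_wordlist(base=KNOWN_VALUE, charset=HEX_CHARSET):
    """Return every single-position substitution of *base*, in position order, without repeats.

    Args:
        base: the known-good hex string to mutate.
        charset: symbols substituted at each position.

    Returns:
        list[str] of candidates. *base* itself appears once (first occurrence);
        the original list repeated it once per position.
    """
    seen = set()
    words = []
    for pos in range(len(base)):
        for sym in charset:
            candidate = base[:pos] + sym + base[pos + 1:]
            if candidate not in seen:
                seen.add(candidate)
                words.append(candidate)
    return words


def probe(mac, password):
    """Write *password* (hex string) to handle 0x2C and return the notified reply (bytes).

    Subscribes to notifications first, then blocks until one arrives, printing
    "Waiting..." once per second of silence (the original loop never gave up
    either). The connection is always closed on exit.
    """
    global notificationData
    notificationData = ""  # drop any stale payload from a previous probe
    p = btle.Peripheral(mac)
    try:
        # list() because bluepy returns a dict view on Python 3, which is not
        # subscriptable; a no-op on Python 2.
        srvs = list(p.getServices())
        ch = srvs[2].getCharacteristics()[1]
        # Client Characteristic Configuration Descriptor sits right after the value handle.
        cccd = ch.valHandle + 1
        p.setDelegate(MyDelegate(ch.getHandle()))
        p.writeCharacteristic(cccd, b"\x01\x00")  # enable NOTIFY
        sys.stdout.write("\rTrying: %s" % password.rstrip())
        sys.stdout.flush()
        # unhexlify already yields the str/bytes type writeCharacteristic
        # expects on each Python version; the original's str() wrapper would
        # turn bytes into "b'...'" on Python 3.
        p.writeCharacteristic(0x2C, binascii.unhexlify(password))
        while True:
            if p.waitForNotifications(1.0):
                return notificationData
            print("Waiting...")
    finally:
        p.disconnect()


def main():
    """Select level 04, then try each mutation until the reply stops echoing the input."""
    mac = read_device_mac()
    select_level(mac, 4)
    print("Generating wordlist")
    for password in build_wordlist():
        reply = probe(mac, password)
        # decode() so the comparison sees plain hex text on Python 3 as well.
        reply_hex = binascii.b2a_hex(reply).decode("ascii").strip("0").upper()
        # An echo means the value was merely accepted; anything else is the flag.
        if password.strip("0") != reply_hex:
            print(" Flag: %s" % reply.rstrip())
            return
    print("\nWordlist exhausted without a non-echo reply")


if __name__ == "__main__":
    main()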