Newer
Older
BLE_CTF_V2 / solutions.txt
root on 13 Mar 3 KB tidying
root@PiBenchDash:/opt/BLE_CTF_V2# ./lvl_00.py 
Attached to peripheral
Sending "12345678901234567890" to 0x2e
Done

root@PiBenchDash:/opt/BLE_CTF_V2# ./lvl_01.py 
Attached to peripheral
Loading level 1
Reading value
Flag: fc3fd58dcdad9ab23fac

root@PiBenchDash:/opt/BLE_CTF_V2# ./lvl_02.py 
Attached to peripheral
Loading level 02
Password Found: password1234                                        
Flag: eca7d1f3cf60a8b5344a

/***
 * nano  /etc/systemd/system/dbus-org.bluez.service
 * set: ExecStart=/usr/lib/bluetooth/bluetoothd --compat
 */
root@PiBenchDash:/opt/BLE_CTF_V2# systemctl daemon-reload
root@PiBenchDash:/opt/BLE_CTF_V2# service bluetooth restart
root@PiBenchDash:/opt/BLE_CTF_V2# ./lvl_03.py 
Attached to peripheral
Loading level 03
Pairing
Attached to peripheral (pid 0)
Sending PIN: 0000
Flag: b46fa238cf820d0f60c1
Pairing successful

root@PiBenchDash:/opt/BLE_CTF_V2# ./lvl_04.py 
Attached to peripheral
Loading level 04
Generating wordlist
Trying: AABBC8DDEEFF
Flag: f401f21d02fdd0a4fc00

root@PiBenchDash:/opt/BLE_CTF_V2# ./lvl_05.py 
Attached to peripheral
Loading level 05
Sending "121212121222" to 0x2c
Reading value
Flag: 84cf61c35b2d9c92217d

root@PiBenchDash:/opt/BLE_CTF_V2# ./lvl_06.py 
Attached to peripheral
Loading level 06
Manufacturer:   Cypress Semiconductor Corporation (305)
Device address: B8:27:EB:81:86:56 (Raspberry Pi Foundation)
New BD address: 11:22:33:44:55:66
Address changed - Reset device now
Reading value
Flag: 1dec0e624f2ecf1513dc

root@PiBenchDash:/opt/BLE_CTF_V2# ./lvl_07.py 
[bp] Attached to peripheral
[++] Loading level 07
[sp] starting bluetoothctl
[sp] Timeout
[sp] Pairing successful
[bp] Attached to peripheral
[==] Flag: a16ee1a4001c66c3a670

root@PiBenchDash:/opt/BLE_CTF_V2# ./lvl_09.py 
Attached to peripheral
Loading level 09
Starting advertisement listner
Please wait 5s...
Starting hcitool
Please wait 5s...
LE Scan ...
3C:71:BF:F1:EF:C6 FLAG_09
3C:71:BF:F1:EF:C6 (unknown)
        Name (complete): FLAG_09
        Name (complete): MD5OFLOL
        Name (complete): ..

root@PiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e fc3fd58dcdad9ab23fac
root@PiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e eca7d1f3cf60a8b5344a
root@PiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e eca7d1f3cf60a8b5344a
root@PiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e b46fa238cf820d0f60c1
root@PiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e f401f21d02fdd0a4fc00
root@PiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e 84cf61c35b2d9c92217d
root@PiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e 1dec0e624f2ecf1513dc
root@PiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e eca7d1f3cf60a8b5344a
root@PiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e aee4bd941f8b4d9e3921

root@PiBenchDash:/opt/BLE_CTF_V2# ./enumerate.py 
- snip -
42  0x2A   READ         docs: https://github.com/hackgnar/ble_ctf_infinity
44  0x2C   READ         Flags complete: 9 /10
46  0x2E   READ WRITE   Submit flags here
48  0x30   READ WRITE   Write 0x0000 to 0x00FF to goto flag
50  0x32   READ WRITE   Write 0xC1EA12 to reset all flags
52  0x34   READ         Flag 0: Complete  
54  0x36   READ         Flag 1: Complete  
56  0x38   READ         Flag 2: Complete  
58  0x3A   READ         Flag 3: Complete  
60  0x3C   READ         Flag 4: Complete  
62  0x3E   READ         Flag 5: Complete  
64  0x40   READ         Flag 6: Complete  
66  0x42   READ         Flag 7: Complete  
68  0x44   READ         Flag 8: Incomplete
70  0x46   READ         Flag 9: Complete