Ross Marks

Fork: 0

0xRoM / BLE_CTF_V2

Browse code completed level 09 master
1 parent 2bffce8 commit 3d2683840cf7dde8abaf5666573c4ded6c15e6f8 root authored on 13 Mar 2022

Patch

Unified Split

Showing 4 changed files

Ignore Space Show notes View lvl_08_incomplete.py 100644 → 100755
File mode changed

                Ignore Space
               Show notes
              View
            
          
          45 ■■■■■
          lvl_09.py
        
        
        
          0 → 100755
             #! /usr/bin/python
from __future__ import print_function   # import print from python3: end=""
import time   
import re
import subprocess
import pexpect    # sudo apt-get install python-pexpect
import random
import binascii
import struct
import sys, os, time
import bluepy.btle as btle
  
'''
42  0x2A   READ         Im advertising the flag
 
MD5OFLOL
'''
deviceMAC = open('ctf_mac.txt').read()  
p = btle.Peripheral(deviceMAC)
svc=p.getServiceByUUID(0x00FF)
print ("Attached to peripheral")
 
print("Loading level 09")
hex1 = binascii.unhexlify(str('%0*x' % (4,9)))
p.writeCharacteristic(0x30, hex1, withResponse=False)
 
p.disconnect()
 
print("Starting advertisement listner")
ps = subprocess.Popen(["btmon"], shell=False, stdout=subprocess.PIPE)
gp = subprocess.Popen(["grep", "Name"], shell=False, stdin=ps.stdout)
ps.stdout.close()
#output = gp.communicate()[0]
#ps.wait()
 
print("Please wait 5s...")
time.sleep(5)
 
print("Starting hcitool")
ps2 = subprocess.Popen(['hcitool', 'lescan'], shell=False) 
 
print("Please wait 5s...")
time.sleep(5)
ps2.terminate()
ps.terminate()
+#! /usr/bin/python
+from __future__ import print_function   # import print from python3: end=""
+import time
+import re
+import subprocess
+import pexpect    # sudo apt-get install python-pexpect
+import random
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+'''
+0x2A   READ         Im advertising the flag
+MD5OFLOL
+'''
+deviceMAC = open('ctf_mac.txt').read()
+p = btle.Peripheral(deviceMAC)
+svc=p.getServiceByUUID(0x00FF)
+print ("Attached to peripheral")
+print("Loading level 09")
+hex1 = binascii.unhexlify(str('%0*x' % (4,9)))
+p.writeCharacteristic(0x30, hex1, withResponse=False)
+p.disconnect()
+print("Starting advertisement listner")
+ps = subprocess.Popen(["btmon"], shell=False, stdout=subprocess.PIPE)
+gp = subprocess.Popen(["grep", "Name"], shell=False, stdin=ps.stdout)
+ps.stdout.close()
+#output = gp.communicate()[0]
+#ps.wait()
+print("Please wait 5s...")
+time.sleep(5)
+print("Starting hcitool")
+ps2 = subprocess.Popen(['hcitool', 'lescan'], shell=False)
+print("Please wait 5s...")
+time.sleep(5)
+ps2.terminate()
+ps.terminate()

                Show notes
              View
            
          
          11 ■■■■■
          lvl_09_incomplete.py
        
        
          100644 → 0
             #! /usr/bin/python
import binascii
import struct
import sys, os, time
import bluepy.btle as btle
  
'''
42  0x2A   READ         Im advertising the flag
 
'''
-#! /usr/bin/python
-import binascii
-import struct
-import sys, os, time
-import bluepy.btle as btle
-'''
-0x2A   READ         Im advertising the flag
-'''

                Ignore Space
               Show notes
              View
            
          
          44 ■■■■■
          solutions.txt
        
        
        
          100644 → 100755
 root@PiBenchDash:/opt/BLE_CTF_V2# ./lvl_01.py 
Attached to peripheral
Loading level 1
Reading value
Flag: eca7d1f3cf60a8b5344a
Flag: fc3fd58dcdad9ab23fac
 
root@PiBenchDash:/opt/BLE_CTF_V2# ./lvl_02.py 
Attached to peripheral
Loading level 02
[sp] Pairing successful
[bp] Attached to peripheral
[==] Flag: a16ee1a4001c66c3a670
 
root@PiBenchDash:/opt/BLE_CTF_V2# ./lvl_09.py 
Attached to peripheral
Loading level 09
Starting advertisement listner
Please wait 5s...
Starting hcitool
Please wait 5s...
LE Scan ...
3C:71:BF:F1:EF:C6 FLAG_09
3C:71:BF:F1:EF:C6 (unknown)
        Name (complete): FLAG_09
        Name (complete): MD5OFLOL
        Name (complete): ..
 
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e fc3fd58dcdad9ab23fac
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e eca7d1f3cf60a8b5344a
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e eca7d1f3cf60a8b5344a
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e b46fa238cf820d0f60c1
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e f401f21d02fdd0a4fc00
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e 84cf61c35b2d9c92217d
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e 1dec0e624f2ecf1513dc
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e eca7d1f3cf60a8b5344a
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e aee4bd941f8b4d9e3921
 
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./enumerate.py 
- snip -
42  0x2A   READ         docs: https://github.com/hackgnar/ble_ctf_infinity
44  0x2C   READ         Flags complete: 9 /10
46  0x2E   READ WRITE   Submit flags here
48  0x30   READ WRITE   Write 0x0000 to 0x00FF to goto flag
50  0x32   READ WRITE   Write 0xC1EA12 to reset all flags
52  0x34   READ         Flag 0: Complete  
54  0x36   READ         Flag 1: Complete  
56  0x38   READ         Flag 2: Complete  
58  0x3A   READ         Flag 3: Complete  
60  0x3C   READ         Flag 4: Complete  
62  0x3E   READ         Flag 5: Complete  
64  0x40   READ         Flag 6: Complete  
66  0x42   READ         Flag 7: Complete  
68  0x44   READ         Flag 8: Incomplete
70  0x46   READ         Flag 9: Complete
 root@PiBenchDash:/opt/BLE_CTF_V2# ./lvl_01.py
 Attached to peripheral
 Loading level 1
 Reading value
+Flag: eca7d1f3cf60a8b5344a
+Flag: fc3fd58dcdad9ab23fac
 root@PiBenchDash:/opt/BLE_CTF_V2# ./lvl_02.py
 Attached to peripheral
 Loading level 02
 [sp] Pairing successful
 [bp] Attached to peripheral
 [==] Flag: a16ee1a4001c66c3a670
+root@PiBenchDash:/opt/BLE_CTF_V2# ./lvl_09.py
+Attached to peripheral
+Loading level 09
+Starting advertisement listner
+Please wait 5s...
+Starting hcitool
+Please wait 5s...
+LE Scan ...
+C:71:BF:F1:EF:C6 FLAG_09
+C:71:BF:F1:EF:C6 (unknown)
+        Name (complete): FLAG_09
+        Name (complete): MD5OFLOL
+        Name (complete): ..
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e fc3fd58dcdad9ab23fac
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e eca7d1f3cf60a8b5344a
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e eca7d1f3cf60a8b5344a
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e b46fa238cf820d0f60c1
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e f401f21d02fdd0a4fc00
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e 84cf61c35b2d9c92217d
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e 1dec0e624f2ecf1513dc
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e eca7d1f3cf60a8b5344a
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./send2handle.py 0x2e aee4bd941f8b4d9e3921
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./enumerate.py
+- snip -
+0x2A   READ         docs: https://github.com/hackgnar/ble_ctf_infinity
+0x2C   READ         Flags complete: 9 /10
+0x2E   READ WRITE   Submit flags here
+0x30   READ WRITE   Write 0x0000 to 0x00FF to goto flag
+0x32   READ WRITE   Write 0xC1EA12 to reset all flags
+0x34   READ         Flag 0: Complete
+0x36   READ         Flag 1: Complete
+0x38   READ         Flag 2: Complete
+0x3A   READ         Flag 3: Complete
+0x3C   READ         Flag 4: Complete
+0x3E   READ         Flag 5: Complete
+0x40   READ         Flag 6: Complete
+0x42   READ         Flag 7: Complete
+0x44   READ         Flag 8: Incomplete
+0x46   READ         Flag 9: Complete

Show line notes below