首页
社区
课程
招聘
[原创]BLECTF低功耗蓝牙CTF挑战
发表于: 2022-2-18 22:26 34924

[原创]BLECTF低功耗蓝牙CTF挑战

2022-2-18 22:26
34924

在搜东西的时候发现了这个:ble_ctf · github,拿来做做玩玩呀

首先得把环境弄好,你得有一块 ESP32 的板子,淘宝买就行了,笔记本自带的蓝牙适配器如果不行的话(后面会说怎么判断)也得自己买一个蓝牙适配器,我用的是 CSR4.0 这个,直接去淘宝搜就行

出现 connecting 的时候按住板子上的 boot 按键,直到进行下一步,再松开


kali 我用的官方的虚拟机(2022.1),可能报错: kali connect to bluez failed

先安装:apt-get install bluetooth

再重启:service bluetooth restart

查看蓝牙设备:hciconfig

激活:hciconfig hci0 up

查看蓝牙信息:sudo hciconfig hci0 lestates,如果返回:Read LE supported states on hci0 returned status 1 表示你的蓝牙适配器不支持 BLE,正常的应该是这样的

另外补充一些情况:

运行 rfkill unblock allhciconfig hci0 up 即可解决


扫描周围低功耗设备:hcitool lescan会看到一个名为 BLECTF 的设备

接下来,根据 README 使用 gatttool 来从设备上的句柄 42 中读取分数,一共 20 关,目前是 0 分

介绍一下 gatttool 的用法参考:https://blog.csdn.net/u010764600/article/details/119685484

Flag one is a gift! You can only obtain it by reading this document or peaking at the source code. In short, this flag is to get you familiar with doing a simple write to a BLE handle. Do the following to get your first flag. Make sure you replace the MAC address in the examples below with your devices mac address!


First, check out your score:

gatttool -b de:ad:be:ef:be:f1 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'


Next, lets sumbmit the following flag. gatttool -b de:ad:be:ef:be:f1 --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps)


Finaly, check out your score again to see your flag got accepted:

gatttool -b de:ad:be:ef:be:f1 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'

送分题,教你怎么提交 flag 的,使用 --char-write-req 向句柄 44 提交 12345678901234567890 即可

再次查看分数已经是 1/20 了

Check out the ascii value of handle 0x002e and submit it to the flag submision handle 0x002c. If you are using gatttool, make sure you convert it to hex with xxd. If you are using bleah, you can send it as a string value.

想让你查看 0x002e 句柄的 ASCII 码值,那就是用 --char-read 了

可以看到输出了一些十六进制的 ASCII,转成 ASCII 后即是 flag

Check out the ascii value of handle 0x0030. Do what it tells you and submit the flag you find to 0x002c.

让我们检查 0x0030 这个句柄的值,看看想让我们做啥,查看后转为 ASCII 是 MD5 of Device Name,设备名称自然就是 BLECTF 了,取其 MD5 值前的 20 个字符

Bluetooth GATT services provide some extra device attributes. Try finding the value of the Generic Access -> Device Name.

这个没明白啥意思

Read handle 0032 and do what it says. Notice that its not telling you to write to the flag handle as you have been. When you find the flag, go ahead and write it to the flag handle you have used in the past flags.

先读 0x0032 句柄的内容是 Write anything here

那就随便写点东西

再次查看就是 flag 了,这里我傻了,一开始写了个 hello,结果查看没得分,没明白咋回事以为做错了,又去写 anything,然后才想起来写完之后再去看到的应该是 flag 了

Follow the instructions found from reading handle 0x0034. Keep in mind that some tools only write hex values while other provide methods for writing either hex or ascii

查看 0x0034:Write the ascii value "yo" here

让写 yo 到 0x0034 去

Follow the instructions found from reading handle 0x0036. Keep in mind that some tools only write hex values while other provide methods for writing either hex or ascii

查看 0x0036 句柄,让我们写 0x07 到该句柄,直接 -n 后面跟着就行

Follow the instructions found from reading handle 0x0038. Pay attention to handles here. Keep in mind handles can be refrenced by integer or hex. Most tools such as gatttool and bleah allow you to specify handles both ways.

查看句柄 0x0038 得到提示:Write 0xC9 to handle 58 他想告诉我们可以大多数工具的句柄可以用十进制或十六进制表示

Take a look at handle 0x003c and do what it says. You should script up a solution for this one. Also keep in mind that some tools write faster than others.

句柄 0x003c 显示:Brute force my value 00 to ff 让我们对它进行暴力破解,直接用 python 写个循环就行了

python 中有一个 zfill 方法用来给字符串前面补 0,n.zfill(2) 表示 n 要是不足两个字符的话就左边补零

Talke a look at handle 0x003e and do what it says. Keep in mind that some tools have better connection speeds than other for doing reads and writes. This has to do with the functionality the tool provides or how it uses cached BT connections on the host OS. Try testing different tools for this flag. Once you find the fastest one, whip up a script or bash 1 liner to complete the task. FYI, once running, this task takes roughly 90 seconds to complete if done right.

先看一下 0x003e 说啥:Read me 1000 times 读 1000 次?还是用 python 循环执行系统命令不就行了?

Check out handle 0x0040 and google search gatt notify. Some tools like gatttool have the ability to subsribe to gatt notifications

0x0040 这个句柄给出的提示信息是:Listen to me for a single notification,用 gatttool 监听从蓝牙发送过来通知(notification)的数据

这个需要在 characteristic 的 client config 配置为 Enable Notification/Indication 的时候才行,向某个Characteristic 写数据,他会把数据从另外一个 Characteristic 再原样发回

涉及到 GATT 的通知,客户端(kali)可以向服务端(esp32)请求通知一项特征值,当该特征可用时服务端会通知客户端,通知(notification)不需要客户端回应 ACK

Check out handle 0x0042 and google search gatt indicate. For single response indicate messages, like this chalange, tools such as gatttool will work just fine.

0x0042 句柄说:Listen to handle 0x0044 for a single indication

这个会从 ESP32 发送指示给我们,与上一个的区别在于这一个需要回应 ACK

Check out handle 0x0046 and do what it says. Keep in mind that this notification clallange requires you to recieve multiple responses in order to complete.

0x0046 说:Listen to me for multi notifications

这一个监听的时候会发送多个通知,等一下就能看到 flag

Check out handle 0x0042(源文件应该写错了,0x0048) and google search gatt indicate. Keep in mind that this chalange will require you to parse multiple indicate responses in order to complete the chalange.

0x0048 说:Listen to handle 0x004a for multi indications

跟十二关一样,就是等一会就出来了

另外,出了些问题,出租房突然断电了,然后这个不知道为啥就是连接不上了,有时候是这样 Device or resource busy (16),有时候是这样 connection refused (111) 还有时候是 Function not implemented (38) 重新烧录也不行,但是我用 bettercap 连接之后再尝试就又行了,有时候连接之后也不行,又是啥玄学问题?后来觉得可能是适配器问题,反正挨个重新试试就解决了


[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2022-2-19 08:27 被yichen115编辑 ,原因: 更新图片
收藏
免费 7
支持
分享
最新回复 (3)
雪    币: 15191
活跃值: (16857)
能力值: (RANK:730 )
在线值:
发帖
回帖
粉丝
2
强啊~
2022-2-22 14:33
0
雪    币: 21
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
3
补充题主一个问题,就是如果电脑不支持低功耗蓝牙的话,可以选择使用树莓派,树莓派自带的蓝牙适配器支持。
2022-3-30 11:27
2
雪    币: 853
活跃值: (1417)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
4
太强了
2022-5-20 20:51
0
游客
登录 | 注册 方可回帖
返回
//