Flag one is a gift! You can only obtain it by reading this document or peeking at the source code. In short, this flag is to get you familiar with doing a simple write to a BLE handle. Do the following to get your first flag. Make sure you replace the MAC address in the examples below with your device's MAC address!
Check out the ASCII value of handle 0x002e and submit it to the flag submission handle 0x002c. If you are using gatttool, make sure you convert it to hex with xxd. If you are using bleah, you can send it as a string value.
To look at the ASCII value of handle 0x002e, use --char-read:
gatttool -b 08:3a:f2:b9:85:92 --char-read -a 0x002e
The output is a run of hexadecimal bytes; converting them to ASCII gives the flag.
Check out the ASCII value of handle 0x0030. Do what it tells you and submit the flag you find to 0x002c.
gatttool -b 08:3a:f2:b9:85:92 --char-read -a 0x0030
Bluetooth GATT services provide some extra device attributes. Try finding the value of the Generic Access -> Device Name.
gatttool -b 08:3a:f2:b9:85:92 --char-read -a 0x0016
Read handle 0032 and do what it says. Notice that it's not telling you to write to the flag handle as you have been. When you find the flag, go ahead and write it to the flag handle you have used in the past flags.
First read handle 0x0032; its content is "Write anything here":
gatttool -b 08:3a:f2:b9:85:92 --char-read -a 0x0032
Follow the instructions found from reading handle 0x0036. Keep in mind that some tools only write hex values while others provide methods for writing either hex or ASCII.
Reading handle 0x0036 tells us to write 0x07 to that handle; just put the value directly after -n:
gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x0036 -n 07
Follow the instructions found from reading handle 0x0038. Pay attention to handles here. Keep in mind handles can be referenced by integer or hex. Most tools such as gatttool and bleah allow you to specify handles both ways.
Reading handle 0x0038 gives the hint "Write 0xC9 to handle 58". The point is that most tools accept a handle in either decimal or hexadecimal, so decimal 58 is handle 0x003a:
gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 58 -n C9
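The read-decode-submit cycle from flag 1 (decode gatttool's hex output to ASCII, hex-encode the flag for the write instead of using xxd by hand) and the decimal/hex handle point from flag 7, as an added Python helper around gatttool. This is not code from the original writeup or from BLECTF; the MAC address is the one used above and the sample --char-read output line is constructed.

```python
import subprocess

# Constructed sample of what `gatttool --char-read` prints; the bytes spell
# "sample text" plus a NUL and are not taken from a real device.
SAMPLE_READ_OUTPUT = "Characteristic value/descriptor: 73 61 6d 70 6c 65 20 74 65 78 74 00 \n"

def parse_char_read(output):
    """Decode the 'Characteristic value/descriptor: 73 61 ...' hex bytes to ASCII."""
    marker = "Characteristic value/descriptor:"
    if marker not in output:
        raise ValueError("unexpected gatttool output: %r" % output)
    raw = bytes(int(b, 16) for b in output.split(marker, 1)[1].split())
    # trailing NULs/newlines are padding, not flag text
    return raw.decode("ascii").rstrip("\x00\n")

def ascii_to_hex(value):
    """Hex-encode a string for -n, matching `echo -n value | xxd -ps`."""
    return value.encode("ascii").hex()

def normalize_handle(handle):
    """gatttool 0x form from decimal ('58'), 0x hex ('0x003a') or bare hex ('003a')."""
    if isinstance(handle, int):
        value = handle
    else:
        text = handle.strip().lower()
        if text.startswith("0x"):
            value = int(text, 16)
        elif text.isdigit() and not text.startswith("0"):
            value = int(text, 10)   # plain decimal such as flag 7's '58'
        else:
            value = int(text, 16)   # bare hex such as '003c' or '0032'
    return "0x%04x" % value

def read_cmd(mac, handle):
    return ["gatttool", "-b", mac, "--char-read", "-a", normalize_handle(handle)]

def write_cmd(mac, handle, ascii_value):
    """Submit an ASCII flag: the value goes to -n hex-encoded, as flag 1 requires."""
    return ["gatttool", "-b", mac, "--char-write-req", "-a", normalize_handle(handle),
            "-n", ascii_to_hex(ascii_value)]

def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    MAC = "08:3a:f2:b9:85:92"  # replace with your device's address
    flag = parse_char_read(run(read_cmd(MAC, "0x002e")))
    print("flag text:", flag)
    print(run(write_cmd(MAC, "0x002c", flag)))
```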
Take a look at handle 0x003c and do what it says. You should script up a solution for this one. Also keep in mind that some tools write faster than others.
Handle 0x003c shows "Brute force my value 00 to ff". It wants us to brute-force the value, which is just a loop in Python.
Python strings have a zfill method that left-pads with zeros: n.zfill(2) pads n on the left with zeros if it is shorter than two characters, so every candidate is sent as exactly two hex digits.
import os

for i in range(256):
    x = str(hex(i))[2:]
    x = x.zfill(2)  # pad to two hex digits, e.g. 'a' -> '0a'
    payload = "gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x003c -n " + x
    os.system(payload)  # one write per candidate value 00..ff
Take a look at handle 0x003e and do what it says. Keep in mind that some tools have better connection speeds than others for doing reads and writes. This has to do with the functionality the tool provides or how it uses cached BT connections on the host OS. Try testing different tools for this flag. Once you find the fastest one, whip up a script or bash 1 liner to complete the task. FYI, once running, this task takes roughly 90 seconds to complete if done right.
First see what 0x003e says: "Read me 1000 times". Read it 1000 times? A Python loop that runs the system command does the job:
import os
for i in range(1001):
    payload = "gatttool -b 08:3a:f2:b9:85:92 --char-read -a 0x003e"
    os.system(payload)  # one read per iteration
Check out handle 0x0040 and Google search gatt notify. Some tools like gatttool have the ability to subscribe to gatt notifications.
The hint from handle 0x0040 is "Listen to me for a single notification". Use gatttool to listen for the notification data the Bluetooth device sends.
Read handle 0x0048 (the original text probably has a typo here; the handle should be 0x004e) and do what it says. Setting MTU can be a tricky thing. Some tools may provide mtu flags, but they don't seem to really trigger MTU negotiations on servers. Try using gatttool's interactive mode for this task. By default, the BLECTF server is set to force an MTU size of 20. The server will listen for MTU negotiations, and look at them, but we don't really change the MTU in the code. We just trigger the flag code if you trigger an MTU event with the value specified in handle 0x0048. GLHF!
Check out handle 0x0050 and do what it says. This challenge differs from other write challenges as your tool that does the write needs to have write response ack messages implemented correctly. This flag is also tricky as the flag will come back as notification response data even though there is no "NOTIFY" property.