Take a look at handle 0x003c and do what it says. You should script up a solution for this one. Also keep in mind that some tools write faster than others.
句柄 0x003c 显示:Brute force my value 00 to ff 让我们对它进行暴力破解,直接用 python 写个循环就行了
python 中有一个 zfill 方法用来给字符串前面补 0,n.zfill(2) 表示 n 要是不足两个字符的话就左边补零
import osimport timefor i in range(256): x = str(hex(i))[2:] x = x.zfill(2) payload = "gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x003c -n "+ xprint(payload) time.sleep(0.5) os.system(payload)
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
Talke a look at handle 0x003e and do what it says. Keep in mind that some tools have better connection speeds than other for doing reads and writes. This has to do with the functionality the tool provides or how it uses cached BT connections on the host OS. Try testing different tools for this flag. Once you find the fastest one, whip up a script or bash 1 liner to complete the task. FYI, once running, this task takes roughly 90 seconds to complete if done right.
先看一下 0x003e 说啥:Read me 1000 times 读 1000 次?还是用 python 循环执行系统命令不就行了?
import osimport timefor i in range(1001): payload = "gatttool -b 08:3a:f2:b9:85:92 --char-read -a 0x003e" #print(payload) time.sleep(0.1) os.system(payload)
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
Check out handle 0x0040 and google search gatt notify. Some tools like gatttool have the ability to subsribe to gatt notifications
0x0040 这个句柄给出的提示信息是:Listen to me for a single notification,用 gatttool 监听从蓝牙发送过来通知(notification)的数据,涉及到 GATT 的通知,客户端(kali)可以向服务端(esp32)请求通知一项特征值,当该特征可用时服务端会通知客户端,通知(notification)不需要客户端回应 ACK
gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x0040 -n 00 --listen
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
Check out handle 0x0042 and google search gatt indicate. For single response indicate messages, like this chalange, tools such as gatttool will work just fine.
0x0042 句柄说:Listen to handle 0x0044 for a single indication,这个会从 ESP32 发送指示给我们,与上一个的区别在于这一个需要回应 ACK
gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x0044 -n 00 --listen
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
Check out handle 0x0046 and do what it says. Keep in mind that this notification clallange requires you to recieve multiple responses in order to complete.
0x0046 说:Listen to me for multi notifications,这一个监听的时候会发送多个通知,等一下就能看到 flag
gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x0046 -n 00 --listen
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
Check out handle 0x0042(源文件应该写错了,0x0048) and google search gatt indicate. Keep in mind that this chalange will require you to parse multiple indicate responses in order to complete the chalange.
0x0048 说:Listen to handle 0x004a for multi indications,跟十二关一样,就是等一会就出来了
gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x004a -n 00 --listen
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
Check out handle 0x004c and do what it says. Much like ethernet or wifi devices, you can also change your bluetooth devices mac address.
0x004c 这个句柄说:Connect with BT MAC address 11:22:33:44:55:66 希望我们用指定的 MAC 地址去连接,网上搜到可以使用 bdaddr 去修改 MAC 地址,如果 make 的时候报错了,缺少 bluetooth/bluetooth.h 去安装依赖:
sudo apt-get install libbluetooth-dev
但是我失败了 Orz,尽管这个工具说成功了,但并没有改掉,这个工具的 issue 也说 CSR 的设备有这个问题,暂时没有得到解决,另外 spooftooph 这个工具也不行,直接按照源码里的 flag 提交吧
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x002c -n $(echo -n "aca16920583e42bdcf5f"|xxd -ps)
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
Read handle 0x0048(源文件应该写错了,0x004e)and do what it says. Setting MTU can be a tricky thing. Some tools may provide mtu flags, but they dont seem to really trigger MTU negotiations on servers. Try using gatttool's interactive mode for this task. By default, the BLECTF server is set to force an MTU size of 20. The server will listen for MTU negotiations, and look at them, but we dont really change the MTU in the code. We just trigger the flag code if you trigger an MTU event with the value specified in handle 0x0048. GLHF!
句柄 0x004e 说:Set your connection MTU to 444,使用 -m 参数 指定 MTU 大小为 444,但是不起效果,使用交互模式指定
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
Check out handle 0x0050 and do what it says. This chalange differs from other write chalanges as your tool that does the write needs to have write response ack messages implemente correctly. This flag is also tricky as the flag will come back as notification response data even though there is no "NOTIFY" property.
句柄 0x0050 说:Write+resp 'hello'
gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x0050 -n $(echo -n "hello"|xxd -ps)
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
Take a look at handle 0x0052. Notice it does not have a notify property. Do a write here and listen for notifications anyways! Things are not always what they seem!
0x0052 句柄说:No notifications here! really? 说是没有,实际还是可以监听得到
gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x0052 -n 00 --listen
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
Check out all of the handle properties on 0x0054! Poke around with all of them and find pieces to your flag.
0x0054 给的提示是:So many properties!,随便写点东西,获得一部分 flag
gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x0054 -n 00
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
监听获得一部分 flag
gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x0054 -n 00 --listen
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
Figure out the authors twitter handle and do what 0x0056 tells you to do!
0x0056 说:md5 of author's twitter handle,作者的 twitter 在 README 就有
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x002c -n $(echo -n "d953bfb9846acc2e15ee"|xxd -ps)
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
完
![BLECTF:低功耗蓝牙CTF挑战(下)]( "BLECTF:低功耗蓝牙CTF挑战(下)")
原文始发于微信公众号(陈冠男的游戏人生):BLECTF:低功耗蓝牙CTF挑战(下)
评论