在实习摸鱼的时候发现了这个:
https://github.com/hackgnar/ble_ctf
玩玩看看,首先得把环境弄好,你得有一块 ESP32 的板子,淘宝买就行了,笔记本自带的蓝牙适配器如果不行的话(后面会说怎么判断)也得自己买一个蓝牙适配器,我用的是 CSR4.0 这个,直接去淘宝搜就行
配置环境
首先得安装 esptool 用来烧录 esp32
代码语言:javascript复制sudo apt-get install esptool然后下面执行这一串命令把 BLECTF 烧到 esp32 中
出现 connecting 的时候按住板子上的 boot 按键,直到进行下一步,再松开
代码语言:javascript复制git clone https://github.com/hackgnar/ble_ctf
cd ble_ctf
esptool --chip esp32 --port /dev/ttyUSB0
--baud 115200 --before default_reset --after hard_reset write_flash
-z --flash_mode dio --flash_freq 40m --flash_size detect
0x1000 build/bootloader/bootloader.bin
0x10000 build/gatt_server_service_table_demo.bin
0x8000 build/partitions_singleapp.binkali 我用的官方的虚拟机(2022.1),可能报错:kali connect to bluez failed
先安装:apt-get install bluetooth
再重启:service bluetooth restart
查看蓝牙设备:hciconfig
激活:hciconfig hci0 up
查看蓝牙信息:sudo hciconfig hci0 lestates,如果返回:Read LE supported states on hci0 returned status 1 表示你的蓝牙适配器不支持 BLE,正常的应该是这样的
# hciconfig hci0 up
Can't init device hci0: Operation not possible due to RF-kill (132)另外,出现上面的情况运行 rfkill unblock all 再 hciconfig hci0 up 即可解决
扫描周围低功耗设备:hcitool lescan会看到一个名为 BLECTF 的设备
接下来,根据 README 使用 gatttool 来从设备上的句柄 42 中读取分数,一共 20 关,目前是 0 分
代码语言:javascript复制gatttool -b 08:3a:f2:b9:85:92 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf 'n'介绍一下 gatttool 的用法参考:
https://blog.csdn.net/u010764600/article/details/119685484
代码语言:javascript复制GATT commands
--primary 发现GATT服务
--characteristics 发现设备上所有的characteristics
--char-read 读某个characteristics,需要指定一个handle(句柄)
--char-write 写某个characteristics,需要指定一个handle,使用Write Without Response的方式
--char-write-req 写某个characteristics,需要指定一个handle,使用Write Request的方式
--char-desc 发现所有的Characteristics Descriptor
--listen 监听Characteristics的notification或者indication
Primary Services/Characteristics arguments
-s, --start=0x0001 起始handle
-e, --end=0xffff 结束handle
-u, --uuid=0x1801 16比特或者128比特的UUID
Characteristics Value/Descriptor Read/Write arguments
-a, --handle=0x0001 通过handle来读写characteristic,后面接handle值
-n, --value=0x0001 写characteristic时候的参数,后面接具体的值
Application Options:
-i, --adapter=hciX 后面接设备描述, 如hci0等
-b, --device=MAC 远端设备的蓝牙地址
-t, --addr-type=[public | random] 远端设备蓝牙地址的类型,默认为public
-m, --mtu=MTU att协议的MTU大小
-p, --psm=PSM 制定gatt的PSM,默认值为0
-l, --sec-level=[low | medium | high] 安全等级,默认为low
-I, --interactive 交互式模式第一关 0x002c
Flag one is a gift! You can only obtain it by reading this document or peaking at the source code. In short, this flag is to get you familiar with doing a simple write to a BLE handle. Do the following to get your first flag. Make sure you replace the MAC address in the examples below with your devices mac address!
First, check out your score:
gatttool -b de:ad:be:ef:be:f1 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf 'n'
Next, lets sumbmit the following flag. gatttool -b de:ad:be:ef:be:f1 --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps)
Finaly, check out your score again to see your flag got accepted:
gatttool -b de:ad:be:ef:be:f1 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf 'n'
送分题,教你怎么提交 flag 的,使用 --char-write-req 向句柄 44 提交 12345678901234567890 即可
代码语言:javascript复制gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps)再次查看分数已经是 1/20 了
第二关 0x002e
Check out the ascii value of handle 0x002e and submit it to the flag submision handle 0x002c. If you are using gatttool, make sure you convert it to hex with xxd. If you are using bleah, you can send it as a string value.
想让你查看 0x002e 句柄的 ASCII 码值,那就是用 --char-read 了
代码语言:javascript复制gatttool -b 08:3a:f2:b9:85:92 --char-read -a 0x002e可以看到输出了一些十六进制的 ASCII,转成 ASCII 后即是 flag
第三关 0x0030
Check out the ascii value of handle 0x0030. Do what it tells you and submit the flag you find to 0x002c.
让我们检查 0x0030 这个句柄的值,看看想让我们做啥,查看后转为 ASCII 是 MD5 of Device Name,设备名称自然就是 BLECTF 了,取其 MD5 值的前 20 个字符
代码语言:javascript复制gatttool -b 08:3a:f2:b9:85:92 --char-read -a 0x0030
第四关 0x0016
Bluetooth GATT services provide some extra device attributes. Try finding the value of the Generic Access -> Device Name.
这个没明白啥意思,但是 README 里的标题是 0x0016 就读了
代码语言:javascript复制gatttool -b 08:3a:f2:b9:85:92 --char-read -a 0x0016
第五关 0x0032
Read handle 0032 and do what it says. Notice that its not telling you to write to the flag handle as you have been. When you find the flag, go ahead and write it to the flag handle you have used in the past flags
先读 0x0032 句柄的内容是 Write anything here,那就随便写点东西
代码语言:javascript复制gatttool -b 08:3a:f2:b9:85:92 --char-read -a 0x0032再次查看就是 flag 了,这里我傻了,一开始写了个 hello,结果查看没得分,没明白咋回事以为做错了,又去写 anything,然后才想起来写完之后再去看到的应该是 flag 了
第六关 0x0034
Follow the instructions found from reading handle 0x0034. Keep in mind that some tools only write hex values while other provide methods for writing either hex or ascii
查看 0x0034:Write the ascii value "yo" here,让我们写 yo 到 0x0034 去
代码语言:javascript复制gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x0034 -n $(echo -n "yo"|xxd -ps)
第七关 0x0036
Follow the instructions found from reading handle 0x0036. Keep in mind that some tools only write hex values while other provide methods for writing either hex or ascii
查看 0x0036 句柄,让我们写 0x07 到该句柄,直接 -n 后面跟着就行
代码语言:javascript复制gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x0036 -n 07
第八关 0x003
Follow the instructions found from reading handle 0x0038. Pay attention to handles here. Keep in mind handles can be refrenced by integer or hex. Most tools such as gatttool and bleah allow you to specify handles both ways.
查看句柄 0x0038 得到提示:Write 0xC9 to handle 58 他想告诉我们可以大多数工具的句柄可以用十进制或十六进制表示
代码语言:javascript复制gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 58 -n C9
