I found this while slacking off during my internship:
https://github.com/hackgnar/ble_ctf
To play with it you first need to set up the environment. You need an ESP32 board (Taobao is fine). If your laptop's built-in Bluetooth adapter doesn't work (how to check this is described later), you will also need to buy a Bluetooth adapter; I used a CSR4.0 one, just search for it on Taobao.

Environment setup

First install esptool, which is used to flash the ESP32:
```
sudo apt-get install esptool
```
Then run the following commands to flash BLECTF onto the ESP32.
When "Connecting" appears, hold down the BOOT button on the board until it moves on to the next step, then release it.
```
git clone https://github.com/hackgnar/ble_ctf
cd ble_ctf
esptool --chip esp32 --port /dev/ttyUSB0 \
--baud 115200 --before default_reset --after hard_reset write_flash \
-z --flash_mode dio --flash_freq 40m --flash_size detect \
0x1000 build/bootloader/bootloader.bin \
0x10000 build/gatt_server_service_table_demo.bin \
0x8000 build/partitions_singleapp.bin
```
I used the official Kali VM (2022.1), which may report the error: kali connect to bluez failed
Install first:
```
apt-get install bluetooth
```
Then restart the service:
```
service bluetooth restart
```
List Bluetooth adapters:
```
hciconfig
```
Bring the adapter up:
```
hciconfig hci0 up
```
Check the adapter's LE capabilities:
```
sudo hciconfig hci0 lestates
```
If that returns:
```
Read LE supported states on hci0 returned status 1
```
your Bluetooth adapter does not support BLE. A working adapter looks like this:
![](https://img.laitimes.com/img/__Qf2AjLwojIjJCLyojI0JCLiAjM2EzLcd3LcJzLcJzdllmVldWYtl2Pn5GcuIWNhRWO3UjZyYTM5I2N2QDOhZGO2QWZwMzM3Y2M2kjZvw1MwgDO1gjNtUGall3LcVmdhNXLwRHdo9CXt92YucWbpRWdvx2Yx5yazF2Lc9CX6MHc0RHaiojIsJye.png)
```
# hciconfig hci0 up
Can't init device hci0: Operation not possible due to RF-kill (132)
```
Also, if you get the error above, run
```
rfkill unblock all
```
and then
```
hciconfig hci0 up
```
to fix it.
Scan for nearby Bluetooth Low Energy devices:
```
hcitool lescan
```
You should see a device named BLECTF.
Next, following the README, use gatttool to read the score from handle 42 (0x002a) on the device. There are 20 flags in total, and the score is currently 0:
```
gatttool -b 08:3a:f2:b9:85:92 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
```
A reference for gatttool usage:
https://blog.csdn.net/u010764600/article/details/119685484
```
GATT commands
--primary            Discover primary GATT services
--characteristics    Discover all characteristics on the device
--char-read          Read a characteristic; requires a handle
--char-write         Write a characteristic; requires a handle; uses Write Without Response
--char-write-req     Write a characteristic; requires a handle; uses Write Request
--char-desc          Discover all characteristic descriptors
--listen             Listen for characteristic notifications or indications
Primary Services/Characteristics arguments
-s, --start=0x0001   Starting handle
-e, --end=0xffff     Ending handle
-u, --uuid=0x1801    16-bit or 128-bit UUID
Characteristics Value/Descriptor Read/Write arguments
-a, --handle=0x0001  Read/write the characteristic at this handle
-n, --value=0x0001   Value (hex) to write when writing a characteristic
Application Options:
-i, --adapter=hciX   Adapter to use, e.g. hci0
-b, --device=MAC     Bluetooth address of the remote device
-t, --addr-type=[public | random]  Address type of the remote device, default public
-m, --mtu=MTU        ATT MTU size
-p, --psm=PSM        PSM for GATT, default 0
-l, --sec-level=[low | medium | high]  Security level, default low
-I, --interactive    Interactive mode
```
Flag 1: 0x002c
Flag one is a gift! You can only obtain it by reading this document or peeking at the source code. In short, this flag is to get you familiar with doing a simple write to a BLE handle. Do the following to get your first flag. Make sure you replace the MAC address in the examples below with your device's MAC address!
First, check out your score:
```
gatttool -b de:ad:be:ef:be:f1 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
```
Next, let's submit the following flag:
```
gatttool -b de:ad:be:ef:be:f1 --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps)
```
Finally, check out your score again to see your flag got accepted:
```
gatttool -b de:ad:be:ef:be:f1 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
```
A freebie that shows you how to submit a flag: use --char-write-req to write 12345678901234567890 to handle 44 (0x002c):
```
gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps)
```
Checking the score again shows 1/20.
Flag 2: 0x002e
Check out the ascii value of handle 0x002e and submit it to the flag submission handle 0x002c. If you are using gatttool, make sure you convert it to hex with xxd. If you are using bleah, you can send it as a string value.
It wants us to look at the ASCII value of handle 0x002e, so use --char-read:
```
gatttool -b 08:3a:f2:b9:85:92 --char-read -a 0x002e
```
The output is some hex-encoded ASCII; converting it to ASCII gives the flag.
Flag 3: 0x0030
Check out the ascii value of handle 0x0030. Do what it tells you and submit the flag you find to 0x002c.
Let's read handle 0x0030 to see what it wants us to do. Converted to ASCII it reads MD5 of Device Name; the device name is of course BLECTF, so take the first 20 characters of its MD5:
```
gatttool -b 08:3a:f2:b9:85:92 --char-read -a 0x0030
```
Flag 4: 0x0016
Bluetooth GATT services provide some extra device attributes. Try finding the value of the Generic Access -> Device Name.
I didn't understand what this meant, but the heading in the README says 0x0016, so I just read it:
```
gatttool -b 08:3a:f2:b9:85:92 --char-read -a 0x0016
```
Flag 5: 0x0032
Read handle 0032 and do what it says. Notice that it's not telling you to write to the flag handle as you have been. When you find the flag, go ahead and write it to the flag handle you have used in the past flags.
First read handle 0x0032; its content is Write anything here, so just write something to it:
```
gatttool -b 08:3a:f2:b9:85:92 --char-read -a 0x0032
```
Reading it again then gives the flag. I was being dumb here: I first wrote hello, checked the score and got no points, and not understanding what was going on I thought I had done it wrong and wrote anything instead; only then did I remember that what you read back after writing should be the flag.
Flag 6: 0x0034
Follow the instructions found from reading handle 0x0034. Keep in mind that some tools only write hex values while others provide methods for writing either hex or ascii.
Reading 0x0034 gives: Write the ascii value "yo" here, so write yo to 0x0034:
```
gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x0034 -n $(echo -n "yo"|xxd -ps)
```
Flag 7: 0x0036
Follow the instructions found from reading handle 0x0036. Keep in mind that some tools only write hex values while others provide methods for writing either hex or ascii.
Reading handle 0x0036 tells us to write 0x07 to that handle; just put it directly after -n:
```
gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 0x0036 -n 07
```
Flag 8: 0x0038
Follow the instructions found from reading handle 0x0038. Pay attention to handles here. Keep in mind handles can be referenced by integer or hex. Most tools such as gatttool and bleah allow you to specify handles both ways.
Reading handle 0x0038 gives the hint: Write 0xC9 to handle 58. It's telling us that in most tools a handle can be given in either decimal or hex:
```
gatttool -b 08:3a:f2:b9:85:92 --char-write-req -a 58 -n C9
```
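As an added example (not from the original post or the ble_ctf project), here is a small Python helper for the recurring steps in flags 2, 3 and 8: decoding the hex that gatttool --char-read prints into ASCII, computing the 20-character MD5 flag from the device name, hex-encoding a flag for -n the way echo -n | xxd -ps does, and normalising decimal or hex handles. The sample gatttool output is constructed, and the function names are my own.

```python
import hashlib
import re

# Constructed sample of what `gatttool ... --char-read -a 0x0030` prints for flag 3.
SAMPLE_CHAR_READ = (
    "Characteristic value/descriptor: "
    "4d 44 35 20 6f 66 20 44 65 76 69 63 65 20 4e 61 6d 65 \n"
)


def parse_char_read(output: str) -> str:
    """Turn gatttool --char-read output into the ASCII string it encodes."""
    m = re.search(r"Characteristic value/descriptor:\s*((?:[0-9a-fA-F]{2}\s*)+)", output)
    if not m:
        raise ValueError("no characteristic value found in gatttool output")
    return bytes.fromhex("".join(m.group(1).split())).decode("ascii", errors="replace")


def to_hex(value: str) -> str:
    """Encode an ASCII value for -n, equivalent to `echo -n value | xxd -ps`."""
    return value.encode("ascii").hex()


def md5_flag(device_name: str) -> str:
    """Flag 3: the first 20 hex characters of the MD5 of the device name."""
    return hashlib.md5(device_name.encode("ascii")).hexdigest()[:20]


def handle_str(handle) -> str:
    """gatttool accepts handles as decimal ints or 0x-hex strings; normalise to 0xNNNN."""
    n = int(handle, 0) if isinstance(handle, str) else int(handle)
    return f"0x{n:04x}"


def submit_cmd(mac: str, flag: str, handle=0x002C) -> list:
    """argv for writing `flag` to the flag-submission handle (0x002c by default)."""
    return ["gatttool", "-b", mac, "--char-write-req",
            "-a", handle_str(handle), "-n", to_hex(flag)]


if __name__ == "__main__":
    print(parse_char_read(SAMPLE_CHAR_READ))          # MD5 of Device Name
    print(" ".join(submit_cmd("08:3a:f2:b9:85:92", md5_flag("BLECTF"))))
```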