BLE Capture the Flag

The purpose of BLE CTF is to teach the core concepts of Bluetooth Low Energy client and server interactions. While it has also been built to be fun, it was built with the intent to teach and reinforce core concepts that are needed to plunge into the world of Bluetooth hacking. After completing this CTF, you should have everything you need to start fiddling with any BLE GATT device you can find.

Setting Up the CTF

In order to set up the CTF you will need the following:

  1. The pre-compiled firmware or source code in this repository to build and flash an ESP32 with the CTF GATT server.
  2. An ESP32 microcontroller (I sell overpriced pre-flashed ones here)
  3. A Linux box (OSX/Win + Linux VM works) with a Bluetooth controller or a Bluetooth USB dongle
  4. Bluetooth tools such as the BlueZ tools (hcitool, gatttool, etc.) or bleah

For instructions on compiling/flashing your own firmware or flashing the provided pre-compiled firmware, read this documentation.

Flags

How to Submit Flags

Before you can submit flags, you have to discover the Bluetooth MAC address of your device. Here are a couple of example commands to help you find your device:

Discover MAC using hcitool:
sudo hcitool lescan

Discover MAC using bleah:
sudo bleah

Now that you have found your device’s MAC address, you can communicate with it. Before we get started with flags, let’s check out how to see your current score. To see where you are in the CTF, read handle 42 (0x002a) on the device; it reports how many flags you have. The following are example commands for viewing your current score. Make sure you replace the MAC address in the example commands with the MAC address of your device.

Show score with gatttool:
gatttool -b de:ad:be:ef:be:f1 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'

Show score with bleah:
sudo bleah -b "30:ae:a4:20:79:da" -e

Ok, ok, ok, on to the flags! All flags are MD5 sums truncated to 20 characters to avoid MTU limits on some hardware. They are submitted to the GATT server by writing to handle 44 (0x002c). The following are examples of how to submit a flag. Make sure you replace the MAC address in the example commands with the MAC address of your device:

Submit using gatttool:
gatttool -b de:ad:be:ef:be:f1 --char-write-req -a 0x002c -n $(echo -n "some flag value"|xxd -ps)

Submit using bleah:
sudo bleah -b "30:ae:a4:20:79:da" -n 0x002c -d "some flag value"
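As an added example that is not part of the CTF repository, here is a small Python wrapper around the two gatttool commands above: it hex-encodes a flag exactly as the `echo -n ... | xxd -ps` pipeline does, refuses a flag longer than the 20 bytes a single write carries at the default ATT MTU of 23 (3 bytes go to the ATT header, which is why flags are cut to 20 characters), and decodes the `Characteristic value/descriptor:` line gatttool prints when the score handle is read. The function names and the sample gatttool output line are my own.

```python
# Added example, not code from the BLE CTF project.
import re
import subprocess

SCORE_HANDLE = 0x002A        # handle 42: read to get the current score
FLAG_HANDLE = 0x002C         # handle 44: write a flag here to submit it
ATT_DEFAULT_MTU = 23         # BLE default ATT_MTU before any MTU exchange
MAX_WRITE = ATT_DEFAULT_MTU - 3   # 20 bytes of payload after the 3-byte ATT header


def encode_flag(flag: str) -> str:
    """Hex-encode a flag for `gatttool -n`, like `echo -n flag | xxd -ps`."""
    data = flag.encode("ascii")
    if len(data) > MAX_WRITE:
        # A longer value would be cut or rejected by a default-MTU peripheral.
        raise ValueError(f"flag is {len(data)} bytes; max {MAX_WRITE} at default MTU")
    return data.hex()


def decode_char_read(output: str) -> str:
    """Turn gatttool --char-read output ('... descriptor: 30 2f 32 30') into text."""
    m = re.search(r"Characteristic value/descriptor:\s*((?:[0-9a-fA-F]{2}\s*)+)", output)
    if not m:
        raise ValueError(f"unexpected gatttool output: {output!r}")
    # bytes.fromhex() skips the spaces/newline gatttool leaves between bytes.
    return bytes.fromhex(m.group(1)).decode("ascii", "replace")


def gatttool(mac: str, *args: str) -> str:
    """Run gatttool against one device and return its stdout (raises on failure)."""
    proc = subprocess.run(["gatttool", "-b", mac, *args],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def read_score(mac: str) -> str:
    """Read the score handle, equivalent to the gatttool --char-read pipeline above."""
    return decode_char_read(gatttool(mac, "--char-read", "-a", f"0x{SCORE_HANDLE:04x}"))


def submit_flag(mac: str, flag: str) -> str:
    """Write a flag to the submission handle; gatttool prints the write status."""
    return gatttool(mac, "--char-write-req", "-a", f"0x{FLAG_HANDLE:04x}",
                    "-n", encode_flag(flag)).strip()


if __name__ == "__main__":
    import sys
    mac = sys.argv[1]                       # e.g. de:ad:be:ef:be:f1 (your device's MAC)
    print("score:", read_score(mac))
    if len(sys.argv) > 2:
        print(submit_flag(mac, sys.argv[2]))
        print("score:", read_score(mac))
```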

Flag Hints

| Flag | Description | Hint |
|---|---|---|
| Flag 1 | This flag is a gift and can only be obtained from reading the hint! | Read Me! |
| Flag 0x002e | Learn how to read handles | More |
| Flag 0x0030 | Read handle puzzle fun | More |
| Flag 0x0016 | Learn about discoverable device attributes | More |
| Flag 0x0032 | Learn about reading and writing to handles | More |
| Flag 0x0034 | Learn about reading and writing ASCII to handles | More |
| Flag 0x0036 | Learn about reading and writing hex to handles | More |
| Flag 0x0038 | Learn about reading and writing to handles differently | More |
| Flag 0x003c | Learn about write fuzzing | More |
| Flag 0x003e | Learn about read and write speeds | More |
| Flag 0x0040 | Learn about single response notifications | More |
| Flag 0x0042 | Learn about single response indicate | More |
| Flag 0x0046 | Learn about multi response notifications | More |
| Flag 0x0048 | Learn about multi response indicate | More |
| Flag 0x004c | Learn about BT client device attributes | More |
| Flag 0x004e | Learn about message sizes (MTU) | More |
| Flag 0x0050 | Learn about write responses | More |
| Flag 0x0052 | Hidden notify property | More |
| Flag 0x0054 | Use multiple handle properties | More |
| Flag 0x0056 | OSINT the author! | More |