iot小白最近入门BLE,看到yichen115师傅关于BLECTF的文章,感觉挺不错的,同时去年该项目有了更新,就自己试着做了做。并且针对yichen115师傅文章没写的地方进行补充。
一
环境搭建
esp32
的板子跟一个支持linux平台的蓝牙适配器或者USB加密狗。esptool
工具,这是一个基于 Python、开源、独立于平台的实用程序,用于与 Espressif 芯片中的 ROM 引导加载程序进行通信。我们得用它来烧录。sudo apt-get install esptool
ble_ctf
项目,/dev/ttyUSB0
是我们的串口名称。git clone https://github.com/hackgnar/ble_ctf
cd ble_ctf
esptool -p /dev/ttyUSB0 -b 460800 --before default_reset --after hard_reset --chip esp32 write_flash --flash_mode dio --flash_size 2MB --flash_freq 40m 0x1000 build/bootloader/bootloader.bin 0x8000 build/partition_table/partition-table.bin 0x10000 build/ble_ctf.bin
二
相关知识
hcitool
工具来对BLE
设备进行控制。hcitool
搜索BLE
设备来找到我们蓝牙设备的MAC
地址。sudo hcitool lescan
BLE
设备建立连接后如何传输属性(数据),其中有三个相当重要的概念:Profile(配置文件)、Service(服务)、Characteristics(特征)
,它们可以抽象成以下包含关系:GATT
主要是负责在两个已经连接的设备交互数据,定义了BLE
网络堆栈的一般拓扑的GAP
层把BLE
设备区分为主机Master(Central)
和从机Slave(Perpherial)
。一般我们将从机
具有的数据或者属性特征,称之为Profile
(配置文件)。Characteristic
组成一个Service
,一个或多个Service
组成Profile。
Service
和Characteristic
,然后与之通信。Service
可以理解为一个功能集合,Characteristic
是主从通信的最小单元,是一个抽象功能单元。◆主机可主动向从机Write
写入或Read
读取数据。
◆从机可主动向主机Notify
通知数据。
GATT
层则区分为Server
和Client。
◆客户端(Client):客户端可以发送请求给GATT服务端,读取和写入存储在服务端的特征值(Characteristics )。
◆服务端(Server):该设备包含由GATT
客户端读取或写入的Characteristic
,每当客户端发送请求时,服务端就会接受并执行相应的请求。
Characteristic
一般包含以下特征:◆UUID(Universally Unique Identifier):用于唯一标识Characteristic。
◆Properties(属性):指定了Characteristic的行为,例如读取、写入、通知等。
◆Value(值):存储Characteristic的当前值。
◆Descriptors(描述符):提供了关于Characteristic的更多信息,如读写权限、单位、格式等。
BLECTF
的esp32
,它由很多Characteristic
组成。handle
举例,它就相当于某个Characteristic
的编号handle
的Value/Descriptor
,可以得到以下信息。1a
就是特征属性,代表权限。46
是这个特征的特征值的句柄 ,我们可以通过其去查看这个特征的描述。00 0f ff
是UUID
的缩略。handle
去读取Value/Descriptor
,得到的就是这个特征的描述。Attributes(属性)
,这是一个更一般的术语,用于表示特征
中的各种信息。它可以包含Characteristic
的UUID、Properties、Value、Descriptors等。Attributes用于描述和定义特征
的各个方面,以便设备之间能够理解和交换数据。hcitool
对于BLE
设备只能进行连接上的管理,如果需要更精细化的管理,就需要使用gatttool。
GATT commands
--primary 用于进行主服务发现,查找蓝牙设备上的主服务
--characteristics 用于进行特征发现,查找指定主服务下的特征
--char-read 用于写入特征的值,需要指定一个句柄
--char-write 用于写入特征的值,不需要响应
--char-write-req 用于写入特征的值,需要响应
--char-desc 于进行特征描述符发现,查找指定特征下的描述符
--listen 监听特征的通知和指示Primary Services/Characteristics arguments
-s, --start=0x0001 用于指定起始句柄(可选)
-e, --end=0xffff 用于指定结束句柄(可选)
-u, --uuid=0x1801 用于指定16bit或者128bit的UUID(可选)Characteristics Value/Descriptor Read/Write arguments
-a, --handle=0x0001 用于指定要读取或写入的特征或描述符的句柄
-n, --value=0x0001 用于指定要写入的特征值Application Options:
-i, --adapter=hciX 用于指定本地适配器接口,如hci0
-b, --device=MAC 用于指定远程蓝牙设备的MAC地址
-t, --addr-type=[public | random] 用于设置LE地址类型,可以选择公共地址还是随机地址,默认公共地址
-m, --mtu=MTU 用于指定ATT协议MTU大小
-p, --psm=PSM 用于指定GATT/ATT over BR/EDR的PSM
-l, --sec-level=[low | medium | high] 用于设置安全级别,可以选择低、中、高,默认低安全级别
-I, --interactive 用于启用交互模式
help 显示帮助信息
exit 退出交互模式
quit 退出交互模式
connect [address [address type]] 连接到远程设备
disconnect 断开与远程设备的连接
primary [UUID] 发现主要服务
included [start hnd [end hnd]] 查找包含的服务
characteristics [start hnd [end hnd [UUID]]] 发现特征
char-desc [start hnd] [end hnd] 发现特征描述符
char-read-hnd <handle> 通过句柄读取特征值/描述符
char-read-uuid <UUID> [start hnd] [end hnd] 通过UUID读取特征值/描述符
char-write-req <handle> <new value> 写入特征值(写请求)
char-write-cmd <handle> <new value> 写入特征值(无响应)
sec-level [low | medium | high] 设置安全级别,默认为低安全级别
mtu <value> 设置交换GATT/ATT的MTU(最大传输单元)
gatttool -b 08:B6:1F:B9:59:72 --characteristics
handle
是特征的句柄,char properties
是特征的属性,char value handle
是特征值的句柄,uuid
是特征的通用唯一标识符。三
关卡
gatttool
查看分数gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
gatttool
提交flag获得分数gatttool -b 08:B6:1F:B9:59:72 --char-write-req -a 0x002c -n $(echo -n "some flag value"|xxd -ps)
Flag one is a gift! You can only obtain it by reading this document or peaking at the source code. In short, this flag is to get you familiar with doing a simple write to a BLE handle. Do the following to get your first flag. Make sure you replace the MAC address in the examples below with your devices mac address!
BLE
句柄的特征进行简单的写入。gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
0x2c
句柄提交flag。gatttool -b 08:B6:1F:B9:59:72 --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps)
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
Check out the ascii value of handle 0x002e and submit it to the flag submision handle 0x002c. If you are using gatttool, make sure you convert it to hex with xxd. If you are using bleah, you can send it as a string value.
--char-read
加-a
指定0x002e。
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x002e
d205303e099ceff44835。
Check out the ascii value of handle 0x0030. Do what it tells you and submit the flag you find to 0x002c.
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x0030
MD5 of Device Name。
BLECTF
进行MD5
加密后得到值取前20位就是flag。Bluetooth GATT services provide some extra device attributes. Try finding the value of the Generic Access -> Device Name.
Generic Access
服务的UUID是预定义为00001800-0000-1000-8000-00805f9b34fb。
--primary
指令来发现所有的GATT
主服务。gatttool -b 08:B6:1F:B9:59:72 --primary
00001800-0000-1000-8000-00805f9b34fb
,所以第二个服务就是Generic Access
,根据它提供的句柄范围再去查看特征与句柄。gatttool -b 08:B6:1F:B9:59:72 --characteristics --start=0x0014 --end=0x001c
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x0016
2b00042f7481c7b056c4b410d28f33cf
取前20位。Read handle 0032 and do what it says. Notice that its not telling you to write to the flag handle as you have been. When you find the flag, go ahead and write it to the flag handle you have used in the past flags.
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x0032
Write anything here。
gatttool -b 08:B6:1F:B9:59:72 --char-write-req -a 0x0032 -n $(echo -n "2b00042f7481c7b056c4"|xxd -ps)
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x0032
3873c0270763568cf7aa。
Follow the instructions found from reading handle 0x0034. Keep in mind that some tools only write hex values while other provide methods for writing either hex or ascii
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x0034
Write the ascii value "yo" here。
c55c6314b3db0a6128af。
Follow the instructions found from reading handle 0x0036. Keep in mind that some tools only write hex values while other provide methods for writing either hex or ascii
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x0036
Write the hex value 0x07 here。
-n
直接接上对应的值就行了。gatttool -b 08:B6:1F:B9:59:72 --char-write-req -a 0x0036 -n 07
1179080b29f8da16ad66。
Follow the instructions found from reading handle 0x0038. Pay attention to handles here. Keep in mind handles can be refrenced by integer or hex. Most tools such as gatttool and bleah allow you to specify handles both ways.
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x0038
Write 0xC9 to handle 58。
gatttool -b 08:B6:1F:B9:59:72 --char-write-req -a 58 -n C9
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 58
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x38
f8b136d937fad6a2be9f。
Take a look at handle 0x003c and do what it says. You should script up a solution for this one. Also keep in mind that some tools write faster than others.
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x003c
Brute force my value 00 to ff。
#!/bin/zsh for value in $(seq 0 255); do
hex_value=$(printf "%02X" $value)
gatttool -b 08:B6:1F:B9:59:72 --char-write-req -a 0x003c -n $hex_value
sleep 0.5
done
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x3c
933c1fcfa8ed52d2ec05。
Talke a look at handle 0x003e and do what it says. Keep in mind that some tools have better connection speeds than other for doing reads and writes. This has to do with the functionality the tool provides or how it uses cached BT connections on the host OS. Try testing different tools for this flag. Once you find the fastest one, whip up a script or bash 1 liner to complete the task. FYI, once running, this task takes roughly 90 seconds to complete if done right.
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x003e
Read me 1000 times。
#!/bin/zsh for ((i=1; i<=1000; i++)); do
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x3e
sleep 0.1
done
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x3e
6ffcd214ffebdc0d069e。
Check out handle 0x0040 and google search gatt notify. Some tools like gatttool have the ability to subscribe to gatt notifications
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x0040
Listen to me for a single notification
,这个是让我们监听该句柄的一次通知。Write
写入或Read
读取数据,从机可主动向主机Notify
通知数据。char-write-req -a 0x0040 -n 00
,往该句柄以需要响应的形式写入数据,这样就可以启用通知。
--listen
开启监听就能接收到该句柄发送的通知(Notify
)和指示(indicate
)。gatttool -b 08:B6:1F:B9:59:72 --char-write-req -a 0x0040 -n 00 --listen
5ec3772bcd00cf06d8eb。
Check out handle 0x0042 and google search gatt indicate. For single response indicate messages, like this challenge, tools such as gatttool will work just fine.
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x0044
Listen to handle 0x0044 for a single indication
,让我们监听该句柄的一次指示。ACK
)来表示确认收到。gatttool
的操作其实跟上一题一样。gatttool -b 08:B6:1F:B9:59:72 --char-write-req -a 0x0044 -n 00 --listen
c7b86dd121848c77c113。
Check out handle 0x0046 and do what it says. Keep in mind that this notification clallange requires you to recieve multiple responses in order to complete.
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x0046
Listen to me for multi notifications
,就是接收多个通知,没啥区别,因为我们的监听功能是持续的,能一直接收。gatttool -b 08:B6:1F:B9:59:72 --char-write-req -a 0x0046 -n 00 --listen
c9457de5fd8cafe349fd
与U no want this msg。
Check out handle 0x0042 and google search gatt indicate. Keep in mind that this chalange will require you to parse multiple indicate responses in order to complete the chalange.
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x0048
Listen to handle 0x004a for multi indications
,上题同理。gatttool -b 08:B6:1F:B9:59:72 --char-write-req -a 0x004a -n 00 --listen
b6f3a47f207d38e16ffa。
Check out handle 0x004c and do what it says. Much like ethernet or wifi devices, you can also change your bluetooth devices mac address.
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x004c
Connect with BT MAC address 11:22:33:44:55:66
11:22:33:44:55:66。
README
,是支持我这个CSR4.0
的蓝牙适配器的。但是如果你去看看这个项目issue
,可以发现修改CSR
的设备的MAC
地址时会有问题,就是显示修改成功,但是实际MAC
地址还是原来的那个,我自己在修改时也发现这个问题。不过后来,把蓝牙适配器拔了再插上去后去查看,发现MAC
地址成功改变了!sudo ./bdaddr -i hci0 11:22:33:44:55:66
aca16920583e42bdcf5f。
Read handle 0x0048 and do what it says. Setting MTU can be a tricky thing. Some tools may provide mtu flags, but they dont seem to really trigger MTU negotiations on servers. Try using gatttool's interactive mode for this task. By default, the BLECTF server is set to force an MTU size of 20. The server will listen for MTU negotiations, and look at them, but we dont really change the MTU in the code. We just trigger the flag code if you trigger an MTU event with the value specified in handle 0x0048. GLHF!
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x004e
Set your connection MTU to 444。
-m
来设置有些问题,不过可以进入交互模式来设置。gatttool -b 08:B6:1F:B9:59:72 -I
connect
mtu 444
b1e409e5a4eaf9fe5158。
Check out handle 0x0050 and do what it says. This chalange differs from other write chalanges as your tool that does the write needs to have write response ack messages implemente correctly. This flag is also tricky as the flag will come back as notification response data even though there is no "NOTIFY" property.
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x0050
Write+resp 'hello'
,只需要注意只能使用--char-write-req
,而不能使用--char-write
就行了。gatttool -b 08:B6:1F:B9:59:72 --char-write-req -a 0x0050 -n $(echo -n "hello"|xxd -ps)
d41d8cd98f00b204e980。
Take a look at handle 0x0052. Notice it does not have a notify property. Do a write here and listen for notifications anyways! Things are not always what they seem!
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x0052
No notifications here! really?
gatttool -b 08:B6:1F:B9:59:72 --characteristics
0x0052
句柄值对应属性值为0x0a
,所以它应该只有写入和读取权限,但是我们主动向其写入输入来启用通知,从而监听服务端的通知。gatttool -b 08:B6:1F:B9:59:72 --char-write-req -a 0x0052 -n 00 --listen
fc920c68b6006169477b。
Check out all of the handle properties on 0x0054! Poke around with all of them and find pieces to your flag.
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x0054
So many properties!
,我们可以看到该句柄属性值为0x9b,其对应权限为广播、读取、带响应写入、通知、扩展。gatttool -b 08:B6:1F:B9:59:72 --char-write-req -a 0x0054 -n 00
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x0054
gatttool -b 08:B6:1F:B9:59:72 --char-write-req -a 0x0054 -n 00 --listen
fbb966958f07e4a0cc48。
Figure out the authors twitter handle and do what 0x0056 tells you to do!
gatttool -b 08:B6:1F:B9:59:72 --char-read -a 0x0056
md5 of author's twitter handle。
@hackgnar。
d953bfb9846acc2e15ee。
看雪ID:Arahat0
https://bbs.kanxue.com/user-home-964693.htm
# 往期推荐
球分享
球点赞
球在看
点击阅读原文查看更多