
Three flags at once?

PhatHub opened this issue 5 years ago • 0 comments

I'm not sure what happened but I'll try to piece together what happened. Note: I have a write.sh as a shortcut to execute: gatttool -b $BTADDR --char-write-req -a $1 -n $(echo -n "$2"|xxd -ps)

The first day I followed the instructions on the wiki and tried using bettercap but that ble module was rather broken.

Then I set the flag to the first puzzle, and had the following output:

@ Enumerating all the things ...

┌──────────────┬────────────────────────────────────────────────────────────────────────┬─────────────┬───────────────────────────────────────────────────────┐
│ Handles      │ Service > Characteristics                                              │ Properties  │ Data                                                  │
├──────────────┼────────────────────────────────────────────────────────────────────────┼─────────────┼───────────────────────────────────────────────────────┤
│ 0001 -> 0005 │ Generic Attribute ( 00001801-0000-1000-8000-00805f9b34fb )             │             │                                                       │
│ 0003         │   Service Changed ( 00002a05-0000-1000-8000-00805f9b34fb )             │ INDICATE    │                                                       │
│              │                                                                        │             │                                                       │
│ 0014 -> 001c │ Generic Access ( 00001800-0000-1000-8000-00805f9b34fb )                │             │                                                       │
│ 0016         │   Device Name ( 00002a00-0000-1000-8000-00805f9b34fb )                 │ READ        │ u'04dc54d9053b4307680a'                               │
│ 0018         │   Appearance ( 00002a01-0000-1000-8000-00805f9b34fb )                  │ READ        │ Unknown                                               │
│ 001a         │   Central Address Resolution ( 00002aa6-0000-1000-8000-00805f9b34fb )  │ READ        │ '\x00'                                                │
│              │                                                                        │             │                                                       │
│ 0028 -> ffff │ 00ff ( 000000ff-0000-1000-8000-00805f9b34fb )                          │             │                                                       │
│ 002a         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'docs: https://github.com/hackgnar/ble_ctf_infinity' │
│ 002c         │   ff02 ( 0000ff02-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flags complete: 0 /10'                              │
│ 002e         │   ff02 ( 0000ff02-0000-1000-8000-00805f9b34fb )                        │ READ WRITE  │ u'-n12345678901234567890\n'                           │
│ 0030         │   ff02 ( 0000ff02-0000-1000-8000-00805f9b34fb )                        │ READ WRITE  │ u'Write 0x0000 to 0x00FF to goto flag'                │
│ 0032         │   ff02 ( 0000ff02-0000-1000-8000-00805f9b34fb )                        │ READ WRITE  │ u'Write 0xC1EA12 to reset all flags'                  │
│ 0034         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 0: Incomplete'                                 │
│ 0036         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 1: Incomplete'                                 │
│ 0038         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 2: Incomplete'                                 │
│ 003a         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 3: Incomplete'                                 │
│ 003c         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 4: Incomplete'                                 │
│ 003e         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 5: Incomplete'                                 │
│ 0040         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 6: Incomplete'                                 │
│ 0042         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 7: Incomplete'                                 │
│ 0044         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 8: Incomplete'                                 │
│ 0046         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 9: Incomplete'                                 │
│              │                                                                        │             │                                                       │
└──────────────┴────────────────────────────────────────────────────────────────────────┴─────────────┴───────────────────────────────────────────────────────┘
()

I then ran write.sh 0x002e 12345678901234567890 from your example on the github docs. (write.sh is a shortcut for the gatttool command so I only have to give the handle and the data)

and I immediately got three flags at once:

@ Connecting to f0:08:d1:d3:78:d2 ... connected.
@ Enumerating all the things ...

┌──────────────┬────────────────────────────────────────────────────────────────────────┬─────────────┬───────────────────────────────────────────────────────┐
│ Handles      │ Service > Characteristics                                              │ Properties  │ Data                                                  │
├──────────────┼────────────────────────────────────────────────────────────────────────┼─────────────┼───────────────────────────────────────────────────────┤
│ 0001 -> 0005 │ Generic Attribute ( 00001801-0000-1000-8000-00805f9b34fb )             │             │                                                       │
│ 0003         │   Service Changed ( 00002a05-0000-1000-8000-00805f9b34fb )             │ INDICATE    │                                                       │
│              │                                                                        │             │                                                       │
│ 0014 -> 001c │ Generic Access ( 00001800-0000-1000-8000-00805f9b34fb )                │             │                                                       │
│ 0016         │   Device Name ( 00002a00-0000-1000-8000-00805f9b34fb )                 │ READ        │ u'04dc54d9053b4307680a'                               │
│ 0018         │   Appearance ( 00002a01-0000-1000-8000-00805f9b34fb )                  │ READ        │ Unknown                                               │
│ 001a         │   Central Address Resolution ( 00002aa6-0000-1000-8000-00805f9b34fb )  │ READ        │ '\x00'                                                │
│              │                                                                        │             │                                                       │
│ 0028 -> ffff │ 00ff ( 000000ff-0000-1000-8000-00805f9b34fb )                          │             │                                                       │
│ 002a         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'docs: https://github.com/hackgnar/ble_ctf_infinity' │
│ 002c         │   ff02 ( 0000ff02-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flags complete: 3 /10'                              │
│ 002e         │   ff02 ( 0000ff02-0000-1000-8000-00805f9b34fb )                        │ READ WRITE  │ u'Submit flags here'                                  │
│ 0030         │   ff02 ( 0000ff02-0000-1000-8000-00805f9b34fb )                        │ READ WRITE  │ u'Write 0x0000 to 0x00FF to goto flag'                │
│ 0032         │   ff02 ( 0000ff02-0000-1000-8000-00805f9b34fb )                        │ READ WRITE  │ u'Write 0xC1EA12 to reset all flags'                  │
│ 0034         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 0: Complete  '                                 │
│ 0036         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 1: Incomplete'                                 │
│ 0038         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 2: Incomplete'                                 │
│ 003a         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 3: Incomplete'                                 │
│ 003c         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 4: Incomplete'                                 │
│ 003e         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 5: Incomplete'                                 │
│ 0040         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 6: Incomplete'                                 │
│ 0042         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 7: Incomplete'                                 │
│ 0044         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 8: Complete  '                                 │
│ 0046         │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb )                        │ READ        │ u'Flag 9: Complete  '                                 │
│              │                                                                        │             │                                                       │
└──────────────┴────────────────────────────────────────────────────────────────────────┴─────────────┴───────────────────────────────────────────────────────┘
()

I'm not sure if this is intentional, but I found this weird and thought that I ought to bring this up to you.

PhatHub, Oct 09 '20 19:10
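To make the "three flags at once" observation checkable rather than eyeballed, here is an added example (not code from the issue or from the ble_ctf_infinity project) that parses bettercap-style enumeration rows into handle -> data and diffs the per-flag status between two runs. The sample rows are constructed from the issue's own table layout and abridged to the handles that matter.

```python
import re

# Constructed sample rows in the issue's bettercap box-drawing layout,
# before and after the write to handle 0x002e (abridged).
BEFORE = """\
│ 0028 -> ffff │ 00ff ( 000000ff-0000-1000-8000-00805f9b34fb ) │            │                            │
│ 002c │   ff02 ( 0000ff02-0000-1000-8000-00805f9b34fb ) │ READ       │ u'Flags complete: 0 /10'   │
│ 002e │   ff02 ( 0000ff02-0000-1000-8000-00805f9b34fb ) │ READ WRITE │ u'-n12345678901234567890\\n' │
│ 0034 │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb ) │ READ       │ u'Flag 0: Incomplete'      │
│ 0044 │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb ) │ READ       │ u'Flag 8: Incomplete'      │
│ 0046 │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb ) │ READ       │ u'Flag 9: Incomplete'      │
"""
AFTER = """\
│ 002c │   ff02 ( 0000ff02-0000-1000-8000-00805f9b34fb ) │ READ       │ u'Flags complete: 3 /10'   │
│ 002e │   ff02 ( 0000ff02-0000-1000-8000-00805f9b34fb ) │ READ WRITE │ u'Submit flags here'       │
│ 0034 │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb ) │ READ       │ u'Flag 0: Complete  '      │
│ 0044 │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb ) │ READ       │ u'Flag 8: Complete  '      │
│ 0046 │   ff01 ( 0000ff01-0000-1000-8000-00805f9b34fb ) │ READ       │ u'Flag 9: Complete  '      │
"""

# One characteristic row: handle | service/characteristic | properties | data.
# Service header rows ("0028 -> ffff") and border lines deliberately do not match.
ROW = re.compile(r"^│\s*([0-9a-fA-F]{4})\s*│(.*?)│\s*([A-Z ]*?)\s*│\s*(.*?)\s*│\s*$")
FLAG = re.compile(r"^(Flag \d+):\s*(\w+)")

def parse_table(text):
    """Map each characteristic handle (int) to its decoded Data column."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        handle, _svc, _props, data = m.groups()
        # bettercap prints values as Python 2 reprs: u'...' or '...'
        if data.endswith("'") and "'" in data[:2]:
            data = data[data.index("'") + 1:-1]
        rows[int(handle, 16)] = data.strip()
    return rows

def completed_count(rows):
    """Read the 'Flags complete: N /M' summary characteristic, if present."""
    for data in rows.values():
        m = re.match(r"Flags complete:\s*(\d+)\s*/\s*(\d+)", data)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None

def flag_changes(before, after):
    """Return {flag: (old_state, new_state)} for every flag whose state changed."""
    changes = {}
    for handle, new in after.items():
        m_new, m_old = FLAG.match(new), FLAG.match(before.get(handle, ""))
        if m_new and m_old and m_new.group(2) != m_old.group(2):
            changes[m_new.group(1)] = (m_old.group(2), m_new.group(2))
    return changes
```

Running `flag_changes(parse_table(BEFORE), parse_table(AFTER))` on these rows reports Flag 0, Flag 8 and Flag 9 flipping from Incomplete to Complete after a single write, which is the behaviour the issue describes.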