BLE CTF
Summary
This tutorial explains how to set up an ESP-32 device for solving 20 flag-based BLE challenges. Check out the CTF and the description of the flags: [1]
Requirements
- Operating systems: Ubuntu 18.04 bionic amd64, Kali
- On Kali you'll have to install the bluetooth package:
apt-get install bluetooth
- You might have to start the bluetooth service:
service bluetooth start
Description
Step 1 - Standard Setup of Toolchain for Linux
Install prerequisites:
sudo apt-get install git wget flex bison gperf python3 python3-pip python3-setuptools cmake ninja-build ccache libffi-dev libssl-dev dfu-util libusb-1.0-0
Download ESP32 toolchain for Linux and extract it in ~/esp directory:
mkdir -p ~/esp
cd ~/esp
tar -xzf ~/Downloads/xtensa-esp32-elf-linux64-1.22.0-80-g6c4433a-5.2.0.tar.gz
Update your PATH environment variable in ~/.profile to use the toolchain. To do this, add the following line to your ~/.profile file:
export PATH="$HOME/esp/xtensa-esp32-elf/bin:$PATH"
On UBUNTU: log off and log back in to make the changes effective.
On KALI do not log off.
Run the following command to verify if PATH is correctly set:
printenv PATH
The output in Ubuntu should contain (userName gets replaced by your user name):
/home/userName/esp/xtensa-esp32-elf/bin
Step 2 - Install ESP-IDF
Go to ~/esp and clone the repository:
cd ~/esp
git clone --recursive https://github.com/espressif/esp-idf.git
Set the IDF_PATH environment variable. To do this, add the following line to ~/.profile:
export IDF_PATH=~/esp/esp-idf
Log off and log back in to make the changes effective.
Verify if the variable has been set correctly:
printenv IDF_PATH
The output should display the previously entered path (replace userName with your user name):
/home/userName/esp/esp-idf
Step 3 - Install Python packages
Run installation script:
cd ~/esp/esp-idf
./install.sh esp32
Step 4 - Connect the device
Make sure your device is unplugged, then run:
ls /dev/tty*
Plug your device into the host computer and run again:
ls /dev/tty*
The port that appears the second time is the one needed.
Step 5 - CTF Setup
Unplug your device.
Change into your ~/esp directory and execute the following commands:
cd ~/esp
git clone https://github.com/hackgnar/ble_ctf.git
cd ble_ctf
make menuconfig
Make sure Bluetooth is turned on under "Component config".
If you receive an error while running make, rerun make menuconfig, go to Compiler options ---> and turn on the "Disable new warnings introduced in GCC 6 - 8" option.
KALI --> if you get an error on Kali, you have to configure the Makefile by adding:
ESP_IDF = ~/esp/esp-idf
A window appears. Navigate to "Serial flasher config" > "Default Serial port" and enter the port you found in step 4. Confirm, save and exit.
make
Plug your device into your host computer.
make flash
Press the RST button on your device.
Step 6 - First Interaction with ESP-32 via BLE
Discover the MAC address of your device:
sudo hcitool lescan
The device with the description "BLECTF" is your device.
Display current score (replace the x's with the MAC address discovered before):
gatttool -b xx:xx:xx:xx:xx:xx --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
The terminal should display:
Score: 0/20
Step 7 - Upload your first flag
Run (replace the x's with your MAC address):
gatttool -b xx:xx:xx:xx:xx:xx --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps)
Display the score (replace the x's with your MAC address):
gatttool -b xx:xx:xx:xx:xx:xx --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
The output should now display:
Score:1 /20
Congratulations!! You successfully set up your ESP-32 and uploaded the first flag! :)
Important Commands for the BLE CTF
Start the BLE CTF: https://github.com/hackgnar/ble_ctf
hciconfig
sudo hciconfig -a
...lists all hci interfaces
sudo hciconfig hciX down
sudo hciconfig hciX up
You might need this on receiving I/O errors.
hcitool
sudo hcitool lescan
...lists all available BLE devices.
gatttool
sudo gatttool -i hci0 -b XX:XX:XX:XX:XX:XX --characteristics
...lists all characteristics/handles of the GATT server
sudo gatttool -b XX:XX:XX:XX:XX:XX --char-read -a 0x0011
...reads the characteristic/handle value from handle 0x0011
sudo gatttool -b XX:XX:XX:XX:XX:XX --char-write -a 0x0011 -n 0x1122
...writes the value 0x1122 to characteristic/handle 0x0011
gatttool -b XX:XX:XX:XX:XX:XX --char-read -a 0x0011 --listen
...streams notification data while subscribed / listening
gatttool -b XX:XX:XX:XX:XX:XX -I
...for persistent connections to a GATT server
Speed-up Shell script for retrieving the current score:
$ cat <<EOF > score.sh
#!/bin/bash
gatttool -b xx:xx:xx:xx:xx:xx --char-read -a 0x002a | awk -F':' '{print \$2}' | tr -d ' ' | xxd -r -p; printf '\n'
EOF
$ chmod u+x score.sh
$ ./score.sh
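The score script above and the read/write commands from steps 6 and 7 can be wrapped into a small POSIX shell library. This is an added example, not part of the original tutorial or the ble_ctf project; it assumes gatttool is in PATH, uses the handles from the tutorial (0x002a for the score, 0x002c for flag submission), and avoids xxd so the decoding can be checked offline on a constructed gatttool output line.

```shell
#!/bin/sh
# Added helper library for the BLE CTF gatttool workflow (not from the tutorial).
# Assumed handles (from the tutorial): 0x002a = score, 0x002c = flag submission.

# Decode one gatttool --char-read output line into ASCII.
# Constructed sample input:
#   "Characteristic value/descriptor: 53 63 6f 72 65 3a 20 30 2f 32 30"
# Returns 1 (and prints nothing) if the line is not a read result, e.g. a
# "connect error: ..." message, so callers can detect a failed read.
decode_gatt_read() {
    line="$1"
    case "$line" in
        "Characteristic value/descriptor: "*) ;;
        *) return 1 ;;
    esac
    hex="${line#*: }"
    fmt=""
    for b in $hex; do
        # Each token must be exactly two hex digits; anything else is garbage.
        case "$b" in
            [0-9a-fA-F][0-9a-fA-F]) ;;
            *) return 1 ;;
        esac
        # Build a POSIX octal escape (\123) for every byte; %b expands them.
        fmt="${fmt}$(printf '\\%03o' "$((0x$b))")"
    done
    printf '%b' "$fmt"
}

# Hex-encode a string for gatttool's -n argument (replaces "xxd -ps").
hex_encode() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# Read a handle and print its value as ASCII.  Usage: ble_read_ascii MAC HANDLE
ble_read_ascii() {
    decode_gatt_read "$(gatttool -b "$1" --char-read -a "$2")"
}

# Print the current score line (handle 0x002a).  Usage: ble_score MAC
ble_score() {
    ble_read_ascii "$1" 0x002a && printf '\n'
}

# Submit a flag (handle 0x002c).  Usage: ble_submit_flag MAC FLAG
ble_submit_flag() {
    gatttool -b "$1" --char-write-req -a 0x002c -n "$(hex_encode "$2")"
}
```

Source the file (`. ./blectf.sh`), then `ble_submit_flag xx:xx:xx:xx:xx:xx 12345678901234567890` followed by `ble_score xx:xx:xx:xx:xx:xx` reproduces steps 6 and 7 of the tutorial.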
Used Hardware
- Ubuntu host computer
- ESP-32 NodeMCU Development Board
- Micro USB cable
References
- http://www.hackgnar.com/2018/06/learning-bluetooth-hackery-with-ble-ctf.html?m=1
- https://docs.espressif.com/projects/esp-idf/en/latest/get-started/#setup-toolchain
- http://web.archive.org/web/20181214013848/https://docs.espressif.com/projects/esp-idf/en/latest/get-started/add-idf_path-to-profile.html
- https://docs.espressif.com/projects/esp-idf/en/latest/get-started/establish-serial-connection.html
- https://github.com/hackgnar/ble_ctf/blob/master/docs/setup.md