BLE CTF
Summary
This tutorial explains how to set up an ESP-32 development board for solving the 20 flag-based BLE challenges of BLE CTF. See the CTF itself and the description of the flags: [1]
Requirements
- Operating systems: Ubuntu 18.04 bionic amd64, Kali
- On Kali you'll have to install the bluetooth package:
apt-get install bluetooth
Description
Step 1 - Standard Setup of Toolchain for Linux
Install prerequisites:
sudo apt-get install gcc git wget make libncurses-dev flex bison gperf python python-pip python-setuptools python-serial python-cryptography python-future python-pyparsing
Download the ESP32 toolchain for Linux (see [2]) and extract it into the ~/esp directory:
mkdir -p ~/esp
cd ~/esp
tar -xzf ~/Downloads/xtensa-esp32-elf-linux64-1.22.0-80-g6c4433a-5.2.0.tar.gz
Update your PATH environment variable in ~/.profile to use the toolchain. To do this, add the following line to your ~/.profile file:
export PATH="$HOME/esp/xtensa-esp32-elf/bin:$PATH"
Log off and log back in to make the change effective. Run the following command to verify that PATH is set correctly:
printenv PATH
The output should contain the following entry (with userName replaced by your user name):
/home/userName/esp/xtensa-esp32-elf/bin
Step 2 - Install ESP-IDF
Go to ~/esp and clone the repository:
cd ~/esp
git clone --recursive https://github.com/espressif/esp-idf.git
Set the IDF_PATH environment variable. To do this, add the following line to ~/.profile:
export IDF_PATH=~/esp/esp-idf
Log off and log back in to make the change effective.
Verify that the variable has been set correctly:
printenv IDF_PATH
The output should display the previously entered path (replace userName with your user name):
/home/userName/esp/esp-idf
Step 3 - Install Python packages
Run:
python -m pip install --user -r $IDF_PATH/requirements.txt
KALI: if this step fails on Kali, add the following line to the Makefile:
ESP_IDF = ~/esp/esp-idf
Step 4 - Connect the device
Make sure your device is unplugged, then run:
ls /dev/tty*
Plug your device into the host computer and run the command again:
ls /dev/tty*
The port that appears only the second time (typically /dev/ttyUSB0) is the one you need. If flashing later fails with a permission error on that port, add your user to the dialout group (sudo usermod -a -G dialout $USER) and log in again.
Step 5 - CTF Setup
Unplug your device.
Change into your ~/esp directory and execute the following commands:
cd ~/esp
git clone https://github.com/hackgnar/ble_ctf.git
cd ble_ctf
make menuconfig
A configuration menu appears. Navigate to "Serial flasher config" > "Default serial port" and enter the port you found in step 4. Confirm, save and exit, then build the firmware:
make
Plug your device into your host computer and flash the firmware:
make flash
Press the RST button on your device to boot the new firmware.
Step 6 - First Interaction with ESP-32 via BLE
Discover the MAC address of your device (the scan needs root privileges; hcitool and gatttool are deprecated in current BlueZ releases in favour of bluetoothctl, but they still ship with Ubuntu 18.04 and Kali):
sudo hcitool lescan
The device advertising the name "BLECTF" is your device.
Display the current score by reading handle 0x002a and decoding the hex dump that gatttool prints (replace the x's with the MAC address discovered before):
gatttool -b xx:xx:xx:xx:xx:xx --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
The terminal should display:
Score: 0/20
Step 7 - Upload your first flag
Submit the flag by writing its ASCII bytes, hex-encoded, to handle 0x002c (replace the x's with your MAC address):
gatttool -b xx:xx:xx:xx:xx:xx --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps)
Display the score (replace the x's with your MAC address):
gatttool -b xx:xx:xx:xx:xx:xx --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
The output should now display:
Score: 1/20
Congratulations!! You have successfully set up your ESP-32 and submitted the first flag! :)
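The two gatttool one-liners in steps 6 and 7 are worth wrapping in shell functions so the hex decoding and encoding is not retyped for every flag. The following script is an added example and is not part of the original page or of the ble_ctf project. It assumes the handles used above (0x002a for the score, 0x002c for flag submission) and the line format "Characteristic value/descriptor: <hex bytes>" that gatttool prints for --char-read; the sample output line embedded in the script is constructed for the offline demo. Decoding uses printf octal escapes and encoding uses od, so the script does not depend on xxd.

```bash
#!/usr/bin/env bash
# Added example (not from the page or the ble_ctf project): helpers around the
# gatttool commands used to read the score and submit a flag.

# Constructed sample of what `gatttool --char-read` prints for the ASCII text
# "Score: 0/20"; used by the offline demo at the bottom.
SAMPLE_READ_OUTPUT='Characteristic value/descriptor: 53 63 6f 72 65 3a 20 30 2f 32 30 '

# Handles assumed from the tutorial: 0x002a holds the score, 0x002c accepts flags.
SCORE_HANDLE=0x002a
FLAG_HANDLE=0x002c

# decode_gatt_value <gatttool read line>: turn the hex dump after "descriptor:"
# back into ASCII. Same job as the awk|tr|xxd pipeline on the page, but done
# with printf octal escapes so xxd is not required.
decode_gatt_value() {
    hex=$(printf '%s' "$1" | awk -F':' '{print $2}' | tr -d ' \n')
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}      # first two hex digits
        [ "${#byte}" -eq 2 ] || break  # stop on a dangling odd digit
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

# hex_payload <string>: encode a flag string as the hex string gatttool expects
# after -n (no spaces, no newline).
hex_payload() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# ble_read_ascii <mac> <handle>: read a characteristic and print it as text.
ble_read_ascii() {
    decode_gatt_value "$(gatttool -b "$1" --char-read -a "$2")"
    printf '\n'
}

# ble_write_string <mac> <handle> <string>: write a string with a write request.
ble_write_string() {
    gatttool -b "$1" --char-write-req -a "$2" -n "$(hex_payload "$3")"
}

# submit_flag <mac> <flag>: submit a flag and show the score before and after.
submit_flag() {
    printf 'before: '; ble_read_ascii "$1" "$SCORE_HANDLE"
    ble_write_string "$1" "$FLAG_HANDLE" "$2"
    printf 'after:  '; ble_read_ascii "$1" "$SCORE_HANDLE"
}

# Usage: ./blectf.sh xx:xx:xx:xx:xx:xx 12345678901234567890
# Without arguments the constructed sample is decoded so the helpers can be
# tried without a board attached.
if [ "$#" -ge 2 ]; then
    submit_flag "$1" "$2"
else
    printf 'sample decode: %s\n' "$(decode_gatt_value "$SAMPLE_READ_OUTPUT")"
    printf 'flag payload:  %s\n' "$(hex_payload 12345678901234567890)"
fi
```

Running the script with the board's MAC address and the first flag reproduces steps 6 and 7 in one go; running it with no arguments only exercises the encoding and decoding helpers on the constructed sample.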
Used Hardware
- Ubuntu host computer
- ESP-32 NodeMCU Development Board
- Micro USB cable
References
- http://www.hackgnar.com/2018/06/learning-bluetooth-hackery-with-ble-ctf.html?m=1
- https://docs.espressif.com/projects/esp-idf/en/latest/get-started/#setup-toolchain
- https://docs.espressif.com/projects/esp-idf/en/latest/get-started/add-idf_path-to-profile.html
- https://docs.espressif.com/projects/esp-idf/en/latest/get-started/establish-serial-connection.html
- https://github.com/hackgnar/ble_ctf/blob/master/docs/setup.md