BLE CTF
Summary
This tutorial explains how to set up an ESP-32 device for solving 20 flag-based BLE challenges.
Requirements
- Operating system: Ubuntu 18.04 bionic amd64
Description
Step 1 - Standard Setup of Toolchain for Linux
Install prerequisites:
sudo apt-get install gcc git wget make libncurses-dev flex bison gperf python python-pip python-setuptools python-serial python-cryptography python-future python-pyparsing
Download ESP32 toolchain for Linux and extract it in ~/esp directory:
mkdir -p ~/esp
cd ~/esp
tar -xzf ~/Downloads/xtensa-esp32-elf-linux64-1.22.0-80-g6c4433a-5.2.0.tar.gz
Update your PATH environment variable in ~/.profile to use the toolchain. To do this, add the following line to your ~/.profile file:
export PATH="$HOME/esp/xtensa-esp32-elf/bin:$PATH"
Log off and log back in to make the changes effective. Run the following command to verify that PATH is correctly set:
printenv PATH
The output should contain the following path (with userName replaced by your user name):
/home/userName/esp/xtensa-esp32-elf/bin
Step 2 - Install ESP-IDF
Go to ~/esp and clone the repository:
cd ~/esp
git clone --recursive https://github.com/espressif/esp-idf.git
Set the IDF_PATH environment variable. To do this, add the following line to ~/.profile:
export IDF_PATH=~/esp/esp-idf
Log off and log back in to make the changes effective.
Verify that the variable has been set correctly:
printenv IDF_PATH
The output should display the previously entered path (replace userName with your user name):
/home/userName/esp/esp-idf
Step 3 - Install Python packages
Run:
python -m pip install --user -r $IDF_PATH/requirements.txt
Step 4 - Connect the device
Make sure your device is unplugged, then run:
ls /dev/tty*
Plug your device into the host computer and run again:
ls /dev/tty*
The port that appears only in the second listing is the one you need.
Step 5 - CTF Setup
Unplug your device.
Change into your ~/esp directory and execute the following commands:
cd ~/esp
git clone https://github.com/hackgnar/ble_ctf.git
cd ble_ctf
make menuconfig
A configuration menu appears. Navigate to "Serial flasher config" > "Default Serial port" and enter the port you found in step 4. Confirm, save and exit.
make
Plug your device into your host computer.
make flash
Step 6 - First Interaction with ESP-32 via BLE
Discover the MAC address of your device:
sudo hcitool lescan
The device with the description "BLECTF" is your device.
Display current score (replace the x's with the MAC address discovered before):
gatttool -b xx:xx:xx:xx:xx:xx --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
The terminal should display:
Score: 0/20
Step 7 - Upload your first flag
Run (replace the x's with your MAC address):
gatttool -b xx:xx:xx:xx:xx:xx --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps)
Display the score (replace the x's with your MAC address):
gatttool -b xx:xx:xx:xx:xx:xx --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
The output should now display:
Score: 1/20
Congratulations!! You have successfully set up your ESP-32 and uploaded the first flag! :)
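The one-liners in steps 4, 6 and 7 hide three small byte-level tasks: spotting the serial port that newly appeared, turning the hex bytes that gatttool prints back into text, and hex-encoding a flag for the write request. The script below is an added example (not part of the BLE CTF project or of the commands above) that does each of these in plain POSIX shell functions, so the conversions can be checked on a host without a device. The gatttool output line and the tty listings used in the demo are constructed sample data; the characteristic handles 0x002a and 0x002c and the MAC placeholder are the ones this page uses. The 20-byte limit in flag_write_cmd reflects the default ATT MTU of 23, which leaves 20 bytes of payload for a Write Request when no larger MTU has been negotiated.

```sh
#!/bin/sh
# Added example for the BLE CTF setup tutorial; not the project's own code.

# Step 4: print the ports present in the second `ls /dev/tty*` listing
# but absent from the first. $1 = listing before, $2 = listing after.
new_tty() {
    printf '%s\n' "$2" | while IFS= read -r port; do
        # exact line match, so /dev/ttyS1 does not hide /dev/ttyS10
        printf '%s\n' "$1" | grep -Fxq -- "$port" || printf '%s\n' "$port"
    done
}

# Step 7: hex-encode a string the way `echo -n ... | xxd -ps` does.
hex_encode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Step 6: decode a `gatttool --char-read` line such as
#   "Characteristic value/descriptor: 53 63 6f 72 65 3a 20 30 2f 32 30"
# into the text it carries ("Score: 0/20"). A failed read prints a
# different line; refuse it instead of decoding garbage.
gatt_decode() {
    case $1 in
        "Characteristic value/descriptor:"*) ;;
        *) printf 'unexpected gatttool output: %s\n' "$1" >&2; return 1 ;;
    esac
    hex=${1#*: }
    for byte in $hex; do
        # each two-digit hex byte -> octal escape -> character
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# Extract the number of solved flags from the decoded "Score: N/20" text.
solved_count() {
    s=${1#Score: }
    printf '%s' "${s%%/*}"
}

# Build the step 7 write command for a flag. $1 = MAC, $2 = flag text.
# Rejects flags longer than 20 bytes: that is the Write Request payload
# limit at the default ATT MTU of 23, so a longer value would be cut off.
flag_write_cmd() {
    len=$(printf '%s' "$2" | wc -c | tr -d ' ')
    if [ "$len" -gt 20 ]; then
        printf 'flag is %s bytes, more than the 20-byte write limit\n' "$len" >&2
        return 1
    fi
    printf 'gatttool -b %s --char-write-req -a 0x002c -n %s' "$1" "$(hex_encode "$2")"
}

# Demo on constructed data; no board or Bluetooth adapter needed.
sample_read='Characteristic value/descriptor: 53 63 6f 72 65 3a 20 30 2f 32 30'
decoded=$(gatt_decode "$sample_read")
printf 'decoded read : %s (solved so far: %s)\n' "$decoded" "$(solved_count "$decoded")"
printf 'write command: %s\n' "$(flag_write_cmd xx:xx:xx:xx:xx:xx 12345678901234567890)"
before=$(printf '/dev/ttyS0\n/dev/ttyS1')
after=$(printf '/dev/ttyS0\n/dev/ttyS1\n/dev/ttyUSB0')
printf 'new port     : %s\n' "$(new_tty "$before" "$after")"
```

To use it against the board, replace the sample line with the real output of the step 6 read command (gatttool -b MAC --char-read -a 0x002a) and run the string printed by flag_write_cmd; reading the score again afterwards and comparing solved_count before and after tells you whether the write was accepted.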
Used Hardware
- Ubuntu host computer
- ESP-32 NodeMCU Development Board
- Micro USB cable
References
- http://www.hackgnar.com/2018/06/learning-bluetooth-hackery-with-ble-ctf.html?m=1
- https://docs.espressif.com/projects/esp-idf/en/latest/get-started/#setup-toolchain
- https://docs.espressif.com/projects/esp-idf/en/latest/get-started/add-idf_path-to-profile.html
- https://docs.espressif.com/projects/esp-idf/en/latest/get-started/establish-serial-connection.html
- https://github.com/hackgnar/ble_ctf/blob/master/docs/setup.md