BLE CTF

From Embedded Lab Vienna for IoT & Security

Summary

This tutorial explains how to set up an ESP-32 device for solving 20 flag-based BLE challenges.

Requirements

  • Operating systems: Ubuntu 18.04 bionic amd64, Kali
  • On Kali you'll have to install the bluetooth package:

    apt-get install bluetooth

Description

Step 1 - Standard Setup of Toolchain for Linux

Install prerequisites:

sudo apt-get install gcc git wget make libncurses-dev flex bison gperf python python-pip python-setuptools python-serial python-cryptography python-future python-pyparsing

Download the ESP32 toolchain for Linux and extract it into the ~/esp directory:

mkdir -p ~/esp
cd ~/esp
tar -xzf ~/Downloads/xtensa-esp32-elf-linux64-1.22.0-80-g6c4433a-5.2.0.tar.gz

Update your PATH environment variable in ~/.profile to use the toolchain. To do this, add the following line to your ~/.profile file:

export PATH="$HOME/esp/xtensa-esp32-elf/bin:$PATH"

Log off and log back in to make the changes effective. Run the following command to verify that PATH is set correctly:

printenv PATH

The output should contain the following path (replace userName with your user name):

/home/userName/esp/xtensa-esp32-elf/bin

Step 2 - Install ESP-IDF

Go to ~/esp and clone the repository:

cd ~/esp
git clone --recursive https://github.com/espressif/esp-idf.git

Set the IDF_PATH environment variable. To do this, add the following line to ~/.profile:

export IDF_PATH=~/esp/esp-idf

Log off and log back in to make the changes effective.

Verify that the variable has been set correctly:

printenv IDF_PATH

The output should display the previously entered path (replace userName with your user name):

/home/userName/esp/esp-idf

Step 3 - Install Python packages

Run:

python -m pip install --user -r $IDF_PATH/requirements.txt

Kali: if you get an error on Kali, you have to configure the Makefile by adding the following line:

ESP_IDF = ~/esp/esp-idf

Step 4 - Connect the device

Make sure your device is unplugged, then run:

ls /dev/tty*

Plug your device into the host computer and run again:

ls /dev/tty*

The port that appears only the second time is the one you need.

Step 5 - CTF Setup

Unplug your device.

Change into your ~/esp directory and execute the following commands:

cd ~/esp
git clone https://github.com/hackgnar/ble_ctf.git
cd ble_ctf
make menuconfig

A window appears. Navigate to "Serial flasher config" > "Default Serial port" and enter the port you found in step 4. Confirm, save and exit.

make

Plug your device into your host computer.

make flash

Press the RST button on your device.

Step 6 - First Interaction with ESP-32 via BLE

Discover the MAC address of your device:

sudo hcitool lescan

The device with the description "BLECTF" is your device.

Display current score (replace the x's with the MAC address discovered before):

gatttool -b xx:xx:xx:xx:xx:xx --char-read -a 0x002a | awk -F':' '{print $2}' | tr -d ' ' | xxd -r -p; printf '\n'

The terminal should display:

Score: 0/20

Step 7 - Upload your first flag

Run (replace the x's with your MAC address):

gatttool -b xx:xx:xx:xx:xx:xx --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps)

Display the score (replace the x's with your MAC address):

gatttool -b xx:xx:xx:xx:xx:xx --char-read -a 0x002a | awk -F':' '{print $2}' | tr -d ' ' | xxd -r -p; printf '\n'

The output should now display:

Score: 1/20

Congratulations! You have successfully set up your ESP-32 and uploaded the first flag! :)
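The read and write commands of steps 6 and 7 can be wrapped in a small Python helper. The following is an added example, not part of the original tutorial or of the ble_ctf project: it decodes the "Characteristic value/descriptor: ..." line that gatttool --char-read prints, parses the score, and builds the --char-write-req command while checking that the flag fits the 20-byte value limit of an ATT Write Request at the default MTU of 23. The MAC address and the sample output line used below are constructed.

```python
import re
import shlex

# ATT default MTU is 23 bytes; a Write Request spends 3 bytes on opcode and
# handle, so gatttool --char-write-req carries at most 20 bytes of value
# unless a larger MTU has been negotiated.
MAX_WRITE_VALUE = 20

SCORE_HANDLE = 0x002A  # handle read in steps 6 and 7
FLAG_HANDLE = 0x002C   # handle written in step 7

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
_VALUE_RE = re.compile(r"Characteristic value/descriptor:\s*((?:[0-9A-Fa-f]{2}\s*)+)")


def decode_char_read(output):
    """Turn the hex bytes gatttool --char-read prints into the ASCII text they encode."""
    m = _VALUE_RE.search(output)
    if not m:
        raise ValueError("no characteristic value found in gatttool output")
    return bytes.fromhex(m.group(1).replace(" ", "")).decode("ascii", errors="replace")


def parse_score(text):
    """Extract (solved, total) from a line such as 'Score: 1/20'."""
    m = re.search(r"Score:\s*(\d+)\s*/\s*(\d+)", text)
    if not m:
        raise ValueError("unexpected score text: %r" % text)
    return int(m.group(1)), int(m.group(2))


def _check_mac(mac):
    if not _MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return shlex.quote(mac)


def read_score_cmd(mac, handle=SCORE_HANDLE):
    """Command line equivalent to the score read of step 6 (decode with decode_char_read)."""
    return "gatttool -b %s --char-read -a 0x%04x" % (_check_mac(mac), handle)


def write_flag_cmd(mac, flag, handle=FLAG_HANDLE):
    """Command line equivalent to the flag upload of step 7; refuses oversized flags."""
    data = flag.encode("ascii")
    if len(data) > MAX_WRITE_VALUE:
        raise ValueError("flag is %d bytes, Write Request allows %d at default MTU"
                         % (len(data), MAX_WRITE_VALUE))
    return "gatttool -b %s --char-write-req -a 0x%04x -n %s" % (_check_mac(mac), handle, data.hex())
```

Run the string returned by read_score_cmd with subprocess and pass its stdout to decode_char_read to get the same "Score: n/20" text that the shell pipeline above prints.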
