CTFtime.org

Low Energy Crypto

by CuBocan / \x4247Sec

Tags: bluetooth pcap forensics 

Rating: 5.0

PCAP file with some packets...

![](https://i.imgur.com/o10EBiY.png)
![](https://i.imgur.com/9YRdNBi.png)
![](https://i.imgur.com/d8K8BZO.png)

This is interesting, lets keep it:
```
-----BEGIN PUBLIC KEY-----
MGowDQYJKoZIhvcNAQEBBQADWQAwVgJBAKKPHxnmkWVC4fje7KMbWZf07zR10D0m
B9fjj4tlGkPOW+f8JGzgYJRWboekcnZfiQrLRhA3REn1lUKkRAnUqAkCEQDL/3Li
4l+RI2g0FqJvf3ff
-----END PUBLIC KEY-----
```
Move on:

https://medium.com/rtone-iot-security/deep-dive-into-bluetooth-le-security-d2301d640bfc

https://epxx.co/artigos/bluetooth_gatt.html

https://github.com/mikeryan/crackle:

```
Warning: No output file specified. Decrypted packets will be lost to the ether.
Found 1 connection

Analyzing connection 0:
34:36:3b:d4:3e:39 (public) -> f8:f3:44:db:9d:7a (random)
Found 0 encrypted packets
Unable to crack due to the following errors:
Missing both Mrand and Srand
Missing LL_ENC_REQ
Missing LL_ENC_RSP

Done, processed 0 total packets, decrypted 0

```

https://hackaday.com/2021/03/23/a-crash-course-on-sniffing-bluetooth-low-energy/

Ok, a lot of useful information about Bluetooth, but nothing about our challenge. I'm starting to think that this has nothing to do with Bluetooth at all and link layer encryption.

Go back to the pcap file and try to find other useful info.
Btw the frames with `Nordic UART` are actually generated from the BT LE sniffer and it reassembles the `L2CAP` frames for our convinience:
![](https://i.imgur.com/848Ixdi.png)

This looks like our flag, but its encrypted:

![](https://i.imgur.com/annFCj0.png)

Btw the `Master` is an Apple (Iphone?!) device and the`Slave` is the... lets say card reader. Another way to put it is:

* `Master` --> Browser
* `Slave` --> Web Server

So we have our `POST` data encrypted with the `private key`, but we have only the server's public key... what are we going to do ?
Lets try to find it's factors:

`openssl rsa -in ./low_energy_pub.key -text -inform PEM -pubin`:

```
RSA Public-Key: (512 bit)
Modulus:
00:a2:8f:1f:19:e6:91:65:42:e1:f8:de:ec:a3:1b:
59:97:f4:ef:34:75:d0:3d:26:07:d7:e3:8f:8b:65:
1a:43:ce:5b:e7:fc:24:6c:e0:60:94:56:6e:87:a4:
72:76:5f:89:0a:cb:46:10:37:44:49:f5:95:42:a4:
44:09:d4:a8:09
Exponent:
00:cb:ff:72:e2:e2:5f:91:23:68:34:16:a2:6f:7f:
77:df
writing RSA key
-----BEGIN PUBLIC KEY-----
MGowDQYJKoZIhvcNAQEBBQADWQAwVgJBAKKPHxnmkWVC4fje7KMbWZf07zR10D0m
B9fjj4tlGkPOW+f8JGzgYJRWboekcnZfiQrLRhA3REn1lUKkRAnUqAkCEQDL/3Li
4l+RI2g0FqJvf3ff
-----END PUBLIC KEY-----
```

Ok we have `Modulus` and we have `Exponent`, convert them (`hex`--> `int`) and use factorDB:
http://factordb.com/index.php?query=8513909239276702310463241660208946735793173678202359843895330781205141862524433952199829179032817317799281688615001183017023849565598840210953921231104009

Good! Our modulus is in the factorDB and is a product of only two primes ! Yey! We have everything we need to generate a `PRIVATE` key:

```
p = 92270847179792937622745249326651258492889546364106258880217519938223418249279

q = 92270847179792937622745249326651258492889546364106258880217519938223418258871

e = 271159649013582993327688821275872950239
```
I use a tool, because I'm lazy:
https://github.com/ius/rsatool

```
python rsatool.py -p 92270847179792937622745249326651258492889546364106258880217519938223418249279 -q 92270847179792937622745249326651258492889546364106258880217519938223418258871 -e 271159649013582993327688821275872950239 -o priv.key
```

```
-----BEGIN RSA PRIVATE KEY-----
MIIBRwIBAAJBAKKPHxnmkWVC4fje7KMbWZf07zR10D0mB9fjj4tlGkPOW+f8JGzgYJRWboekcnZf
iQrLRhA3REn1lUKkRAnUqAkCEQDL/3Li4l+RI2g0FqJvf3ffAkBYf1ugn3b6H1bdtLy+J6LCgPH+
K1E0clPrprjPjFO1pPUkxafxs8OysMDdT5VBx7dZRSLx7cCfTVWRTKSjwYKPAiEAy/9y4uJfkSNo
NBaib393y3GZu+QkufE43A3BMLPCED8CIQDL/3Li4l+RI2g0FqJvf3fLcZm75CS58TjcDcEws8I1
twIgJXpkF+inPgZETjVKdec6UGg75ZwW3WTPEoVANux3DscCIDjx+RSYECVaraeGG2O/v8iKe6dn
1GpMVGUuaKecISArAiA0QRYkZFB5D4BnOxGkMX3ihjn7NFPQ7+Jk/abWRRq6+w==
-----END RSA PRIVATE KEY-----
```

This is our encrrypted flag copied as `hex` stream:

```
392969b018ffa093b9ab5e45ba86b4aa070e78b839abf11377e783626d7f9c4091392aef8e13ae9a22844288e2d27f63d2ebd0fb90871016fde87077d50ae53800000000000000000000000000000000000000000000000000000000000000000000000000
```

Lets dump it into a file:
```
echo '392969b018ffa093b9ab5e45ba86b4aa070e78b839abf11377e783626d7f9c4091392aef8e13ae9a22844288e2d27f63d2ebd0fb90871016fde87077d50ae53800000000000000000000000000000000000000000000000000000000000000000000000000' | xxd -r -p > flag.enc
```

and try to decrypt ?

`openssl rsautl -decrypt -raw -inkey priv.key -in flag.enc`

```
RSA operation error
139698953651520:error:0406506C:rsa routines:rsa_ossl_private_decrypt:data greater than mod len:crypto/rsa/rsa_ossl.c:400:
```

Damn!

Lets remove the padding!? (trailing zeroes) and try again:

```
openssl rsautl -decrypt -raw -inkey priv.key -in flag.enc
�5����p+wɹ�[R�.;���^�bs� �6yCHTB{5p34k_fr13nd_4nd_3n73r}
```

Good enough... if we play around and find the right size, we can recover the first part of the message, but who cares !?
WE GOT THE FLAG!

Comments