A Capture The Flag (CTF) challenge designed to teach Bluetooth Low Energy (BLE) and NFC exploitation, all inside a custom Android app that mimics a vulnerable mobile POS terminal.
## Features

- BLE GATT service with vulnerable read/write characteristics
- Flag hidden behind a custom BLE command (`SEND_FLAG_2`)
- Price input keypad and simulated transaction flow
- NFC card detection (IsoDep)
- Challenge-ready for in-person or remote CTFs
## Challenge flow

- 🔍 Discover the BLE GATT service and characteristic
- 🧼 Read the characteristic value – get `LOCKED`
- ✍️ Send the correct command (`SEND_FLAG_2`) via BLE write
- 🎉 Receive flag `FLAG{ble-basic-read}`
- (Optional) Tap a card to activate a future NFC-based flag
## Tools you will need

- nRF Connect (Android/iOS)
- `gatttool` (Linux command-line BLE client)
- A compatible NFC tag or credit card (e.g. IsoDep or MIFARE)
## Getting started

1. Clone the repo:

   ```bash
   git clone https://github.com/nullc0rp/bluempos.git
   cd bluempos
   ```

2. Open the project in Android Studio.

3. Let it sync Gradle (accept prompts, install SDKs if needed).

4. Run the app on a connected device via USB or Wi-Fi:
   - Select device
   - Click ▶️ “Run”

5. Or build a release APK:
   - Go to Build > Build Bundle(s) / APK(s) > Build APK(s)
   - The APK will be located in: `app/build/outputs/apk/debug/app-debug.apk`
## Building from the command line

```bash
./gradlew assembleDebug
```

The APK will be located at: `app/build/outputs/apk/debug/app-debug.apk`

You can install it on your device using:

```bash
adb install app/build/outputs/apk/debug/app-debug.apk
```

✅ Make sure you have `adb` and `android-tools` installed. On Arch:

```bash
sudo pacman -S android-tools
```

## Testing with gatttool

Install BlueZ (provides `gatttool`) on Arch:

```bash
sudo pacman -S bluez bluez-utils
```

Then connect to the app's BLE advertiser, write the command and read the characteristic back:

```text
sudo gatttool -I
[   ][XX:XX:XX:XX:XX:XX]> connect XX:XX:XX:XX:XX:XX
[CON][XX:XX:XX:XX:XX:XX]> char-write-req 0x0025 53454E445F464C41475F32
[CON][XX:XX:XX:XX:XX:XX]> char-read-hnd 0x0025
```

`53454E445F464C41475F32` is simply the ASCII bytes of `SEND_FLAG_2` written as a hex string; `gatttool` takes write values in that form. The read should return `FLAG{ble-basic-read}`. (Replace `0x0025` with your actual characteristic handle, and `XX:XX:XX:XX:XX:XX` with the phone's BLE address.)
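As an added example (not code from the bluempos project), the snippet below models the read/write characteristic exactly as the challenge flow describes it, and provides the hex conversions that sit between `gatttool` and the ASCII values on the wire. The `Characteristic value/descriptor:` prefix in `from_gatttool_hex` is an assumption about how `gatttool` prints a read result; adjust it if your build prints something else.

```python
# Added example, not part of bluempos: a model of the challenge's BLE
# characteristic plus the hex encoding/decoding gatttool works with.
import binascii

UNLOCK_COMMAND = b"SEND_FLAG_2"       # command documented by the challenge
FLAG = b"FLAG{ble-basic-read}"        # flag documented by the challenge
LOCKED = b"LOCKED"                    # value read before the unlock write


class FlagCharacteristic:
    """Mirrors the challenge logic: reads return LOCKED until the exact
    unlock command has been written to the characteristic."""

    def __init__(self) -> None:
        self._unlocked = False

    def on_write(self, value: bytes) -> None:
        # Exact byte match only: a trailing newline, extra NUL or wrong case
        # (common slips when typing the hex by hand) does not unlock.
        if value == UNLOCK_COMMAND:
            self._unlocked = True

    def on_read(self) -> bytes:
        return FLAG if self._unlocked else LOCKED


def to_gatttool_hex(value: bytes) -> str:
    """char-write-req takes the value as a bare hex string (no 0x, no spaces)."""
    return binascii.hexlify(value).decode("ascii").upper()


def from_gatttool_hex(line: str) -> bytes:
    """Decode a char-read-hnd result line such as
    'Characteristic value/descriptor: 4c 4f 43 4b 45 44' (format assumed)."""
    payload = line.split(":", 1)[-1]
    return bytes.fromhex(payload.replace(" ", ""))


if __name__ == "__main__":
    ch = FlagCharacteristic()
    print("before write:", ch.on_read())                      # b'LOCKED'
    print("write value :", to_gatttool_hex(UNLOCK_COMMAND))   # 53454E445F464C41475F32
    ch.on_write(UNLOCK_COMMAND)
    print("after write :", ch.on_read())                      # b'FLAG{ble-basic-read}'
```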
## Roadmap

- Add flag for NFC APDU
- Add SPP (Bluetooth Classic) command handler
- Add BLE notification-based flag
- Add real mPOS-style UI polish
© 2025 nullc0rp // CTF-safe, open source