Symbolic execution is an essential tool in modern program analysis and vulnerability discovery. The technique is used both to find and fix vulnerabilities and to identify and exploit them. To help ensure that symbolic execution tools are used more for the former than the latter, you will be tackling a set of scaffolded, polymorphic "capture-the-flag" (CTF) exercises based on the open-source symbolic execution framework angr.

What you will build

You will deploy a Compute Engine instance, install Docker, and run the course's Docker image that contains the angr framework pre-installed. You will then download your CTF binaries.

What you'll learn

What you'll need

Install Ubuntu 18.04 VM

Install Docker on the VM

sudo apt update
sudo apt install -y docker.io
sudo usermod -a -G docker $(whoami)
newgrp docker

IMPORTANT

The angr CTF binaries are located at https://malware.oregonctf.org. Your binaries can be downloaded from the site using your <username> and <password>.

sudo apt install -y virtualenv unzip python python-pip
mkdir angr_ctf; cd angr_ctf
virtualenv env; source env/bin/activate
pip install requests bs4
wget http://thefengs.com/wuchang/courses/cs492/meta_dl.py
python meta_dl.py malware.oregonctf.org <username> <password>
unzip angr.zip
chmod -R ugo+rwX .

Download and run the custom angr container (located on Docker Hub as wuchangfeng/angr)

docker run -di -w /home/angr/angr_ctf --security-opt seccomp=unconfined --user angr -v ~/angr_ctf:/home/angr/angr_ctf wuchangfeng/angr

Examine the running container and the container's image

docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                     PORTS               NAMES
6aa4ff2c9ebe        wuchangfeng/angr    "/bin/bash"         6 minutes ago       Up 2 seconds                                   stupefied_wiles
docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
wuchangfeng/angr    latest              a94482ca9403        4 days ago        2.44GB

Stop the container via its name. Note that docker supports command completion that will automatically fill in the name of the container. For a container called "stupefied_wiles", the command is

docker stop stupefied_wiles

Confirm that it is no longer running by running "docker ps" with the "-a" flag, which also lists stopped containers

docker ps -a

Start the container again via its name, the command is

docker start stupefied_wiles

Now, execute an interactive shell on the container

docker exec -it stupefied_wiles /bin/bash

Within the shell running in the container, it may be handy to have multiple sessions. This can be done via tmux.

Change into the directory that was mounted from the host

cd ~/angr_ctf

For each level, copy the scaffoldXX.py file into solveXX.py

# Create a solveXX.py from every scaffoldXX.py, leaving the scaffolds untouched
for i in scaffold*
do
  cp $i $(echo $i | sed 's/scaffold/solve/')
done

For each CTF level, you will edit solveXX.py with your solution for the level XX_angr_.... For example, to solve the first level, you would run:

 python solve00.py

which might result in the following output:

(angr) angr@b58f1223ddf1:~/angr_ctf$ python solve00.py
JSFCFQFH
(angr) angr@b58f1223ddf1:~/angr_ctf$ ./00_angr_find
Enter the password: JSFCFQFH
Good Job.
(angr) angr@b58f1223ddf1:~/angr_ctf$
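As an added example of what a solveXX.py can look like (this is not the course's scaffold code and not part of the angr project), the script below explores from the binary's entry point until some state has written the "Good Job." string shown above to stdout, then concretizes the stdin bytes that reached it. Matching on stdout instead of a hard-coded address is a deliberate choice for polymorphic binaries whose addresses differ per student. The binary path, the default of ./00_angr_find, the auto_load_libs=False setting, and the assumption that the level reads its password from stdin are all this example's own.

```python
#!/usr/bin/env python3
# Added example (not the course's scaffold code): solve an angr_ctf-style level
# by symbolically exploring for a state whose stdout contains "Good Job.".
import sys

STDIN_FD = 0
STDOUT_FD = 1
GOOD_OUTPUT = b"Good Job."   # the success string the level prints (from the page)


def output_contains(needle):
    """Build a predicate for angr's explore(find=...).

    The returned function is given a SimState and answers True once the bytes
    written to that state's stdout so far contain `needle`.  Anything exposing
    .posix.dumps(fd) -> bytes (angr's SimState does) works with it.
    """
    def predicate(state):
        return needle in state.posix.dumps(STDOUT_FD)
    return predicate


def password_from_state(state):
    """Concretize the stdin bytes that led to `state`, dropping padding NULs."""
    return state.posix.dumps(STDIN_FD).rstrip(b"\x00")


def solve(path_to_binary, good=GOOD_OUTPUT):
    """Return the input that makes `path_to_binary` print `good`, or None."""
    import angr  # imported lazily: only needed inside the course container

    # auto_load_libs=False is this example's choice: libc calls such as
    # printf/scanf are handled by angr's built-in SimProcedures anyway.
    project = angr.Project(path_to_binary, auto_load_libs=False)
    initial_state = project.factory.entry_state()   # start at the ELF entry point
    simulation = project.factory.simgr(initial_state)

    # explore() steps every active path until one satisfies the find predicate.
    simulation.explore(find=output_contains(good))
    if not simulation.found:
        return None
    return password_from_state(simulation.found[0])


if __name__ == "__main__":
    # Assumption: the level binary lives beside this script, as on the page.
    binary = sys.argv[1] if len(sys.argv) > 1 else "./00_angr_find"
    password = solve(binary)
    if password is None:
        sys.exit("no state reached the success message")
    print(password.decode("ascii", errors="replace"))
```

Run it inside the container as `python solve00.py ./00_angr_find`; the printed value is what you then type at the level's "Enter the password:" prompt. Harder levels in the series add constraints that a plain stdout search cannot resolve on its own, so treat this as the shape of a solution rather than a universal one.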

When you are done solving levels, exit the container.

Celebrate! (Or not). Be sure to stop the VM to save $.