Symbolic execution is an essential tool in modern program analysis and vulnerability discovery. The technique is used to both find and fix vulnerabilities as well as to identify and exploit them. In order to ensure that symbolic execution tools are used more for the former, rather than the latter, you will be tackling a set of scaffolded, polymorphic, "capture-the-flag" (CTF) exercises based on the open-source symbolic execution framework angr.
You will deploy a Compute Engine instance, install Docker, and run the course's Docker image that contains the angr framework pre-installed. You will then download your CTF binaries.
sudo apt update
sudo apt install -y docker.io
sudo usermod -a -G docker $(whoami)
newgrp docker
The angr CTF binaries are located at https://malware.oregonctf.org. Your binaries can be accessed via your <username> and <password> from the site.
sudo apt install -y virtualenv unzip python python-pip
mkdir angr_ctf; cd angr_ctf
virtualenv env; source env/bin/activate
pip install requests bs4
wget http://thefengs.com/wuchang/courses/cs492/meta_dl.py
python meta_dl.py malware.oregonctf.org <username> <password>
unzip angr.zip
chmod -R ugo+rwX .
Download and run the custom angr container (located on Docker Hub as wuchangfeng/angr). The command below mounts the CTF directory on the host (~/angr_ctf) within the container at (/home/angr/angr_ctf), sets the working directory to it, disables address-space randomization, and sets the user to angr.
docker run -di -w /home/angr/angr_ctf --security-opt seccomp=unconfined --user angr -v ~/angr_ctf:/home/angr/angr_ctf wuchangfeng/angr
Examine the running container and the container's image via docker ps and docker images, and note the container's automatically assigned name (e.g. stupefied_wiles). For example:
CONTAINER ID   IMAGE              COMMAND       CREATED         STATUS         PORTS   NAMES
6aa4ff2c9ebe   wuchangfeng/angr   "/bin/bash"   6 minutes ago   Up 2 seconds           stupefied_wiles

REPOSITORY         TAG      IMAGE ID       CREATED      SIZE
wuchangfeng/angr   latest   a94482ca9403   4 days ago   2.44GB
Stop the container via its name. Note that docker supports command completion that will automatically fill in the name of the container. For a container called "stupefied_wiles", the command is
docker stop stupefied_wiles
See that it is no longer running via "docker ps" with the "-a" flag to list stopped containers:
docker ps -a
A stopped container can be removed via "docker rm stupefied_wiles". Note that while this removes the container, it does not remove the local container image it was derived from (i.e. the image must be removed separately with "docker rmi wuchangfeng/angr" after stopping the container).
Start the container again via its name; the command is
docker start stupefied_wiles
Now, execute an interactive shell on the container
docker exec -it stupefied_wiles /bin/bash
Within the shell running in the container, it may be handy to have multiple sessions. This can be done via tmux.
Change directories into the directory mounted from the host (/home/angr/angr_ctf).
For each level, copy the scaffoldXX.py file into solveXX.py:
for i in scaffold*
do
  cp "$i" "$(echo "$i" | sed 's/scaffold/solve/')"
done
For each CTF level, you will edit solveXX.py with your solution for the level XX_angr_.... For example, to solve the first level, you would run "python solve00.py", which might result in the following output:
(angr) angr@b58f1223ddf1:~/angr_ctf$ python solve00.py
JSFCFQFH
(angr) angr@b58f1223ddf1:~/angr_ctf$ ./00_angr_find
Enter the password: JSFCFQFH
Good Job.
(angr) angr@b58f1223ddf1:~/angr_ctf$
Submit the password on the CTF site for the corresponding level (e.g. 00_angr_find): fill out the answer and click "Submit".
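As an added example (not a scaffold from the course or code from the angr project), here is what a finished solveXX.py can look like for a "find"-style level such as 00_angr_find: rather than hard-coding the address of the success branch, it explores until some path has written "Good Job." to stdout and then asks the solver for the stdin that reaches it. It assumes only that the binary prints "Good Job." on success (as in the session above) and takes the binary path from the command line.

```python
#!/usr/bin/env python
# Added example solve script for a "find"-style angr CTF level. The only
# assumption about the program is that it prints "Good Job." (seen in the
# session output above) when the correct password is entered.
import sys

SUCCESS_MARKER = b"Good Job."


def reached_good_job(stdout):
    """True once a path has written the success message to its stdout."""
    return SUCCESS_MARKER in stdout


def is_successful(state):
    # Predicate handed to explore(): inspect what this path has printed so far (fd 1).
    return reached_good_job(state.posix.dumps(1))


def solve(path_to_binary):
    import angr  # imported here so reached_good_job() can be used without angr installed

    project = angr.Project(path_to_binary)
    # The entry state has a fully symbolic stdin, so the bytes read by scanf()
    # become solver variables constrained by the branches the path takes.
    initial_state = project.factory.entry_state()
    simulation = project.factory.simgr(initial_state)
    # Step all paths until one satisfies the predicate; paths that exit without
    # printing the marker simply deadend.
    simulation.explore(find=is_successful)
    if not simulation.found:
        raise Exception("Could not find the solution")
    solution_state = simulation.found[0]
    # Concretize the symbolic stdin (fd 0) of the successful path: that is the password.
    return solution_state.posix.dumps(0).decode()


if __name__ == "__main__":
    print(solve(sys.argv[1] if len(sys.argv) > 1 else "./00_angr_find"))
```

Run it inside the container as "python solve00.py ./00_angr_find"; the printed string is what the binary expects at "Enter the password:".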
When you are done solving levels, exit the container.
Then stop the container via the "docker stop" command.
To resume later, start the container again and open a shell in it via the "docker exec" command above.
Celebrate! (Or not). Be sure to stop the VM to save $.