Symbolic execution is an essential tool in modern program analysis and vulnerability discovery. The technique is used to both find and fix vulnerabilities as well as to identify and exploit them. In order to ensure that symbolic execution tools are used more for the former, rather than the latter, you will be tackling a set of scaffolded, polymorphic, ``capture-the-flag'' (CTF) exercises based on the open-source symbolic execution framework angr.

What you will build

You will deploy a Compute Engine instance, install Docker, and run the course's Docker image that contains the angr framework pre-installed. You will then download your CTF binaries.

What you'll learn

What you'll need

Install Ubuntu 18.04 VM

Install Docker on the VM

sudo apt update
sudo apt install -y
sudo usermod -a -G docker $(whoami)
newgrp docker


angr CTF binaries located at Your binaries can be accessed via your <username> and <password> from site

sudo apt install -y virtualenv unzip python python-pip
mkdir angr_ctf; cd angr_ctf
virtualenv -p python3 env; source env/bin/activate
pip install requests bs4
python <username> <password>
chmod -R ugo+rwX .

Download and run the custom angr container (located on Docker Hub as wuchangfeng/angr)

docker run -di \
  -w /home/angr/angr_ctf \
  --name angr_container \
  --rm \
  --user angr \
  -v ~/angr_ctf:/home/angr/angr_ctf \

Examine the running container and the container's image

docker ps
docker images
REPOSITORY          TAG                 IMAGE ID            ...
wuchangfeng/angr    latest              a94482ca9403        ...
docker inspect <container_image_name>

Stop the container via its name. Note that docker supports command completion that will automatically fill in the name of the container. For our container named "angr_container", our command is

docker stop angr_container

We passed the --rm flag which specifies that the container will be removed upon being stopped. See that the container no longer exists by running "docker ps" with the "-a" flag. This flag lists all containers: both running and stopped.

docker ps -a

It is often the case that you want the container to remain around after you stop it. To show how to do this for the angr container, perform the following steps.

docker start <container_name>

Note that this only starts the container, but doesn't give you a session on it.

docker exec -it <container_name> /bin/bash

Within the shell running in the container, it may be handy to have multiple sessions. This can be done via tmux. Click here for a tutorial.

Change directories into directory mounted from the host

cd ~/angr_ctf

For each level, copy the file into

for i in scaffold*
  cp $i $(echo $i | sed 's/scaffold/solve/')

For each CTF level, you will edit with your solution for the level XX_angr_.... For example, to solve the first level, you would run:


which might result in the following output:

(angr) angr@b58f1223ddf1:~/angr_ctf$ python
(angr) angr@b58f1223ddf1:~/angr_ctf$ ./00_angr_find
Enter the password: JSFCFQFH
Good Job.
(angr) angr@b58f1223ddf1:~/angr_ctf$

When you are done solving levels, exit the container.

Celebrate! (Or not). Be sure to stop the VM to save $.