Symbolic execution is an essential tool in modern program analysis and vulnerability discovery. The technique is used to both find and fix vulnerabilities as well as to identify and exploit them. In order to ensure that symbolic execution tools are used more for the former, rather than the latter, you will be tackling a set of scaffolded, polymorphic, "capture-the-flag" (CTF) exercises based on the open-source symbolic execution framework angr.
You will deploy a Compute Engine instance, install Docker, and run the course's Docker image that contains the angr framework pre-installed. You will then download your CTF binaries.
sudo apt update
sudo apt install -y docker.io
sudo usermod -a -G docker $(whoami)
newgrp docker
The angr CTF binaries are located at https://angr.oregonctf.org. Your binaries can be accessed via your <username> and <password> from the site.
sudo apt install -y virtualenv unzip python python-pip
mkdir angr_ctf; cd angr_ctf
virtualenv -p python3 env; source env/bin/activate
pip install requests bs4
wget http://thefengs.com/wuchang/courses/cs492/meta_dl.py
python meta_dl.py angr.oregonctf.org <username> <password>
unzip angr.zip
chmod -R ugo+rwX .
Download and run the custom angr container (located on Docker Hub as wuchangfeng/angr). The command below mounts the host directory (~/angr_ctf) within the container at /home/angr/angr_ctf, sets the working directory to it, disables address-space randomization, and sets the user to angr.
docker run -di \
  -w /home/angr/angr_ctf \
  --name angr_container \
  --rm \
  --user angr \
  -v ~/angr_ctf:/home/angr/angr_ctf \
  wuchangfeng/angr
Examine the running container and the container's image. Use docker ps to find the container angr_container and the command it is running, then list the image it was created from with docker images, which shows something like:
REPOSITORY         TAG      IMAGE ID       ...
wuchangfeng/angr   latest   a94482ca9403   ...
Inspect the image with
docker inspect <container_image_name>
Stop the container via its name. Note that docker supports command completion that will automatically fill in the name of the container. For our container named "angr_container", our command is
docker stop angr_container
We passed the --rm flag, which specifies that the container will be removed upon being stopped. See that the container no longer exists by running "docker ps" with the "-a" flag. This flag lists all containers: both running and stopped.
docker ps -a
It is often the case that you want the container to remain around after you stop it. To show how to do this for the angr container, perform the following steps.
Run the docker run command again without the automatic removal flag (--rm), then stop the container as before.
Run the docker ps -a command to see that the stopped container still exists.
Remove the stopped container with docker rm angr_container. Note that while this removes the container, the image that created it (wuchangfeng/angr) still exists on our local machine. If you wanted to, you could then remove the container image stored locally by issuing "docker rmi wuchangfeng/angr" after stopping the container.
A stopped container that has not been removed can be started again with
docker start <container_name>
Note that this only starts the container, but doesn't give you a session on it. To get a shell in the running container, use
docker exec -it <container_name> /bin/bash
Within the shell running in the container, it may be handy to have multiple sessions. This can be done via tmux.
Change directories into the directory mounted from the host (/home/angr/angr_ctf).
For each level, copy the scaffoldXX.py file into solveXX.py:
for i in scaffold*
do
  cp "$i" "$(echo "$i" | sed 's/scaffold/solve/')"
done
For each CTF level, you will edit solveXX.py with your solution for the level XX_angr_.... For example, to solve the first level, you would run python solve00.py, which might result in the following output:
(angr) angr@b58f1223ddf1:~/angr_ctf$ python solve00.py
JSFCFQFH
(angr) angr@b58f1223ddf1:~/angr_ctf$ ./00_angr_find
Enter the password: JSFCFQFH
Good Job.
(angr) angr@b58f1223ddf1:~/angr_ctf$
Then, on the CTF site, select the level (00_angr_find), fill out the answer, and "Submit".
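As an added illustration (not the course's scaffold00.py or any code from the angr project), here is one way a finished solve00.py could look. It assumes the level binary is ./00_angr_find in the working directory, that the angr package is importable, and that success is recognised by the "Good Job." message shown in the session above.

```python
#!/usr/bin/env python3
"""Added example solve script for the first angr CTF level (00_angr_find).

Explore the binary symbolically until some state has printed "Good Job."
(the success message shown on this page), then ask the solver what stdin
must have been on that path.  Assumes ./00_angr_find and the angr package.
"""
import sys

SUCCESS_MARKER = b"Good Job."   # success string the level prints (from the page)


def is_success_output(stdout: bytes) -> bool:
    """True if the program output captured so far contains the success message."""
    return SUCCESS_MARKER in stdout


def clean_input(raw: bytes) -> str:
    """Turn concrete stdin recovered by the solver into a typeable password.

    angr concretizes unconstrained bytes as 0x00; strip those and any trailing
    newline so the value can be pasted into the real program's prompt.
    """
    return raw.replace(b"\x00", b"").rstrip(b"\n").decode("ascii", errors="replace")


def solve(path_to_binary: str = "./00_angr_find") -> str:
    """Return the password that drives the binary down the 'Good Job.' path."""
    import angr  # imported here so the helpers above work without angr installed

    project = angr.Project(path_to_binary, auto_load_libs=False)
    initial_state = project.factory.entry_state()   # start at the entry point, stdin symbolic
    simgr = project.factory.simgr(initial_state)

    # Explore until some state's stdout (fd 1) contains the success message.
    simgr.explore(find=lambda state: is_success_output(state.posix.dumps(1)))
    if not simgr.found:
        raise RuntimeError("no path reached the success message")

    solution_state = simgr.found[0]
    # Concretize stdin (fd 0) under that state's path constraints.
    return clean_input(solution_state.posix.dumps(0))


if __name__ == "__main__":
    print(solve(sys.argv[1] if len(sys.argv) > 1 else "./00_angr_find"))
```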
When you are done solving levels, exit the container and stop it with the "docker stop" command. If you ran the container without --rm, you can later start it again and reconnect to it with the "docker exec" command above.
Celebrate! (Or not). Be sure to stop the VM to save $.