├── .gitignore ├── Vagrantfile ├── README.md ├── setup_qemu_arm.sh └── provision.sh /.gitignore: -------------------------------------------------------------------------------- 1 | docker/host-share/decompile-api 2 | shared 3 | .vagrant 4 | -------------------------------------------------------------------------------- /Vagrantfile: -------------------------------------------------------------------------------- 1 | # -*- mode: ruby -*- 2 | # vi: set ft=ruby : 3 | 4 | Vagrant.configure("2") do |config| 5 | config.vm.box = "ubuntu/bionic64" 6 | config.vm.provision :shell, :path => "provision.sh", :privileged => false 7 | config.ssh.forward_agent = true 8 | 9 | # Optionally mount a folder containing the CTF problems 10 | ctf_path = ENV['CTF_PATH'] 11 | if ctf_path 12 | config.vm.synced_folder ctf_path, "/home/vagrant/ctf" 13 | end 14 | 15 | config.vm.provider "virtualbox" do |vb| 16 | vb.memory = 4096 17 | vb.cpus = 4 18 | end 19 | end 20 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CTF VM 2 | 3 | An Ubuntu 18.04 x64 VM for binary exploitation and reversing CTF problems. For a 16.04/14.04 VM, checkout the `ubuntu16.04` and `ubuntu14.04` branches. For a Windows 7 CTF VM, see https://github.com/gsingh93/ctf-vm-windows7. 4 | 5 | ## Installation 6 | 7 | ``` 8 | git clone git@github.com:gsingh93/ctf-vm.git 9 | cd ctf-vm 10 | vagrant up 11 | ``` 12 | 13 | ## Packages 14 | 15 | Included packages 16 | 17 | - pwndbg 18 | - peda 19 | - pwntools 20 | - Pin 21 | - AFL (currently disabled on 18.04) 22 | - ROPgadget 23 | - rp++ 24 | - xrop 25 | - one_gadget 26 | - QEMU with ARM support 27 | - angr 28 | - frida 29 | -------------------------------------------------------------------------------- /setup_qemu_arm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | URL=https://download.qemu.org/ 4 | 5 | latest_qemu=$(curl --silent $URL | grep -oP "\bqemu-[0-9.]+\.tar\.bz2\b" | sort -V | uniq | tail -n1) 6 | 7 | basename=$(basename $latest_qemu .tar.bz2) 8 | if [[ ! -d $basename ]]; then 9 | echo "[+] Downloading latest QEMU: $latest_qemu" 10 | wget -q $URL/$latest_qemu 11 | echo 12 | 13 | echo "[+] Extracting $latest_qemu" 14 | tar -xf $latest_qemu 15 | echo 16 | else 17 | echo "[+] Latest QEMU is already downloaded" 18 | fi 19 | 20 | echo "[+] Installing QEMU dependencies" 21 | sudo apt-get -y install g++ automake libpixman-1-dev libglib2.0-dev 22 | echo 23 | 24 | echo "[+] Building QEMU" 25 | cd $basename 26 | ./configure --target-list=arm-linux-user 27 | make -j 28 | sudo make install 29 | echo 30 | 31 | echo "[+] Installing ARM libraries" 32 | sudo apt-get -y install libc6-armhf-cross 33 | sudo mkdir /usr/gnemul 34 | sudo ln -s /usr/arm-linux-gnueabihf /usr/gnemul/qemu-arm 35 | echo 36 | 37 | echo "[+] Installing ARM toolchain" 38 | sudo apt-get -y install gcc-arm-linux-gnueabihf 39 | sudo apt-get -y install gdb-multiarch 40 | echo 41 | 42 | echo "[+] Done" 43 | -------------------------------------------------------------------------------- /provision.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Bash strict mode 4 | set -euo pipefail 5 | 6 | # Verbose 7 | #set -x 8 | 9 | HOMEDIR=~ 10 | 11 | log() { 12 | echo -e "\033[32m[+] $1\033[0m" 13 | } 14 | 15 | package() { 16 | sudo apt-get -y install "$@" 17 | } 18 | 19 | git_clone() { 20 | # Clone git repo into directory, clearing directory if it exists 21 | # Usage: git_clone URL DIR [GIT_CLONE OPTIONS...] 22 | 23 | local url="$1" 24 | shift 25 | local dir="$1" 26 | shift 27 | 28 | sudo rm -rf "$dir" 29 | git clone "$@" "$url" "$dir" 30 | } 31 | 32 | install_() { 33 | toolname=$1 34 | shift 35 | 36 | cd $HOMEDIR/tools 37 | log "Installing $toolname" 38 | eval install_$toolname "$@" 39 | log "Installation for $toolname complete" 40 | cd $HOMEDIR/tools 41 | } 42 | 43 | install_rp() { 44 | wget -q https://github.com/downloads/0vercl0k/rp/rp-lin-x64 45 | sudo install -s rp-lin-x64 /usr/bin/rp++ 46 | rm rp-lin-x64 47 | } 48 | 49 | install_pwntools() { 50 | package python2.7 python2.7-dev python-pip libssl-dev libffi-dev 51 | sudo -H pip install --upgrade pwntools 52 | } 53 | 54 | install_pwndbg() { 55 | # We echo this here because otherwise `setup.sh` will echo the wrong 56 | # path 57 | if ! grep pwndbg ~/.gdbinit &>/dev/null; then 58 | echo "source $HOMEDIR/tools/pwndbg/gdbinit.py" >> ~/.gdbinit 59 | fi 60 | git_clone https://github.com/pwndbg/pwndbg.git pwndbg 61 | cd pwndbg 62 | ./setup.sh 63 | } 64 | 65 | install_peda() { 66 | git_clone https://github.com/longld/peda.git peda 67 | if ! grep peda ~/.gdbinit &>/dev/null; then 68 | echo "# source $HOMEDIR/tools/peda/peda.py" >> ~/.gdbinit 69 | fi 70 | } 71 | 72 | install_pin() { 73 | name=pin-2.14-71313-gcc.4.4.7-linux 74 | wget -q http://software.intel.com/sites/landingpage/pintool/downloads/$name.tar.gz 75 | tar -xf $name.tar.gz 76 | rm $name.tar.gz 77 | mv $name pin 78 | } 79 | 80 | install_angr() { 81 | package python-dev libffi-dev build-essential virtualenvwrapper 82 | sudo -H pip install angr --upgrade 83 | } 84 | 85 | install_afl() { 86 | package clang llvm libtool-bin autoconf bison flex 87 | wget -q http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz 88 | tar -xf afl-latest.tgz 89 | rm afl-latest.tgz 90 | ( 91 | cd afl-* 92 | make -j$(nproc) 93 | ( 94 | cd qemu_mode 95 | ./build_qemu_support.sh 96 | ) 97 | sudo make install 98 | ) 99 | } 100 | 101 | install_ropgadget() { 102 | git_clone https://github.com/JonathanSalwan/ROPgadget ROPgadget 103 | cd ROPgadget 104 | sudo python setup.py install 105 | } 106 | 107 | install_xrop() { 108 | package texinfo 109 | git_clone https://github.com/acama/xrop.git xrop --depth 1 110 | cd xrop 111 | git submodule update --init --recursive 112 | 113 | # xrop does not support parallel build 114 | make 115 | sudo make install 116 | } 117 | 118 | install_one_gadget() { 119 | package ruby 120 | sudo gem install one_gadget 121 | } 122 | 123 | install_qemu() { 124 | /vagrant/setup_qemu_arm.sh 125 | } 126 | 127 | install_frida() { 128 | sudo -H pip install frida-tools frida --upgrade 129 | } 130 | 131 | init() { 132 | # Add 32-bit arch to dpkg 133 | sudo dpkg --add-architecture i386 134 | 135 | # Updates 136 | sudo apt-get -y update 137 | sudo apt-get -y upgrade 138 | 139 | # Install packages 140 | package \ 141 | build-essential \ 142 | emacs vim \ 143 | git \ 144 | python-pip python3-pip \ 145 | python2.7 python2.7-dev libssl-dev libffi-dev \ 146 | tmux \ 147 | gdb gdb-multiarch \ 148 | unzip \ 149 | foremost \ 150 | ipython ipython3 151 | 152 | # Install 32 bit libs 153 | package \ 154 | libc6:i386 libncurses5:i386 libstdc++6:i386 \ 155 | libc6-dbg libc6-dbg:i386 \ 156 | libc6-dev-i386 157 | 158 | # Install glibc source 159 | package glibc-source 160 | cd /usr/src/glibc 161 | sudo tar -xf *.xz 162 | 163 | # Fix warning when loading .gdbinit files 164 | echo 'set auto-load safe-path /' > ~/.gdbinit 165 | 166 | # Add each glibc source dir to the GDB search path 167 | for p in $(find /usr/src/glibc/glibc* -type d); do 168 | echo "dir $p" >> ~/.gdbinit 169 | done 170 | 171 | # Enable ptracing 172 | sudo sed -i 's/kernel.yama.ptrace_scope = 1/kernel.yama.ptrace_scope = 0/g' /etc/sysctl.d/10-ptrace.conf 173 | sudo sysctl --system 174 | 175 | # Fix urllib3 InsecurePlatformWarning 176 | sudo -H pip install --upgrade urllib3[secure] 177 | } 178 | 179 | # Only install if script is being executed, not sourced 180 | if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then 181 | set -e 182 | 183 | init 184 | 185 | cd $HOMEDIR 186 | mkdir -p tools 187 | 188 | install_ pwndbg 189 | install_ peda 190 | install_ pwntools 191 | install_ pin 192 | #install_ afl 193 | 194 | # Multiple ROP gadget finders 195 | install_ ropgadget 196 | install_ rp 197 | install_ xrop 198 | 199 | install_ one_gadget 200 | 201 | install_ qemu 202 | install_ angr 203 | install_ frida 204 | fi 205 | --------------------------------------------------------------------------------