├── README.md
├── Vagrantfile
└── et_setup.sh

/README.md:
--------------------------------------------------------------------------------
# EpicTreasure - Batteries included CTF Vagrant box

## Tools included
* [Binjitsu](https://github.com/binjitsu/binjitsu)
* [Pwndbg](https://github.com/zachriggle/pwndbg)
* [Radare2](https://github.com/radare/radare2)
* [Firmware tools (fmk / qemu)](http://reverseengineering.stackexchange.com/questions/8829/cross-debugging-for-mips-elf-with-qemu-toolchain)
* [angr](https://github.com/angr/angr)
* [ROPGadget](https://github.com/JonathanSalwan/ROPgadget)

## Install VirtualBox
See the [VirtualBox downloads page](https://www.virtualbox.org/wiki/Downloads) for installation instructions for your operating system.

## Install Vagrant
See the [Vagrant downloads page](https://www.vagrantup.com/downloads.html) for installation instructions.

## Fire up the VM
```
git clone https://github.com/ctfhacker/epictreasure
cd epictreasure
vagrant up
... Go grab a coffee while we install all the things
vagrant ssh
```

## Default settings
By default, [my dotfiles](http://github.com/ctfhacker/dotfiles) are installed onto the VM. Comment out the following lines in et_setup.sh if you don't want my settings.

```
# Personal config
sudo apt-get -y install stow
cd /home/vagrant
rm .bashrc
git clone https://github.com/thebarbershopper/dotfiles
cd dotfiles
./install.sh
```

#### Terminal
* Colorscheme for the terminal and vim is [solarized](https://github.com/altercation/solarized)

#### Vim
* `jk` or `jj` to `ESC` out of Vim
* `ESC` and `Arrow keys` are hard coded to not work in Vim (as a teaching mechanism)
* `:` is remapped to `;` (who uses ; anyway?)
* leader key is `SPACE` (thanks to [spacemacs](https://github.com/syl20bnr/spacemacs))
* `SPACE p` will drop an embedded IPython line in a python script
* `H` moves to beginning of line, `L` moves to end of line (instead of `^` and `$`)

#### Tmux
* A new shell spawns a fresh `tmux` session
* `tmux` leader switched to `Ctrl+A`
* `Ctrl+A -` produces a horizontal pane. `Ctrl+A \` produces a vertical pane.
* `Ctrl+A [hjkl]` moves around available panes as vim motion

## Check correct installation

### Pwndbg

Run the following command in the VM:
```
gdb /bin/ls
```

Expected output:
```
Loaded 53 commands. Type pwndbg for a list.
Reading symbols from /bin/ls...(no debugging symbols found)...done.
Only available when running
pwn>
```

### Radare

Run the following command in the VM:
```
r2 /bin/ls
```

Expected output (an r2 prompt at the entry point, ready for `aaa`):
```
[0x00404890]> aaa
```

### Binjitsu

Run the following command in the VM:
```
python
>>> from pwn import *
>>> elf = ELF('/bin/ls')
[*] '/bin/ls'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE
    FORTIFY:  Enabled
>>> rop = ROP(elf)
[*] Loading gadgets for '/bin/ls'
```

### angr

Run the following commands in the VM:
```
python
>>> import angr
>>>
```

### Shared folder

Drop files in the `host-share` folder next to the Vagrantfile (created on the first `vagrant up` if it does not exist) to find them in the VM at `/home/vagrant/host-share`.

--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure("2") do |config|
  config.vm.box = "trusty64"
  # The box is downloaded without an integrity check. If you mirror it, pin its
  # hash with config.vm.box_download_checksum / config.vm.box_download_checksum_type.
  config.vm.box_url = "https://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box"
  config.vm.provision :shell, :path => "et_setup.sh", :privileged => false
  config.ssh.username = 'vagrant'
  # Agent forwarding lets anything running inside the VM use your host's SSH keys.
  # Set it to false if you run untrusted CTF binaries in this box.
  config.ssh.forward_agent = true

  config.vm.synced_folder "host-share", "/home/vagrant/host-share", :create => true

  config.vm.provider "virtualbox" do |vb|
    vb.customize ["modifyvm", :id, "--memory", "4096"]
  end
end

--------------------------------------------------------------------------------
/et_setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Updates
sudo apt-get -y update
sudo apt-get -y upgrade

sudo apt-get -y install python3-pip
sudo apt-get -y install tmux
sudo apt-get -y install gdb gdb-multiarch
sudo apt-get -y install unzip
sudo apt-get -y install foremost
sudo apt-get -y install ipython

# QEMU with MIPS/ARM - http://reverseengineering.stackexchange.com/questions/8829/cross-debugging-for-mips-elf-with-qemu-toolchain
sudo apt-get -y install qemu qemu-user qemu-user-static
sudo apt-get -y install 'binfmt*'
sudo apt-get -y install libc6-armhf-armel-cross
sudo apt-get -y install debian-keyring
sudo apt-get -y install debian-archive-keyring
sudo apt-get -y install emdebian-archive-keyring
# Temporarily add the Debian squeeze / emdebian repos for the cross libc packages.
# They are served over plain HTTP; apt verifies them against the keyrings installed above.
sudo tee /etc/apt/sources.list.d/emdebian.list << EOF
deb http://mirrors.mit.edu/debian squeeze main
deb http://www.emdebian.org/debian squeeze main
EOF
sudo apt-get update
sudo apt-get -y install libc6-mipsel-cross
sudo apt-get -y install libc6-arm-cross
# qemu-user looks for the target sysroots under /etc/qemu-binfmt/<arch>
sudo mkdir -p /etc/qemu-binfmt
sudo ln -sf /usr/mipsel-linux-gnu /etc/qemu-binfmt/mipsel
sudo ln -sf /usr/arm-linux-gnueabihf /etc/qemu-binfmt/arm
sudo rm /etc/apt/sources.list.d/emdebian.list
sudo apt-get update

# Install Binjitsu
sudo apt-get -y install python2.7 python-pip python-dev git
sudo pip install --upgrade git+https://github.com/binjitsu/binjitsu.git

cd
mkdir -p tools
cd tools

# Install pwndbg
git clone https://github.com/zachriggle/pwndbg
echo "source $(pwd)/pwndbg/gdbinit.py" >> ~/.gdbinit

# Capstone for pwndbg
git clone https://github.com/aquynh/capstone
cd capstone
git checkout -t origin/next
sudo ./make.sh install
cd bindings/python
sudo python3 setup.py install # Ubuntu 14.04+, GDB uses Python3

# pycparser for pwndbg
sudo pip3 install pycparser # Use pip3 for Python3

# Install radare2
cd ~/tools
git clone https://github.com/radare/radare2
cd radare2
./sys/install.sh

# Install binwalk
cd
git clone https://github.com/devttys0/binwalk
cd binwalk
sudo python setup.py install
sudo apt-get -y install squashfs-tools

# Install Firmware-Mod-Kit
sudo apt-get -y install git build-essential zlib1g-dev liblzma-dev python-magic
cd ~/tools
# Google Code is read-only now; this download URL may no longer resolve.
wget https://firmware-mod-kit.googlecode.com/files/fmk_099.tar.gz
tar xvf fmk_099.tar.gz
rm fmk_099.tar.gz
cd fmk_099/src
./configure
make

# Uninstall capstone
sudo pip2 uninstall capstone -y

# Install correct capstone
cd ~/tools/capstone/bindings/python
sudo python setup.py install

# Personal config
sudo apt-get -y install stow
cd /home/vagrant
rm .bashrc
git clone https://github.com/thebarbershopper/dotfiles
cd dotfiles
./install.sh

# Install Angr
cd /home/vagrant
sudo apt-get -y install python-dev libffi-dev build-essential virtualenvwrapper
sudo pip install angr --upgrade

# Install american-fuzzy-lop
sudo apt-get -y install clang llvm
cd ~/tools
wget --quiet http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
tar -xzvf afl-latest.tgz
rm afl-latest.tgz
(
cd afl-*
make
# build clang-fast
(
cd llvm_mode
make
)
sudo make install
)

# Install 32 bit libs
sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get -y install libc6:i386 libncurses5:i386 libstdc++6:i386
sudo apt-get -y install libc6-dev-i386

# Install apktool - from https://github.com/zardus/ctf-tools
sudo apt-get update
sudo apt-get install -y default-jre
wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool
wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.0.2.jar
sudo mv apktool_2.0.2.jar /bin/apktool.jar
sudo mv apktool /bin/
sudo chmod 755 /bin/apktool
sudo chmod 755 /bin/apktool.jar

# Install preeny
git clone --depth 1 https://github.com/zardus/preeny
cd preeny
# ctf-tools also builds preeny with its own cross toolchains in ../../crosstool;
# this box has none, so only do that when the directory exists.
if [ -d ../../crosstool/bin ]; then
    PATH=$PWD/../../crosstool/bin:$PATH
    for i in ../../crosstool/bin/*-gcc
    do
        t=$(basename "$i")
        CC=$t make -j "$(nproc)" -i
    done
fi
PLATFORM=-m32 setarch i686 make -i
mv x86_64-linux-gnu i686-linux-gnu
make -i

# Install Pillow
sudo apt-get -y build-dep python-imaging
sudo apt-get -y install libjpeg8 libjpeg62-dev libfreetype6 libfreetype6-dev
sudo pip install Pillow

# Install r2pipe
sudo pip install r2pipe

# Install angr-dev
cd ~/tools
git clone https://github.com/angr/angr-dev

# Install ROPGadget
cd ~/tools
git clone https://github.com/JonathanSalwan/ROPgadget
cd ROPgadget
sudo python setup.py install
--------------------------------------------------------------------------------
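The README's "Check correct installation" section asks you to open each tool and eyeball a prompt. Below is an added example, not part of EpicTreasure, that runs the same checks non-interactively (for instance via `vagrant ssh -c 'sh check_tools.sh'` right after provisioning) and prints one PASS/FAIL line per tool. The file name `check_tools.sh`, the `check`/`run_checks` function names and the `$CHECKS_OK` variable are my own; the commands inside are the README's checks in batch form.

```shell
#!/bin/sh
# Added example, not part of EpicTreasure: the README's "Check correct
# installation" steps as a non-interactive report.
PASSED=0
FAILED=0

# check LABEL CMD [ARGS...]: run CMD with its output discarded and record the result.
# Always returns 0 so one missing tool never hides the remaining results.
check() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then
        PASSED=$((PASSED + 1)); echo "PASS  $label"
    else
        FAILED=$((FAILED + 1)); echo "FAIL  $label  ($*)"
    fi
    return 0
}

# The README's checks in batch mode: gdb runs pwndbg's own `pwndbg` command
# (which only exists if ~/.gdbinit loaded it), r2 analyses /bin/ls, the two
# Python stacks import, ROPgadget and qemu-user are on PATH, the share is mounted.
run_checks() {
    PASSED=0; FAILED=0
    check "pwndbg loads in gdb"        gdb -batch -ex pwndbg /bin/ls
    check "radare2 analyses a binary"  r2 -q -c aaa /bin/ls
    check "binjitsu: ELF('/bin/ls')"   python -c 'from pwn import ELF; ELF("/bin/ls")'
    check "binjitsu: ROP(elf)"         python -c 'from pwn import ELF, ROP; ROP(ELF("/bin/ls"))'
    check "angr imports"               python -c 'import angr'
    check "ROPgadget on PATH"          ROPgadget --version
    check "qemu-mipsel on PATH"        command -v qemu-mipsel
    check "host-share mounted"         test -d "$HOME/host-share"
    echo "$PASSED passed, $FAILED failed"
    [ "$FAILED" -eq 0 ]
}

# Run the report; do not exit, so a script that sources this file can read $FAILED.
if run_checks; then CHECKS_OK=1; else CHECKS_OK=0; fi
```

Every check is a command whose exit status already encodes success, so no output parsing is needed; `gdb -batch` exits non-zero when a `-ex` command errors, which is what happens when pwndbg did not load and `pwndbg` is an unknown command.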
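et_setup.sh installs qemu-user, gdb-multiarch and the mipsel/arm cross libc, and symlinks those sysroots under /etc/qemu-binfmt, but for how to use them it only links out to a Stack Exchange answer. The following added example (mine, not the project's and not the linked answer's code) reads `e_machine` and `EI_DATA` from an ELF header to pick the matching qemu-user binary and the sysroot the script installed, then either runs the binary or starts it under qemu's `-g` gdbstub and prints the `gdb-multiarch` command to attach. The big-endian MIPS sysroot path `/usr/mips-linux-gnu` is an assumption; the setup script only installs the mipsel and arm ones. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of EpicTreasure: choose qemu-user + sysroot for a
# foreign ELF using the cross libc et_setup.sh installs (mipsel, arm).
set -u

# elf_byte_order FILE: "little" or "big" from EI_DATA (byte 5 of the ELF header).
elf_byte_order() {
    case "$(od -An -tu1 -j5 -N1 "$1" | tr -d ' ')" in
        2) echo big ;;
        *) echo little ;;
    esac
}

# elf_machine FILE: decimal e_machine (header bytes 18-19) in the header's byte order.
# Fails (status 1) on anything that does not start with the ELF magic.
elf_machine() {
    f=$1
    if [ "$(od -An -tx1 -N4 "$f" | tr -d ' \n')" != "7f454c46" ]; then
        echo "$f: not an ELF file" >&2
        return 1
    fi
    order=$(elf_byte_order "$f")
    set -- $(od -An -tu1 -j18 -N2 "$f")
    [ $# -eq 2 ] || { echo "$f: truncated ELF header" >&2; return 1; }
    if [ "$order" = big ]; then
        echo $(( $1 * 256 + $2 ))
    else
        echo $(( $2 * 256 + $1 ))
    fi
}

# qemu_for FILE: print "qemu-<arch> -L <sysroot>" for the binary, or nothing for
# native x86 (the i386 libs from et_setup.sh cover 32-bit). Unknown arch is an error.
qemu_for() {
    f=$1
    m=$(elf_machine "$f") || return 1
    case "$m" in
        3|62) ;;                                            # i386 / x86-64: run natively
        8)  if [ "$(elf_byte_order "$f")" = big ]; then
                echo "qemu-mips -L /usr/mips-linux-gnu"      # assumption: not installed by et_setup.sh
            else
                echo "qemu-mipsel -L /usr/mipsel-linux-gnu"  # symlinked as /etc/qemu-binfmt/mipsel
            fi ;;
        40) echo "qemu-arm -L /usr/arm-linux-gnueabihf" ;;   # symlinked as /etc/qemu-binfmt/arm
        *)  echo "$f: unsupported e_machine $m" >&2; return 1 ;;
    esac
}

# run_foreign FILE [ARGS...]: execute the binary natively or under qemu-user.
run_foreign() {
    f=$1; shift
    q=$(qemu_for "$f") || return 1
    $q "$f" "$@"   # $q is deliberately unquoted: "qemu-xxx -L sysroot" or empty
}

# debug_foreign FILE [PORT]: start the binary under qemu's gdbstub (-g PORT, default
# 1234) and print the gdb-multiarch command to attach from a second shell.
debug_foreign() {
    f=$1; port=${2:-1234}
    q=$(qemu_for "$f") || return 1
    if [ -z "$q" ]; then
        echo "$f is native; run gdb directly" >&2
        return 1
    fi
    case "$(elf_machine "$f")" in 8) arch=mips ;; *) arch=arm ;; esac
    echo "attach with: gdb-multiarch -q -ex 'set architecture $arch'" \
         "-ex 'set endian $(elf_byte_order "$f")' -ex 'target remote :$port' $f"
    $q -g "$port" "$f"
}
```

The dispatch reads the header rather than trusting a file extension or `file(1)` output, so a binary renamed to hide its architecture still lands on the right emulator; anything that is not ELF, or an architecture this box has no sysroot for, is refused instead of being run.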
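et_setup.sh fetches afl-latest.tgz over plain HTTP, and the apktool launcher and jar and the fmk tarball with bare `wget`, then builds or installs what arrived (the apktool files straight into /bin as root) without checking it. The Vagrantfile pulls the base box the same way. As an added example that is not part of the project, here is the download step rewritten as fetch, verify SHA-256 against a pinned digest, then install. No real digests are embedded: `APKTOOL_SHA256` in the usage comment is a placeholder a maintainer fills in after checking the upstream hash once, and the function names are my own.

```shell
#!/bin/sh
# Added example for EpicTreasure's provisioning (not part of the project):
# download -> verify SHA-256 -> install, replacing the bare `wget URL; mv` steps.
set -u

# sha256_of FILE: hex digest using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1   # macOS hosts
    fi
}

# verify_sha256 FILE EXPECTED_HEX: 0 if the digest matches, 1 otherwise.
# An empty pin is an error, not a pass: forgetting the hash must not disable the check.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ -z "$expected" ]; then
        echo "refusing $file: no pinned digest" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "digest mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# fetch_verified URL EXPECTED_HEX DEST: download to a temp file beside DEST, verify,
# then move into place. On any failure the download is deleted so a later step
# cannot pick up an unverified file by accident.
fetch_verified() {
    url=$1; expected=$2; dest=$3
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if ! wget --quiet -O "$tmp" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage in et_setup.sh (APKTOOL_SHA256 is a placeholder the maintainer pins):
#   fetch_verified https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.0.2.jar \
#       "$APKTOOL_SHA256" apktool_2.0.2.jar \
#   && sudo install -m 755 apktool_2.0.2.jar /bin/apktool.jar
```

Pinning a digest in the repo turns "whatever the mirror served today" into "the exact artifact the maintainer reviewed"; it does not make HTTP safe by itself, but a tampered or truncated download now stops provisioning instead of becoming a root-owned file in /bin. For the base box, Vagrant offers the same idea natively via `config.vm.box_download_checksum` and `config.vm.box_download_checksum_type`.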