Today I have a topic from outside the yellow world.
For several years I have been interested in IT security. I do a lot of troubleshooting with so-called hacker tools, and they are really useful in my daily work! So I started to learn more about these tools. Good resources for learning Kali Linux, Burp Suite or Metasploit are vulnerable VMs or services like Hack The Box. During these challenges, and while watching the videos of LiveOverflow, I played with IDA Free and Radare2 to reverse specially prepared binaries. Reading the disassembled code is not that hard, but it is a challenge.
In a video from DEF CON 23 I heard about angr for the first time, and I like it very much. There is a GUI for it too, but I couldn't install the dependencies on my Ubuntu machine. In Kali Linux it worked perfectly, but not on my local installation.
On Docker Hub you can download a ready-made container with the latest angr-management. This container uses your local X server, so you need some extra parameters at start, and you can map a local path into the container so that you can access your binaries:
docker run --name angr-mgmt -e QT_X11_NO_MITSHM=1 -e DISPLAY=$DISPLAY -v $PWD:/home/angr/pwd -v /tmp/.X11-unix:/tmp/.X11-unix angr/angr-management
So what does this all mean?
--name angr-mgmt: I give the container a name, so I can start it again with
docker start angr-mgmt
-e QT_X11_NO_MITSHM=1: Without that I got security errors during the X server access, but in that thread I got the information that it's faster to use
-e DISPLAY=$DISPLAY: pass the $DISPLAY environment variable into the container
-v $PWD:/home/angr/pwd: map the directory you are currently in to the container path /home/angr/pwd
-v /tmp/.X11-unix:/tmp/.X11-unix: map the local X socket directory into the container so it can reach the X server. Keep in mind that this gives the container the same access to your display as any other local X client.
angr/angr-management: name of the Docker image
Final container command
docker run --name angr-mgmt --ipc host -e DISPLAY=$DISPLAY -v $PWD:/home/angr/pwd -v /tmp/.X11-unix:/tmp/.X11-unix angr/angr-management
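As an added example (not from the original post and not the angr project's own run-docker.sh), here is a small POSIX shell wrapper around the procedure above. It builds the docker run line from the post (image angr/angr-management, mount point /home/angr/pwd), lets you choose between the two variants (--ipc host, which shares the host IPC namespace so Qt can use MIT-SHM, or QT_X11_NO_MITSHM=1, which keeps the container's own IPC namespace), and reuses the named container with docker start when it already exists. The container name angr-mgmt is taken from the post; the function names and the X socket check are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the original post or the angr project.
# Wraps the docker run command for angr-management described above.

IMAGE="angr/angr-management"   # image name from the post
NAME="angr-mgmt"               # container name from the post

# Print (do not execute) the docker run command for a host directory.
#   $1 = host directory to mount at /home/angr/pwd
#   $2 = "ipc"   -> --ipc host (host IPC namespace, MIT-SHM works)
#        "noshm" -> -e QT_X11_NO_MITSHM=1 (own IPC namespace, slower drawing)
#   $3 = X display, defaults to $DISPLAY
# Printing first lets you review the exact mounts before anything runs.
angr_mgmt_run_cmd() {
    amr_dir=$1
    amr_mode=${2:-ipc}
    amr_display=${3:-$DISPLAY}
    case "$amr_mode" in
        ipc)   amr_extra="--ipc host" ;;
        noshm) amr_extra="-e QT_X11_NO_MITSHM=1" ;;
        *)     echo "unknown mode: $amr_mode (use ipc or noshm)" >&2; return 1 ;;
    esac
    printf 'docker run --name %s %s -e DISPLAY=%s -v %s:/home/angr/pwd -v /tmp/.X11-unix:/tmp/.X11-unix %s\n' \
        "$NAME" "$amr_extra" "$amr_display" "$amr_dir" "$IMAGE"
}

# Return 0 if the X socket for the given display exists on the host.
# Without it the bind mount of /tmp/.X11-unix is useless to the container.
angr_mgmt_check_x() {
    amc_display=${1:-$DISPLAY}
    amc_num=${amc_display#:}      # ":1" -> "1"
    amc_num=${amc_num%%.*}        # "1.0" -> "1"
    [ -S "/tmp/.X11-unix/X$amc_num" ]
}

# Reuse the named container if it exists, otherwise create it from the image.
# Note: the container sees your X display and, in ipc mode, the host IPC
# namespace, so only open binaries you are prepared to run on this machine.
angr_mgmt_start() {
    ams_dir=$(cd "${1:-$PWD}" && pwd) || return 1   # absolute path for the mount
    ams_mode=${2:-ipc}
    if ! angr_mgmt_check_x "$DISPLAY"; then
        echo "no X socket for DISPLAY=$DISPLAY in /tmp/.X11-unix" >&2
        return 1
    fi
    if docker container inspect "$NAME" >/dev/null 2>&1; then
        docker start "$NAME"
    else
        ams_cmd=$(angr_mgmt_run_cmd "$ams_dir" "$ams_mode") || return 1
        eval "$ams_cmd"
    fi
}

# Usage: ./angr-mgmt.sh [directory-with-binaries] [ipc|noshm]
if [ $# -gt 0 ]; then
    angr_mgmt_start "$@"
fi
```

Run it as `./angr-mgmt.sh ~/crackmes` from the directory you want mounted; the second call just restarts the existing container, so remove it with `docker rm angr-mgmt` if you want a different mount or mode later.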
Testing the software
As a first test I opened an example binary from the angr documentation named crackme0x00a. That's a very easy binary (used in lots of tutorials), because the password can be found as a plain string in the disassembled code, but I think you get a picture of angr:
Today I tried some more things from the documentation and, behind some links, I found https://github.com/angr/angr-management/blob/master/run-docker.sh, so the Docker start can be done with the shell script on GitHub. There is a second one for Mac OS X too.