I’ll be working through the Phoenix challenges and posting my solution to each level. This initial post describes how to get set up to follow along. Most of the solutions will use the amd64 architecture. For some I’ve resorted to using i486, either because it’s impossible to solve on amd64 or because I don’t possess such knowledge. I’m doing this to learn more about binary exploitation, so please let me know if there’s a better way to do something or if you have a solution where I do not.
What is Exploit.education?
“exploit.education provides a variety of resources that can be used to learn about vulnerability analysis, exploit development, software debugging, binary analysis, and general cyber security issues.”
What is Phoenix?
“Phoenix introduces basic memory corruption issues such as buffer overflows, format strings and heap exploitation under “old-style” Linux system that does not have any form of modern exploit mitigation systems enabled. It has both 32 bit and 64 bit levels available, for both x86 and ARM systems.”
Installing QEMU
Phoenix is provided as a file system image for QEMU, an emulator that performs hardware virtualization. It’s basically a virtual machine. Some people may not be familiar with it or how to run a QEMU machine, so I’ll go over the setup first on both Linux & Windows systems.
Linux
If you’re using Linux as your host machine, you can follow the install instructions for your particular distro on their website: https://www.qemu.org/download/
Windows
From the same site, you can follow the “x64” link to download a Windows installation binary: https://qemu.weilnetz.de/w64/
As of this writing, the latest version can be downloaded here: https://qemu.weilnetz.de/w64/qemu-w64-setup-20190218.exe
Just execute the installer and leave the defaults.
Running the Phoenix Image
Next, you’ll need to download Phoenix from https://exploit.education/downloads/. I’ll be using the Qcow2 AMD64 image.
Linux
Extract the downloaded file:
tar xJf exploit-education-phoenix-amd64-v1.0.0-alpha-3.tar.xz
Execute the boot script:
cd exploit-education-phoenix-amd64/
./boot-exploit-education-phoenix-amd64.sh
Now that the image is running, you can SSH to the machine with “user” as both the username and the password:
ssh -p2222 user@localhost
Windows
You can use WinRAR to extract the downloaded file. Once installed, just right-click on the downloaded Phoenix image file & select “Extract Here.”
The boot script created for Linux won’t work here. Luckily, it doesn’t take much to modify it to work for PowerShell. Create a new file in the exploit-education-phoenix-amd64 folder called boot-exploit-education-phoenix-amd64.ps1 and paste the following contents:
\Program` Files\qemu\qemu-system-x86_64.exe `
    -kernel vmlinuz-4.9.0-8-amd64 `
    -initrd initrd.img-4.9.0-8-amd64 `
    -append "root=/dev/vda1" `
    -m 1024M `
    -netdev user,id=unet,hostfwd=tcp:127.0.0.1:2222-:22 `
    -device virtio-net,netdev=unet `
    -drive file=exploit-education-phoenix-amd64.qcow2,if=virtio,format=qcow2,index=0
Edit: Here’s an alternative from a recommendation (see link in comments):
$params = @{
    kernel = 'vmlinuz-4.9.0-8-amd64'
    initrd = 'initrd.img-4.9.0-8-amd64'
    append = 'root=/dev/vda1'
    m      = '1024M'
    netdev = 'user,id=unet,hostfwd=tcp:127.0.0.1:2222-:22'
    device = 'virtio-net,netdev=unet'
    drive  = 'file=exploit-education-phoenix-amd64.qcow2,if=virtio,format=qcow2,index=0'
}
& '\Program Files\qemu\qemu-system-x86_64.exe' @params
Now you can simply right-click that file and select “Run with PowerShell.” Of course, this assumes that you’ve installed QEMU to C:\Program Files\qemu. If not, simply change the path in the PowerShell script. Note that I escaped the space with a backtick (`) character.
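The hostfwd=tcp:127.0.0.1:2222-:22 part of the -netdev option in both boot scripts is what makes the VM reachable over SSH, and the 127.0.0.1 is what keeps the user/user account (on a machine with no exploit mitigations) reachable only from your own host. Here is an added check of my own, not part of Phoenix or QEMU, that parses QEMU's hostfwd syntax ([tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport) and reports any forward whose host side is not loopback; it assumes the -netdev value is passed as a single string as shown above.

```python
"""Parse QEMU -netdev user,... hostfwd rules and flag non-loopback binds.

Added example for this write-up; not part of the Phoenix image or QEMU.
"""
import ipaddress
from typing import List, NamedTuple


class HostFwd(NamedTuple):
    proto: str
    host_addr: str  # '' means QEMU binds the port on every host interface
    host_port: int
    guest_addr: str
    guest_port: int

    @property
    def loopback_only(self) -> bool:
        """True only when the host side is explicitly a loopback address."""
        if not self.host_addr:
            return False
        return ipaddress.ip_address(self.host_addr).is_loopback


def parse_netdev(spec: str) -> List[HostFwd]:
    """Return every hostfwd rule in the value of a -netdev user,... argument."""
    fields = spec.split(",")
    if fields[0] != "user":
        raise ValueError("only -netdev user,... carries hostfwd rules")
    rules = []
    for field in fields[1:]:
        key, _, value = field.partition("=")
        if key != "hostfwd":
            continue  # id=, net=, etc. are not forwards
        # e.g. value == "tcp:127.0.0.1:2222-:22"; proto and addresses are optional
        host_part, _, guest_part = value.partition("-")
        proto, host_addr, host_port = host_part.split(":")
        guest_addr, guest_port = guest_part.split(":")
        rules.append(HostFwd(proto or "tcp", host_addr, int(host_port),
                             guest_addr, int(guest_port)))
    return rules


def exposed_forwards(spec: str) -> List[str]:
    """One warning line per forward reachable from beyond the host itself."""
    return [
        f"{r.proto}:{r.host_addr or '0.0.0.0'}:{r.host_port} -> guest:{r.guest_port} "
        "is reachable from the network, not just this host"
        for r in parse_netdev(spec) if not r.loopback_only
    ]


if __name__ == "__main__":
    # Constructed input: the exact -netdev value used in the boot scripts above.
    print(exposed_forwards("user,id=unet,hostfwd=tcp:127.0.0.1:2222-:22") or "ok")
```

Running it on the boot script's value prints "ok"; an omitted host address (hostfwd=tcp::2222-:22) or 0.0.0.0 produces a warning instead.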
With the image running, you can either use the “GUI” window to log in and do your work or, preferably, use an SSH client to log into the machine. The Windows Subsystem for Linux (WSL) will work just fine as an SSH client. You can find installation instructions here: https://docs.microsoft.com/en-us/windows/wsl/install-win10. To log in via SSH:
ssh -p2222 user@localhost
Or, if you’re old fashioned, you can just use PuTTY.
Really helpful, many thanks.