Category: Labs

Home / Category: Labs

DracOs Environment – My Build Lab

December 24, 2016 | Labs | No Comments

My role on team require me to build specific environment to do development. As you know DracOs is a LFS-based linux distribution, means we build it from ground up. We are not remastering or modify another distro. A pure linux tailored for our need.

My development lab is simple. All the build is done on virtual machine, I choose VirtualBox. Two virtual machines are needed. The first VM is Builder while the second one is Target. The Target is the final product of DracOs which can be boot on (theoretically) any environment. So Target will be a VM for running tests. On development process, Target would be mounted to Builder. Builder will do all the works. Basically Builder will build two things: tools and Target.

In this article I will describe the setting I use to create build environment (version 1). This version has not integrated with much stuffs but works for first phase.

Virtual Machines Specification

Builder

  • Arch Linux template
  • Processors: 4 CPUs
  • RAM 4096 MB (4GB)
  • HDD
    • /dev/sda (20GB) Builder.vdi
      • /dev/sda1 – / (8GB) ext4
      • /dev/sda2 – (2GB) swap
      • /dev/sda3 – /tools (5GB) ext4 for x86_64
      • /dev/sda4 – /tools (5GB) ext4 for i386
    • /dev/sdb  (mounted Target.vdi)

Remaining space are unused

Target

  • Arch Linux template
  • Processors 1 CPUs
  • RAM 1024 MB (1GB)
  • HDD
    • /dev/sda (24GB GPT) Target.vdi
      • /dev/sda1 – EFI (1GB) for EFI partition
      • /dev/sda2 – swap for linux swap
      • /dev/sda1 – / (10GB) ext4 for 64bit branch
      • /dev/sda2 – / (10GB) ext4 for 32bit branch

As you see, Target will be mounted to Builder.

I choose Arch Linux because I need lightweight distro to do the job.

At this point, my lab is deviate a little from LFS build environment. The LFS guide recommended to make a partition for LFS with tools as a part of LFS partition. In my lab, I separate both tools and sources in Builder machine and bind them to Target if necessary. This way I won’t need to remove things.

Setup Target

The setup we do is to create proper partition. I know we could do this on Builder, but I decide to separate the two things so we can clearly see each roles and functions.

Boot ArchLinux ISO. Once we are prompted, run fdisk to partition.

target# fdisk /dev/sda

My final partition layout would be like this

target# fdisk -l /dev/sda
Disk /dev/sdb: 24 GiB, 25769803776 bytes, 50331648 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 84916FEB-BDFF-4860-A9C8-C4C2D351E9B9

Device        Start      End  Sectors Size Type
/dev/sda1      2048  2099199  2097152   1G EFI System
/dev/sda2   2099200  8390655  6291456   3G Linux swap
/dev/sda3   8390656 29362175 20971520  10G Linux filesystem
/dev/sda4  29362176 50331614 20969439  10G Linux filesystem

Then we format each partition.

target# mkfs.ext4 /dev/sda3
target# mkfs.ext4 /dev/sda4

Shutdown

target# shutdown -h -P now

Setup Builder

I will divide the process into three sections: prepare, install, builder. Each phase has it’s own purpose and identified by the name before the prompt.

I don’t create user other than lfs. This user is comply with LFS guide and would be the only user in system (other than root).

Actually, this is not much different to typical Arch Linux installation.

Prepare Phase

Prepare environment before doing installation.

US keymap is OK for me so nothing to change.

Make sure network is up and we can ping to internet.

prepare# ping archlinux.org

Update the system clock. Synchronize with NTP to ensure system clock is accurate.

prepare# timedatectl set-ntp true
prepare# timedatectl status

Part the dist, make following partitions

target# fdisk -l /dev/sda
Disk /dev/sda: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xaec171fe

Device     Boot    Start      End  Sectors Size Id Type
/dev/sda1           2048 16779263 16777216   8G 83 Linux
/dev/sda2       16779264 20973567  4194304   2G 82 Linux swap / Solaris
/dev/sda3       20973568 31459327 10485760   5G 83 Linux
/dev/sda4       31459328 41943039 10483712   5G 83 Linux

and format them

prepare# mkfs.ext4 /dev/sda1
prepare# mkfs.ext4 /dev/sda3
prepare# mkfs.ext4 /dev/sda4
prepare# mkswap /dev/sda2
prepare# swapon /dev/sda2

mount the file systems.

prepare# mount /dev/sda1 /mnt
prepare# mkdir /mnt/tools
prepare# mkdir /mnt/sources
prepare# mkdir /mnt/scripts

Install Phase

Select mirrors. All packages downloaded from mirrors so we need to make sure selecting correcting server. Nearby servers are preferred. Open /etc/pacman.d/mirrorlist and start rearranging.

Strap minimum installation

install# pacstrap /mnt base

generate fstab with current condition

install# genfstab -U /mnt >> /mnt/etc/fstab

then chroot

install# arch-chroot /mnt

Set the timezone. Here we also generate /etc/localtime.

install(chroot)# ln -s /usr/share/zoneinfo/Asia/Jakarta /etc/localtime

Uncomment en-US.UTF-8 UTF-8 and other needed localization in /etc/locale.gen. Then generate them with.

install(chroot)# locale-gen

Change hostname and hosts.

install(chroot)# echo "Builder" > /etc/hostname
install(chroot)# echo "127.0.0.1    builder.localdomain   builder" >> /etc/hosts

creating new initramfs is usually not required. However I jsut want to make sure.

install(chroot)# mkinitcpio -p linux

Change root password.

install(chroot)# passwd

Create new username lfs for development only.

groupadd lfs
useradd -m -g lfs -k /dev/null -s /bin/bash lfs
passwd lfs

Update repository

install(chroot)# pacman -Syy
install(chroot)# pacman -S sudo

Install bootloader. I choose GRUB. (see this)

install(chroot)# pacman -S grub
install(chroot)# grub-install --target=i386-pc /dev/sda
install(chroot)# grub-mkconfig -o /boot/grub/grub.cfg

Enable networking services.

install(chroot)# systemctl enable dhcpcd

Reboot, make sure our base system is installed and ready to use.

install(chroot)# exit
install# reboot

Builder Phase

Install linux header. This is important for building DKMS modules. We also need base-devel for building process so it’s a crucial component.

builder# pacman -S net-tools pkgfile base-devel

Leveraging CLI to do all stuffs is interesting. However I need to produce script and stuffs for development process thus I install GUI. It is not a necessary thing for build machine.

builder# pacman -S xf86-video-vesa   # let test X window system when we don't have Virtualbox guest addition installed yet
builder# pacman -S alsa-utils
builder# pacman -S xorg-server xorg-xinit
builder# pacman -S ttf-dejavu ttf-droid ttf-inconsolata
builder# pacman -S terminus-font
builder# pacman -S xorg-twm xorg-xclock xterm
builder# pacman -S xfce4 xfce4-goodies

Next create virtualbox modules so we can interact with Builder from host system

builder# pacman -S linux-headers
builder# pacman -S virtualbox-guest-utils

builder# nano /etc/modules-load.d/virtualbox.conf
	vboxguest
	vboxsf
	vboxvideo

builder# systemctl enable vboxservice.service

Let’s see the result by starting xfce. Nice desktop and nice mouse logo should be there.

builder# startxfce4

Install and configure some tools

builder# pacman -S git
builder# pacman -S python

In most case I utilize the builder remotely using SSH so I need to install OpenSSH. This way I can use my freely copy-and-paste commands on my SSH client.

builder# pacman -S openssh

Next time, I should use this to connect (with some name registration in my local machine)

client# ssh [email protected]

Docker Lab – Docker, Apache, MySQL, PHP (DAMP)

October 18, 2016 | Labs | No Comments

This lab might be used for my upcoming workshop.

The goal of this lab is to setup “LAMP” environment on top of docker ecosystem. Technically speaking we will use simple containers on single docker host. Although the title is about DAMP (Docker, Apache, MySQL, PHP) in practice we will spawn two containers, which are:

  1. MySQL Container – where data reside.
  2. WordPress Container – where actual wordpress application run

I do hope you have know basic docker before proceeding.

Step

Planning

Our lab is simple wordpress with MySQL backend. Both MySQL and WordPress will use latest version. Nothing special here.

We don’t want to use default password therefore we will override them.

Creating Lab Network

The reason we create new network is for isolation. This is optional, we can use default network provided by docker. But the goal for new lab network is to give every container in lab ability to communicate with each other without affecting other lab (and containers there).

docker network create --driver bridge lab1-damp

This network lab should reside on same Docker host. If we are using swarm, consider using overlay network.

Generate Password

We need two strong password. One for MySQL root password. Another one for WordPress user. This two password will be passed to containers through environment variable. You can generate any string as password and export them in the end.

export ROOT_PASSWORD=<my super secure mysql root password>
export WORDPRESS_PASSWORD=<my super secure wordpress password>

Make sure you replace the password with your own.

Spawn MySQL Container

We will override four configuration. They are exposed as “environment variable” by docker which we can change.

docker run -d --name mysql \
--env MYSQL_ROOT_PASSWORD=${ROOT_PASSWORD} \
--env MYSQL_USER=wordpress \
--env MYSQL_PASSWORD=${WORDPRESS_PASSWORD}\
--env MYSQL_DATABASE=wordpress \
--net lab1-damp \
mysql

The configurations that we override is self explaining.

We are detaching the container so the container would run in “background” when we can do something else.

Verify that the container is running

docker ps

Spawn WordPress Container

WordPress is PHP application, that way WP is running on top of web server and PHP interpreter. Technically speaking our container would have Apache HTTPD and PHP installed so we only concern about our WordPress.

docker run -d -p 80:80 --name wordpress \
--env WORDPRESS_DB_HOST=mysql:3306 \
--env WORDPRESS_DB_USER=wordpress \
--env WORDPRESS_DB_PASSWORD=${WORDPRESS_PASSWORD} \
--env WORDPRESS_DB_DATABASE=wordpress \
--net lab1-damp \
wordpress

We expose this container’s port 80 and map it to our port 80. As we know WordPress need MySQL instance so we provide pointer to our container with WORDPRESS_DB_HOST environment.

To verify the container is running, again:

docker ps

we can also try to check it.

docker exec -ti wordpress bash

We are now connected to wordpress instance by tty. Specifically, we are running new process which is bash on container. To exit, give command exit.

Configure

Use browser and go to http://localhost and you would see famous WordPress installation page, something like this. Just do your configuration.

screen-shot-2016-10-19-at-01-01-53

Challenge

  1. Inspect the wordpress container. Can you open the page with its IP address instead of localhost?
  2. Stop mysql, will wordpress run normally? Try starting mysql to confirm it.
  3. Remove mysql and create new mysql container without MYSQL_PASSWORD set. Restart wordpress. Will it successfully run? Try omit other.
  4. Exec bash on wordpress. Can you find the www directory? Try creating a file to confirm it.
  5. Exec bash on mysql. Can you find the data directory?

Register yourself if you have not yet.

Access the challenge at http://ringzer0team.com/challenges/11

Download the subject,  the checksum:

  • f6816b590d2021a16ba8005aa235e6a3 (md5)
  • b8c18db3e4678e09683e3b20e9004d1183c2420b (sha1)

The challenge clearly instruct as to utilize GDB. In this case, I have customize my GDB using init script which can be downloaded from my github.

After downloading the binary, ran ‘file’ then ‘readelf’ to get some initial information about the file.

# file 88eb31060c4abd0931878bf7d2dd8c1a
88eb31060c4abd0931878bf7d2dd8c1a: ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=a5f44b829c4727ed369f823f19d575087673f34e, not stripped

# readelf -h 88eb31060c4abd0931878bf7d2dd8c1a
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048380
  Start of program headers:          52 (bytes into file)
  Start of section headers:          4508 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         9
  Size of section headers:           40 (bytes)
  Number of section headers:         30
  Section header string table index: 27

We know the entrypoint which is 0x8048380 and certain that the file is ELF32.

Load the binary to GDB, we use Intel syntax instead of AT&T syntax and break to entrypoint. We then run the binary so we can reach our breakpoint.

# gdb 88eb31060c4abd0931878bf7d2dd8c1a
gdb$ set disassembly-flavor intel
gdb$ break *0x8048380
gdb$ run

If you are using my .gdbinit script you can see the all the registers. If not, see the disassembly of $eip and let’s analyze the code.

gdb$ disassemble $eip

See the code and learn that there are interesting parts.

...
   0x080484ae <+66>:	mov    DWORD PTR [eax],0x47414c46
   0x080484b4 <+72>:	mov    DWORD PTR [eax+0x4],0x3930342d
   0x080484bb <+79>:	mov    WORD PTR [eax+0x8],0x32
...
   0x080484e9 <+125>:	mov    DWORD PTR [eax],0x75393438
   0x080484ef <+131>:	mov    DWORD PTR [eax+0x4],0x6a326f69
   0x080484f6 <+138>:	mov    WORD PTR [eax+0x8],0x66
...
   0x08048530 <+196>:	mov    DWORD PTR [eax],0x6a736c6b
   0x08048536 <+202>:	mov    DWORD PTR [eax+0x4],0x6c6b34

All of them are pushing the code into some region of memory pointed by eax. It’s ASCII, if you know. Let’s search it in our ASCII table.

0x47414c46   ==> GALF
0x3930342d   ==> 904-
0x32         ==> 2
...
0x75393438   ==> u948
0x6a326f69   ==> j2oi
0x66         ==> f
...
0x6a736c6b   ==> jslk
0x6c6b34     ==> lk4

Well, it doesn’t make sense, unless you remember they are pushed in reverse order for each word. So, the flag would be

FLAG-4092849uio2jfklsj4kl

Submit the flag!

Initially I post the password in this article. When I move the article here from old site, I think I should remove it.

OverTheWire.org is one of good site offer WarGames. In this context, WarGame is a game specifically designed to help people learn and practice security concepts in the form of fun-filled game. One of wargame category provided by OverTheWire is Bandit category which is aimed at absolute beginners.

This writeup contains solutions of the OverTheWire challenges Bandit category which I solved. The solutions written here is for level 20 above.

Jump Table

How to Play

Bandit, like other games, is organized in levels. We start playing at level 0 and try to “beat” or “finish” it. Finishing a level results in information on how to start the next level. Every level beaten will give clue how to start next level.

There are several things you can try when you are unsure how to continue:

  • First, if you know a command, but don’t know how to use it, try the manual (man page) by entering “man <command>” (without the quotes). e.g. if you know about the “ls” command, type: man ls. The “man” command also has a manual, try it. Press q to quit the man command.
  • Second, if there is no man page, the command might be a shell built-in. In that case use the “help <X>” command. E.g. help cd
  • Also, your favorite search-engine is your friend.
  • Lastly, if you are still stuck, you can join us on IRC

Level 20

ssh [email protected]

pass:

There exist an executable file “suconnect”. It makes a connection to localhost on the port we specify as commandline argument. It then reads a line of text from the connection and compares it to the password in the current level. If the password is correct, it will transmit the password for level 21.

All we need to do is run nc listening on a random port, then connect to it with suconnect. Then we send the password throuch the nc session and suconnect sends back the new password.

$ nc -l 13510 < /etc/bandit_pass/bandit20 &
$ ./suconnect 13510

Level 21

ssh [email protected]

pass:

There is a cron job that we need to look at. In /etc/cron.d there exist some cron files, but our objective is cronjob_bandit22 which look promising. Investigate it to see what this script do.

The script will execute a script on /usr/bin/cronjob_bandit22.sh which will dump /etc/bandit_pass/bandit22 to /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv file.

$ cat /etc/cron.d/cronjob_bandit22
$ cat /usr/bin/cronjob_bandit22.sh
$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Level 22

ssh [email protected]

pass:

Another cronjob. This time, the script used by cronjob is copying /etc/bandit_pass/bandit23 as something in /tmp. There’s no need for you to figure out the filename, we can always recreate the condition.

$ cat /etc/cron.d/cronjob_bandit23
$ cat /usr/bin/cronjob_bandit23.sh
$ cat /tmp/$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)

Level 23

ssh [email protected]

pass:

Another cronjob.

In this level, we need to create our own shell script to run. The cronjob script will execute (and later delete) scripts on /var/spool/bandit24. That way, we can create a script on that directory which dump password from /etc/bandit_pass/bandit24 to anywhere we desire. We just need to make sure the script is executable.

The script we create:

#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/bandit24xathpass
chmod 777 /tmp/bandit23xathpass

Then we do:

cat /tmp/bandit24xathpass

Level 24

ssh [email protected]

pass:

Another tedious level.

There exist a service running on port 30002. It asks two words: password for bandit25 and secret number 4-digit pincode. Those two words are separate by a space. Our only option is bruteforcing all 10000 combinations.

This is one line command but arranged in multiline for clarity.

pass=$(cat /etc/bandit_pass/bandit24)
for i in {0000..9999}; do {
   if 
      echo "$pass $i" | nc localhost 30002 | grep Wrong > /dev/null;
   then 
      echo $i;
   else 
      echo "$pass $i" | nc localhost 30002 && exit;
   fi 
}
done

Level 25

ssh [email protected]

pass:

Logging in to bandit26 from bandit25 should be easy. But when we try to login something strange happen. It’s because the shell is not /bin/bash. Let’s see what it is.

$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

It’s /usr/bin/showtext,  what’s the content?

$ cat /usr/bin/showtext
#!/bin/sh

more ~/text.txt
exit 0

more on text.txt. It turns out we can escape to ‘vim’ by pressing ‘v’. Once in vim, invoke this.

:r /etc/bandit_pass/bandit26

Level 26

ssh [email protected]

pass:

Not Available Yet.

Level 27

ssh [email protected]

pass:

Not Available Yet.

Level 28

ssh [email protected]

pass:

Not Available Yet.

Level 29

ssh [email protected]

pass:

Not Available Yet.

Initially I post the password in this article. When I move the article here from old site, I think I should remove it.

OverTheWire.org is one of good site offer WarGames. In this context, WarGame is a game specifically designed to help people learn and practice security concepts in the form of fun-filled game. One of wargame category provided by OverTheWire is Bandit category which is aimed at absolute beginners.

This writeup contains solutions of the OverTheWire challenges Bandit category which I solved. The solutions written here is for level 10 to level 19.

Jump Table

How to Play

Bandit, like other games, is organized in levels. We start playing at level 0 and try to “beat” or “finish” it. Finishing a level results in information on how to start the next level. Every level beaten will give clue how to start next level.

There are several things you can try when you are unsure how to continue:

  • First, if you know a command, but don’t know how to use it, try the manual (man page) by entering “man <command>” (without the quotes). e.g. if you know about the “ls” command, type: man ls. The “man” command also has a manual, try it. Press q to quit the man command.
  • Second, if there is no man page, the command might be a shell built-in. In that case use the “help <X>” command. E.g. help cd
  • Also, your favorite search-engine is your friend.
  • Lastly, if you are still stuck, you can join us on IRC

Level 10

ssh [email protected]

pass:

File data.txt is indeed a plaintext. However the password is encoded with base64 inside. Decoding is simple using base64 utility.

base64 -d data.txt

Level 11

ssh [email protected]

pass:

The password is written inside data.txt. This time is is encrypted by ROT13 (or Caesar Cipher). It means every character in the text has been rotated 13 letters. We can use tr utility to reverse it.

cat data.txt | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'

Level 12

ssh [email protected]

pass:

This problem is not hard, but tedious. The direction gives us information that the data has been compressed several way and we need to decompress it accordingly. However we cannot use home directory, thus we use /tmp dirctory to store temporary file.

mkdir /tmp/secretbase
cp ~/data.txt /tmp/secretbase/data.txt
cd /tmp/secretbase
xxd -r data.txt > data.bin
file data.bin
mv data.bin data.gz
gzip -d data.gz
file data
mv data data.bz2
bzip2 -d data.bz2
file data
mv data data.gz
gzip -d data.gz
file data
tar -xvf data
file data5.bin
tar -xvf data5.bin
bzip2 -d data6.bin
file data6.bin.out
tar -xvf data6.bin.out
file data8.bin
mv data8.bin.out
file data8.bin
mv data8.bin data8.gz
gzip -d data8.gz
file data8
cat data8

Level 13

ssh [email protected]

pass:

It is quite simple. When we login to account bandit13, we see a private SSH Key in the home directory. Supply SSH utility with it to login as bandit14. After that, we aim at /etc/bandit_pass directory and search for /etc/bandit_pass/bandit14 to know the password for bandit14 password. Here is how we do that:

ssh [email protected] -i sshkey.private
cat /etc/bandit_pass/bandit14

Level 14

ssh [email protected]

pass:

In this level our objective is to submit our current password to the server on port 30000. A simple command using netcat can be used here.

cat /etc/bandit_pass/bandit14 | nc localhost 30000

Level 15

ssh [email protected]

pass:

Similar to level14, we need to send our current password to port 30001. However, this time we need to use SSL.

cat /etc/bandit_pass/bandit15 | openssl s_client -quiet -connect localhost:30001

Another solution:

ncat --ssl localhost 30001
# (paste password for level15)

Level 16

ssh [email protected]

pass:

The direction gives us a range of ports, 31000-32000. Our target port is using SSL and will give us the next password if we supply with our current password. First we need to port scan it to detect which port is active. We also use nmap to scan service version if possible.

nmap -p31000-32000 localhost -sV

Here we have several open ports:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-13 23:03 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00100s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE VERSION
31046/tcp open  echo
31518/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31691/tcp open  echo
31790/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31960/tcp open  echo
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.31 seconds

However 31046, 31691, and 31960 is out, since those are echo or SSH server. The possible ones are 31518 and 31790, so we will just try both of them.

cat /etc/bandit_pass/bandit16 | openssl s_client -quiet -connect localhost:31518

Port 31518 doesn’t gives anything back so our hope is now 31790.

cat /etc/bandit_pass/bandit16 | openssl s_client -quiet -connect localhost:31790

We get a RSA private key, save the key as /tmp/bandit17.privkey then login to bandit17 and get the password.

chmod +x /tmp/bandit17.privkey
ssh [email protected] -i bandit17.privkey
cat /etc/bandit_pass/bandit17

Level 17

ssh [email protected]

pass:

We are given two files: password.old and password.new. The new password is the only line different between two, so we can use diff to find it.

diff password.new password.old

Level 18

ssh [email protected]

pass:

Someone has modified .bashrc to immediately log us out when we are trying to login. We can run commands as we login and then see the password stored in ~/readme.

ssh [email protected] -t 'cat readme'

Level 19

ssh [email protected]

pass:

In this level we are given setuid binary in the home directory. We don’t know yet what to do so we see the usage by run it without arguments. After learning how to run it, we can use it for our purpose.

./bandit20-do cat /etc/bandit_pass/bandit20

Initially I post the password in this article. When I move the article here from old site, I think I should remove it.

OverTheWire.org is one of good site offer WarGames. In this context, WarGame is a game specifically designed to help people learn and practice security concepts in the form of fun-filled game. One of wargame category provided by OverTheWire is Bandit category which is aimed at absolute beginners.

This writeup contains solutions of the OverTheWire challenges Bandit category which I solved. The solutions written here is for level 0 to level 9.

Jump Table

How to Play

Bandit, like other games, is organized in levels. We start playing at level 0 and try to “beat” or “finish” it. Finishing a level results in information on how to start the next level. Every level beaten will give clue how to start next level.

There are several things you can try when you are unsure how to continue:

  • First, if you know a command, but don’t know how to use it, try the manual (man page) by entering “man <command>” (without the quotes). e.g. if you know about the “ls” command, type: man ls. The “man” command also has a manual, try it. Press q to quit the man command.
  • Second, if there is no man page, the command might be a shell built-in. In that case use the “help <X>” command. E.g. help cd
  • Also, your favorite search-engine is your friend.
  • Lastly, if you are still stuck, you can join us on IRC

Level 0

ssh [email protected]

pass: bandit0

The simplest challenge. You only need to login to the system via SSH. Once you are in, get the password for next level by:

cat readme

Level 1

ssh [email protected]

pass:

Another simple challenge. Once you are login, you will notice a file on home directory named ‘-‘. Since the dash is a special character, we need special treatment.

cat ./-

Level 2

ssh [email protected]

pass:

Another simple challenge. Once you are login, you will notice a file on home directory named “spaces in this filename” (without quote). There are spaces in the filename, so we need extra treatment. There are two ways to solve this: write the filename in the quote, use escape character. Pick one.

cat "spaces in this filename"
cat spaces\ in\ this\ filename

Level 3

ssh [email protected]

pass:

There is a folder called inhere. It apperas blank at the first glance. However it’s not the case, there is a hidden file there.

cd inhere
ls -la
cat .hidden

Level 4

ssh [email protected]

pass:

Still, there is a directory called inhere. There we have few files inside. The direction said, password is the only human readable file, so with the file command we can see that the only ASCII text file is “-file07”

cd inhere
file ./*
cat "file07"

Level 5

ssh [email protected]

pass:

A folder with a bunch of folders inside, recursively. The direction told us the file containing password is 1033 bytes and we have to find a file with specific size.

cd inhere
find . -type f -size 1033c
cat ./maybehere07/.file2

Another solution:

cd inhere
ls -Rla . | awk '/:$/&&f{s=$0;f=0}
    /:$/&&!f{sub(/:$/,"");s=$0;f=1;next}
    NF&&f{ print s"/"$0 }' | grep 1033

Level 6

ssh [email protected]

pass:

Nothing on our home directory. The file is located somewhere on the server with the user bandit7 and the group bandit6. It also has 33 byets in size.

find / -type f -user bandit7 -group bandit6 -size 33c 2> /dev/null
cat /var/lib/dpkg/info/bandit7.password

Another solution:

ls -Rla / | awk '/:$/&&f{s=$0;f=0}
    /:$/&&!f{sub(/:$/,"");s=$0;f=1;next}
    NF&&f{ print s"/"$0 }' | grep '33|bandit5'

Level 7

ssh [email protected]

pass:

There is a file called data.txt in our home directory. It is a huge file we need to parse through. The password is located next to word millionth. We can simply use grep to solve this.

grep "millionth" data.txt

Level 8

ssh [email protected]

pass:

Password is found on the only unique line in the file data.txt. We can use sort and uniq to find it.

sort data.txt | uniq -u

Level 9

ssh [email protected]

pass:

Now it’s on binary file. We can’t easily grep through it. However we can use strings then grep through it. The direction said that the password is on one of the only lines beginning with an equal sign.

strings data.txt | grep =

Digital Forensics : Ann’s Aurora

December 11, 2015 | Labs, Writeups | No Comments

Ann’s Aurora is a digital forensic challenge created by SANS Digital Forensics & Incident Response (DIFT). This problem is released as a public challenge for communities. The problem can be considered as network forensic released as per 2011 with not so complicated difficulty. The challenge can be seen on this link.

This article will discuss about solution for Ann’s Aurora case.

All steps performed here has been tested on following environment:

  1. Windows 8.1 64-bit
  2. Linux Slackware 14.1 64-bit
  3. Sans Institute Forensics Toolkit (SIFT) Linux version 3.0

And tools used here is:

  1. Wireshark

Most of screenshot taken here are result of test performed on machine [1], however we have ensure that all steps are applicable to machine [2] and [3].

Incident Description

Ann Dercover want to steal secret recipe from SaucyCorp. She then tailing lead developer Vick Timmes and investigate how to access SaucyCorp server. Ann know Vick login with his laptop computer (IP 10.10.10.70) and do VPN connection to SaucyCorp.

Ann then use 0-day exploit for Internet Explorer and attack with Client-Side Spear Phising Attack to fool Vick Timmes browser.

List of Goals

Basically, this case has following foals:

  1. Know full URI of web request done by Vick Timmes.
  2. Know content of 1300-element wide array labeled as COMMENT which is response from Ann.
  3. Know second HTTP request done by Vick
    • Requested file name
    • MD5 hash value of requested file name
  4. Know time of TCP session establishment on port 4444
  5. Know time of TCP session closed on port 4444
  6. Know type and MD5 hash value of packet 17 from server.
  7. To Analyze Vick’s computer behavior when trying to establish connection to server on port 4445 after disconnected from port 4444.
    • How fast TCP Initial Sequence Number does changed.
    • How fast IP ID does changed.
    • How fast source port does changed.
  8. Know time of connection to port 4445 successfully established.
  9. Know MD5 hash value of data sent on port 4445 by server.
  10. Know time of TCP closed on port 4445.

These goals is summary of questions / goals proposed by the challenge, which can be seen on following link.

Evidences

The only evidence we have is a pcap formatted file “evidence06.pcap”. This file is records of all activities in network at incident time. The evidence can be downloaded freely on this link. To download it, you have to login to member area, which you can register there free.

Analysis

Preliminaries

File evidence06.pcap has MD5 hash: efac05c50c0ae92bf0818e98763920bd

Following screenshot prove it. This value should be similar to value written on challenge page.

uas_1

Know we want to know some general information about it.

  1. How many IP address involved?
  2. How many pair of (source,destination) port involved?

This means to grab raw estimation about scope of analysis.

For first goal, we use tshark which is command line version of wireshark. Our attention go to source and destination address recorded on this file.

Sender addresses can be extracted by:

tshark –r evidence06.pcap –T fields –e ip.src | sort | uniq

Which has following result:

uas_2

It should be clear that there are two unique address as sender address on this file:

  • 10.10.10.10
  • 10.10.10.70 (Vick Timmes)

We guess that 10.10.10.10 is Ann Dercover machine.

Destination addresses can be extracted by:

tshark –r evidence06.pcap –T fields –e ip.dst | sort | uniq

Which has following result:

uas_3

It is clear that the addresses which involved as destination address are:

  • 10.10.10.10 (probably Ann Dercover)
  • 10.10.10.70 (Vick Timmes)
  • 10.10.10.255

Address 10.10.10.10 and 10.10.10.70 exists on both side, we then make a hypothesis that both machine has direct communication each other. While address 10.10.10.255 only appear on destination side. We guess that this address is server of SaucyCorp server which is targeted by Ann Dercover.

Next we want to know pair of port used for data exchange. There are two type of transfer protocols: TCP and UDP.

tshark –r evidence06.pcap –T fields –e tcp.port | sort | uniq

Following is the result:

uas_4

And UDP port pairs:

tshark –r evidence06.pcap –T fields –e tcp.port | sort | uniq

With following result:

uas_5

Note that all pairs are not representing established connection. We know that one connection might use different pair on runtime which is quite common.

Attack Vector used by Ann is Microsoft Internet Explorer “Aurora” Memory Corruption. This exploit is indexed as MS10-002 pada bulletin Microsoft Security (https://technet.microsoft.com/library/security/ms10-002) or CVE-2010-0249 on Common Vulnerabilities and Exposures (http://www.cvedetails.com/cve/2010-0249).

Basically, this exploit attack browser Internet Explorer by the way Internet Explorer handle deleted objects. This exploit first create massive-size temporary garbage data. Next when the data is deleted, exploit will point to that memory location and attack can plan malware there. In this case, the payload used is Trojan Hydraq.

Goal I Solution (Full URI)

Seeing first packet we can get full URI as following:

uas_6

uas_1a

In other words, URI accessed by Vick is: http://10.10.10.10:8080/index.php

First packet is a part of HTTP request to get index page. Response to this request is packet indexed as packet 2 to packet 6 and also packet 8, which are subject to Goal 2.

Goal II Solution (Response String)

Second packet is an ACK message of first HTTP request, while the response text are given as packet 3 to packet 6 and also packet 8. Five of them are pieces of HTML file which is content of index page.

To get all of those fragments, we should track every packet involved. Right click on the first packet and use “Follow TCP Stream”. Make sure we use “Raw” option. The message is plaintext, so we can copy the content directly.

The content of that file can be seen on this link.

To ease analysis, we can do identifier substitution. Identifier substitution can be done without alter the script logic. The modification can be seen on this link.

In this part, we wan to know what the content of 1300 object array are. This can be done by source code analysis which refer to simplified and deobfuscated code.

The code will execute function “func2(event)” when the page is loaded for first time. Function func2() will then create a time which will execute func3 on next 50 milliseconds. This means, func3() will be executed, whatever it is. While func1() only executed once when executing func2(). Based on our knowledge that attack vector used is CVE-2010-0249, we know that func1() is responsible to generate massive-size temporary object which later be deleted.

About 1300 object created on array var2. Data on this array is a unicode-escaped string. The string is:

\u0c0f\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d
\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d

Or can be interpreted as following strings:

ఏ఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍

This massive object is used to flood the system and create perfect condition to execute the exploit, see further on (http://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis-aurora-0-day-exploit).

Goal III Solution (Second HTTP Request)

Second HTTP request is done to obtain http://10.10.10.70:8080/ index.phpmfKSxSANkeTeNrah.gif

It is a GIF file on iframe which is automatically downloaded by browser. Request to this file is pointed by packet 9. While the response itself is on packet 11.

The requested file is a GIF file which can be seen by the signature in header as following:

uas_8

Right click on “Compuserve GIF, Version: GIF89a” in packet content and choose “Export Selected Packet Bytes”. Save it as GIF.

Our MD5 value calculation give us df3e567d6f16d040326c7a0ea29a4f41.

uas_9

Goal IV Solution ( Opening TCP Session Port 4444 )

To know time of connection establishment, we need to build basic understanding:

  • Destination IP address is 10.10.10.10
  • Destination port is 4444

Thus, we can set rule on Wireshark as following:

ip.dst==10.10.10.10 && tcp.dstport==4444

Knowing TCP three-way handshake, we know that connection is established when TCP handshake finished. It is marked by ACK message from initiator (one who want to connect). In this case, 10.10.10.70 to 10.10.10.10.

Inspection will lead us to packet 13 and 15. Packet 13 is a SYN message to start TCP handshake and packet 15 is ACK acknowledge and finish TCP handshake. Beyond this point, TCP session has been established.

Packet 15 is on 1.3 seconds offset relative to first packet seen on this file. It means the connection is opened on 1.3.

Goal V Solution ( Closing TCP Session Port 4444 )

To know time of connection closed, we need to build basic understanding:

  • Destination IP address is 10.10.10.10
  • Destination port is 4444

Thus, we can set rule on Wireshark as following:

(ip.dst==10.10.10.10 && tcp.dstport==4444) || (ip.dst==10.10.10.70 && tcp.srcport==4444)

Knowing TCP four-way handshake to close connection, we got idea about how TCP connection closed. It is marked by ACK from initiatior. However, we cannot point yet who become initiator, whether 10.10.10.10 or 10.10.10.70 both have possibilities. Therefore we need to look it on two conditions.

Inspection will lead us to pair packet 1563, 1565 and 1562,1564. Packet 1562 and packet 1563 are packet [FIN,ACK] where packet 1562 is sent first from 10.10.10.10 to 10.10.10.70.Therefore we can conclude that the server has initiative to end the connection after it finish transmitting. ACK packet is sent by 10.10.10.10 on packet 1564 to state end of connection.

Packet 1564 is on 87.6 second, which means the connection ended on 87.6

Goal VI Solution( Sent File Type )

Inspected packet is packet 17. We need to check header of the payload and search for some signatures.

uas_7

Here, we see that MZ is a signature for PE32 executable file. We then have confidence after see string “This program cannot be run in DOS mode” which is backward compatibility offered by Microsoft to ensure program is still recognized by older Windows but not for running purpose.

Therefore, the file sent is a Windows executable or PE32.

To do extraction, we need to collect fragments by using “Follow TCP Stream” on packet 17. Click “Save As” to store it, let say as “suspect1.exe”

MD5 checksum can be computed by following: b385b7cf73ba0e75b20e4fdb310717c2

uas_10

Goal VII Solution ( Vick’s Computer Behavior )

For this goal, we need to use following understanding

  • Destination IP address is 10.10.10.10
  • Destination port is 4445

Thus, we can set rule on Wireshark as following:

(ip.dst==10.10.10.10 && tcp.dstport==4445) || (ip.dst==10.10.10.70 && tcp.srcport==4445)

By previous goal (goal VI), we know that connection to port 4444 is closed on packet 1564, 87.6 second. Therefore we focus our attention to packet after 1564, which are 1566 and 1656 (when 10.10.10.10 send RST notification and 10.10.10.70 send SYN back).

1. Initial Sequence Number

Initial Sequence Number is a unique 32-bit embedded to any new connection on TCP-based connection. ISN value expected to be random. Sequence number is the 4th octet on TCP header.

On packet 1566, ISN is 26. Here is the table of first 5 ISN number:

Initial Sequence Number # Packet Entry
26 1557 (6 entries)
27 1568 (6 entries)
28 1574 (6 entries)
29 1580 (6 entries)
30 1586 (6 entries)

 

In this pattern we get conclusion that ISN changing is done for every three packets. This is based on knowledge that the entries are actually pair of request-response.

2. IP ID

IP ID or Internet Protocol Identification is 16-bit number used to identify fragment groups from IP datagram. IP ID is the 4th octet of IP header.

On packet 1566, IP ID is 553. Here is table of first 10 IP ID seen:

IP Identification # Packet Entry
553 1566 ( 2 entries)
554 1568 ( 2 entries)
555 1570 ( 2 entries)
556 1572 ( 2 entries)
557 1574 ( 2 entries)
558 1576 ( 2 entries)
559 1578 ( 2 entries)
560 1580 ( 2 entries)
561 1582 ( 2 entries)
562 1584 ( 2 entries)

 

By this pattern, we can conclude that IP ID is changing for every packet sent. This is based on knowledge that the entries are actually pair of request-response.

Note: IP header in this file is referred to IPv4 header.

3. Source Port

Source Port is 16-bit number used identify port for sending packet. This number is the 0-th octet on TCP header.

Packet 1566 has Source Port 1041. Here we present table of 4 first Source Port seen:

Source Port # Packet Entry
1041 1533 (35 entries, 12 seconds)
1042 1568 (30 entries, 12 seconds)
1043 1598 (30 entries, 11 seconds)
1044 1628 (30 entries, ~ seconds)

 

In this pattern, we can conclude that Source Port is changing in interval between 10 and 15 seconds from previous port usage.

Goal VIII Solution ( Opening TCP Session Port 4445)

For this goal, we need to use following understanding

  • Destination IP address is 10.10.10.10
  • Destination port is 4445

Thus, we can set rule on Wireshark as following:

(ip.dst==10.10.10.10 && tcp.dstport==4445) || (ip.dst==10.10.10.70 && tcp.srcport==4445)

From goal VII we get that connection establishment are tried until packet 1656 [SYN]. In packet 1657 we see that 10.10.10.10:445 gives response [SYN,ACK] signaling that TCP three-way handshake is on the way.

TCP three-way handshake for port 4445 is finished on packet 1657 when 10.10.10.70 send packet ACK so connection is established on packet 1657.

Packet 1567 happen on 123.7 which means the connection is open on 123.7.

Goal IX Solution ( MD5 Hash of Executable File )

Ann (10.10.10.10) has initiative to send executable file to Vick (10.10.10.70), seen from packet 1659 which is [PSH,ACK] message. The message itself is sent from packet 1660. Using “Follow TCP Stream” on packet 1660, we can see whole data exchange. However the data itself is defected with following message: “[1436350345 bytes missing in capture file]”

Save the PE32 data as suspect2.exe and click “Save As”. Open up suspect2.exe using editor capable of viewing hex number (however hexeditor is recommended). Delete the first 42 bytes so we have MZ signature.

MD5 calculation gives us efbf686f09de864bd0058dab650ac34a as result of checksum.

uas_11

Goal X Solution (Closing TCP Session Port 4445)

For this goal, we need to use following understanding

  • Destination IP address is 10.10.10.10
  • Destination port is 4445

Thus, we can set rule on Wireshark as following:

(ip.dst==10.10.10.10 && tcp.dstport==4445) || (ip.dst==10.10.10.70 && tcp.srcport==4445)

Knowing TCP four-way handshake, we know that connection closed when TCP handshake is over. It is marked by ACK from initiator. However, we don’t know for sure yet who the initiator is.

Inspection lead us to pair packet 2552, 2554 and 2551,2553. Packet 2552 and packet 2553 are packet [FIN,ACK] where packet 2552 is sent first from 10.10.10.70 to 10.10.10.10. Therefore we can get conclusion that client has initiative to end the connection after server finish sending the data. Packet ACK is sent by 10.10.10.70 on entry 2554, present us to fact that connection is ended.

Packet 2554 happen on 198.4 which means the connection is closed roughly at 198.4 seconds relative to first of packet.

Conclusion

Ann Dercover has done break-in activity and has been proved planting malware to Vick Timmes.

To know what data stolen are, further investigation is needed.


Satria Ady Pradana
I3510030
School of Electrical Engineering & Informatics
Institut Teknologi Bandung

In this article we will about how to build GCC ARM Toolchain, which is a cross compiler to build ARM program. The built GCC can be used to compile application into ARM’s machine codes. The toolchain then reside on /usr/local path.

For this article, I use:

  1. Slackware64 14.0
  2. GCC 4.9.2
  3. GDB 7.8.1
  4. Binutils 2.24
  5. Newlib 2.1
  6. GMP 6.0.0
  7. MPFR 3.1.2
  8. MPC 1.0.2

Deciding the Target

In ARM, there is a naming convention which explain what toolchain will do. The target alias, or target, is the target of the toolchain. It’s more than just an architecture. The tools on this toolchain will have some profix, such as: arm-none-eabi-gcc, arm-linux-eabi-gcc, etc.

This distinguish one toolchain from native host compiler and have different purpose for each name.

Basically, “arm-none-eabi” is consist of three part:

  1. architecture / processor name. Which is ARM architecture (ARM, Thumb, Thumb-2, etc)
  2. something about OS/libraries. This part is varies. Some have none and other has linux, etc. The ‘none’ means that the toolchains are not targetting specific operating system (aka ‘bare-metal’). ‘unknown’ is the same as ‘none’ while ‘linux’ designed to be used to build programs with glibc under a Linux environment, usually for built for embedded linux ARM devices.
  3. ABIs. This part describes how binary files (libraries, etc) are stored (the actual file formats), and calling conventions, register usage, etc. Some common are gnuabi, eabi, etc.

In this article, we will build arm-none-eabi to make bare metal arm compiler.

Preparation

We will need some disk space (~2GB should be enough). We also need root access to install it on “system-wide”.

Slackware64 14.0 is optional. You can use any linux distribution you like.

We will create a working directory. We will refer it as $ARMGCC, so $ARMGCC/src should really be something like ~/ARMGCC/src (the ~ means your home directory). So go ahead and create following directory structure:

# set aliases
export ARMGCC=~/ARMGCC
export TARGET=arm-none-eabi
export PREFIX=/usr/local

export BINUTILS_BUILD=${ARMGCC}/build/binutils-build
export GCC_BUILD=${ARMGCC}/build/gcc-build
export GDB_BUILD=${ARMGCC}/build/gdb-build

export BINUTILS_SRC=${ARMGCC}/src/binutils-2.24
export GCC_SRC=${ARMGCC}/src/gcc-4.9.2
export GDB_SRC=${ARMGCC}/src/gdb-7.8.1
export NEWLIB_SRC=${ARMGCC}/src/newlib-2.1.0

# make base dir, original archives dir (orig), source code dir (src), 
# and working / building dir (build) 
mkdir ${ARMGCC}{,/{orig,src,build}}

# Make build directory for each component
mkdir ${ARMGCC}/build/{binutils,gcc,gdb}-build

Acquiring the Materials

Download latest packages of GCC, GDB, binutils, and Newlib.You can download it using wget or alternatively download via browser and move it to $ARMGCC/orig. The version we will use is GCC 4.9.0, GDB 7.7, binutils 2.24, and newlib 2.1.0.

cd ${ARMGCC}/orig
wget ftp://ftp.gnu.org/pub/gnu/gcc/gcc-4.9.2/gcc-4.9.2.tar.bz2
wget ftp://ftp.gnu.org/pub/gnu/gdb/gdb-7.8.1.tar.xz
wget ftp://ftp.gnu.org/gnu/binutils/binutils-2.24.tar.bz2
wget ftp://sources.redhat.com/pub/newlib/newlib-2.1.0.tar.gz

wget ftp://ftp.gnu.org/pub/gnu/gmp/gmp-6.0.0a.tar.xz
wget ftp://ftp.gnu.org/pub/gnu/mpc/mpc-1.0.2.tar.gz
wget ftp://ftp.gnu.org/pub/gnu/mpfr/mpfr-3.1.2.tar.gz

Then, extract them to src directory.

cd ${ARMGCC}/src

tar -jxf ${ARMGCC}/orig/gcc-4.9.2.tar.bz2
tar -Jxf ${ARMGCC}/orig/gdb-7.8.1.tar.xz
tar -jxf ${ARMGCC}/orig/binutils-2.24.tar.bz2
tar -zxf ${ARMGCC}/orig/newlib-2.1.0.tar.gz

Next we need to download some prerequisites, especially GMP (GNU Multiple Precision), MPC (Multiple-Precision Complex), and MPFR (Multiple-Precision Floating Point Reliably) which is used for computation. The prerequisites can be downloaded by invoking following command:

The MPFR, GMP, and MPC is not the latest version, but at least we can build GCC. Suppose your working directory at /home/xathrya/ARMGCC, to obtain MPDR, GMP, and MPC invoke following command:

cd ${GCC_SRC}
./contrib/download_prerequisites

However, the version of GMP, MPC, MPFR, PPL, CLOOG, and ISL is not the latest version. We can switch to the latest version by download the latest version and create symbolic link to it.

cd ${GCC_SRC}

rm {gmp,mpc,mpfr}

tar -Jxf ${ARMGCC}/orig/gmp-6.0.0a.tar.xz
tar -zxf ${ARMGCC}/orig/mpc-1.0.2.tar.gz
tar -zxf ${ARMGCC}/orig/mpfr-3.1.2.tar.gz

ln -s gmp-6.0.0 gmp
ln -s mpc-1.0.2 mpc
ln -s mpfr-3.1.2 mpfr

Building the Toolchains

Building stage is pretty simple. Honestly speaking, the tricky part is about how GCC and built concept and ordering them in correct order.

Binutils

First, built binutils. This will provide lots of useful tools in building ARM libraries and binaries (like objdump, ld, ranlib, etc). Invoke following commands:

cd ${BINUTILS_BUILD}
${BINUTILS_SRC}/configure \
   --target=${TARGET} \
   --prefix=${PREFIX} \
   --enable-interwork \
   --enable-multilib \
   --with-gnu-as \
   --with-gnu-ld \
   --disable-werror \
   --disable-nls
make configure-host
make -j4 all
make install
make clean

You will notice a few configure options that are really critical for getting things to work properly.

  • –target=arm-none-eabi Says we want a compiler to generate binaries for the arm-none-eabi platform.
  • –enable-interwork This allows for assembling Thumb and ARM code mixed into the same binaries (for those chips that support that)
  • –enable-multilib Multilib allows the use of libraries that are compiled multiple times for different targets/build types
  • –enable-shared – enable the creation of the shared libraries.

GCC

Next we will build the GCC. But please note that we are only intereset on C and C++ so we will ignore other language. To built GCC, do this:

cd ${GCC_BUILD}
${GCC_SRC}/configure \
   --target=${TARGET} \
   --prefix=${PREFIX} \
   --enable-interwork \
   --enable-multilib \
   --enable-languages="c,c++" \
   --with-newlib \
   --without-headers \
   --disable-shared \
   --with-system-zlib \
   --with-gnu-as \
   --with-gnu-ld \
   --disable-nls \
   --enable-c99 \
   --enable-long-long \
   --enable-__cxa_atexit
make -j4 all-gcc install-gcc
make clean

Now, the important points are:

  • –enable-languages=”c,c++” – means build C and C++ only.
  • –with-newlib – use Newlib instead of the standard C libraries.
  • –with-headers – this adds a header inlude path during build time and will allow the build to find the newlib header files
  • –enable-__cxa_atexit – allows use of __cxa_atexit, rather than atexit, to register C++ destructors for local statics and global objects and is essential for fully standards-compliant handling of destructors. It also affects the C++ ABI and therefore results in C++ shared libraries and C++ programs that are interoperable with other Linux distributions.
  • –enable-c99 – enable C99 support for C programs.
  • –enable-long-long – enables long long support in the compiler.

Newlib

Now build our newlib

cd ${NEWLIB_BUILD}
${NEWLIB_SRC}/configure \
  --target=${TARGET} \
  --prefix=${PREFIX} \
  --enable-interwork \
  --enable-multilib \
  --with-gnu-as \
  --with-gnu-ld \
  --disable-nls \
  --enable-target-optspace \
  --enable-newlib-reent-small \
  --enable-newlib-io-c99-formats \
  --enable-newlib-io-long-long \
  --disable-newlib-multithread \
  --disable-newlib-supplied-syscalls \
  CFLAGS_FOR_TARGET="
make -j4 all
make install
make clean

GCC (again)

Now that we have our runtime libraries, go back and ginish the GCC build:

cd ${GCC_BUILD}
make all-install

GDB

Optionally you can build GDB. To do so, invoke following:

cd ${GDB_BUILD}
${GDB_SRC}/configure \
   --target=${TARGET} \
   --prefix=${PREFIX} \
   --enable-interwork \
   --enable-multilib
make -j4 all 
make install

And that’s it. You should have them now.

Testing

The toolchain can be tested with the minimal code here:

int main()
{
   return 0;
}

void exit(int code)
{
   while(1);
}

Building GCC AVR Toolchain Cross Compiler

December 11, 2015 | Article, Labs | No Comments

In this article we will about how to build GCC AVR Toolchain, which is a cross compiler to build AVR program. The built GCC can be used to compile application into AVR’s machine codes. The toolchain then reside on /usr/local path.

For this article, I use:

  1. Slackware64 14.0
  2. GCC 4.9.0
  3. GDB 7.7
  4. Binutils 2.24
  5. AVR-libc 1.8
  6. GMP 6.0.0
  7. MPFR 3.1.2
  8. MPC 1.0.2

Preparation

We will need some disk space (~2GB should be enough). We also need root access to install it on “system-wide”.

Slackware64 14.0 is optional. You can use any linux distribution you like.

We will create a working directory. We will refer it as $AVRGCC, so $AVRGCC/src should really be something like ~/AVRGCC/src (the ~ means your home directory). So go ahead and create following directory structure:

# set aliases
export AVRGCC=~/AVRGCC
export TARGET=avr
export PREFIX=/usr/local

export BINUTILS_BUILD=${AVRGCC}/build/binutils-build
export GCC_BUILD=${AVRGCC}/build/gcc-build
export GDB_BUILD=${AVRGCC}/build/gdb-build

export BINUTILS_SRC=${AVRGCC}/src/binutils-2.24
export GCC_SRC=${AVRGCC}/src/gcc-4.9.0
export GDB_SRC=${AVRGCC}/src/gdb-7.7
export AVRLIBC_SRC=${AVRGCC}/src/avr-libc-1.8.0

# make base dir, original archives dir (orig), source code dir (src), 
# and working / building dir (build) 
mkdir ${AVRGCC}{,/{orig,src,build}}

# Make build directory for each component
mkdir ${AVRGCC}/build/{binutils,gcc,gdb}-build

Acquiring the Materials

Download latest packages of GCC, GDB, binutils, and Newlib.You can download it using wget or alternatively download via browser and move it to $AVRGCC/orig. The version we will use is GCC 4.9.0, GDB 7.7, binutils 2.24, and newlib 2.1.0.

cd ${AVRGCC}/orig
wget ftp://ftp.gnu.org/pub/gnu/gcc/gcc-4.9.0/gcc-4.9.0.tar.bz2
wget ftp://ftp.gnu.org/pub/gnu/gdb/gdb-7.7.tar.bz2
wget ftp://ftp.gnu.org/gnu/binutils/binutils-2.24.tar.bz2
wget ftp://ftp.twaren.net/Unix/NonGNU//avr-libc/avr-libc-1.8.0.tar.bz2

wget ftp://ftp.gnu.org/pub/gnu/gmp/gmp-6.0.0a.tar.xz
wget ftp://ftp.gnu.org/pub/gnu/mpc/mpc-1.0.2.tar.gz
wget ftp://ftp.gnu.org/pub/gnu/mpfr/mpfr-3.1.2.tar.gz

Then, extract them to src directory.

cd ${AVRGCC}/src

tar -jxf ${AVRGCC}/orig/gcc-4.9.0.tar.bz2
tar -jxf ${AVRGCC}/orig/gdb-7.7.tar.bz2
tar -jxf ${AVRGCC}/orig/binutils-2.24.tar.bz2
tar -jxf ${AVRGCC}/orig/avr-libc-1.8.0.tar.bz2

Next we need to download some prerequisites, especially GMP (GNU Multiple Precision), MPC (Multiple-Precision Complex), and MPFR (Multiple-Precision Floating Point Reliably) which is used for computation. The prerequisites can be downloaded by invoking following command:

The MPFR, GMP, and MPC is not the latest version, but at least we can build GCC. Suppose your working directory at /home/xathrya/AVRGCC, to obtain MPDR, GMP, and MPC invoke following command:

cd ${GCC_SRC}
./contrib/download_prerequisites

However, the version of GMP, MPC, MPFR are not the latest version. We can switch to the latest version by link it to our downloaded one.

cd ${GCC_SRC}

rm {gmp,mpc,mpfr}

tar -Jxf ${AVRGCC}/orig/gmp-6.0.0a.tar.xz
tar -zxf ${AVRGCC}/orig/mpc-1.0.2.tar.gz
tar -zxf ${AVRGCC}/orig/mpfr-3.1.2.tar.gz

ln -s gmp-6.0.0 gmp
ln -s mpc-1.0.2 mpc
ln -s mpfr-3.1.2 mpfr

Building the Toolchains

Building stage is pretty simple. Honestly speaking, the tricky part is about how GCC and built concept and ordering them in correct order.

Binutils

First, built binutils. This will provide lots of useful tools in building ARM libraries and binaries (like objdump, ld, ranlib, etc). Invoke following commands:

cd ${BINUTILS_BUILD}
${BINUTILS_SRC}/configure --target=${TARGET} --prefix=${PREFIX} \
    --enable-interwork --enable-multilib --enable-shared 
make configure-host
make -j4 all
make install

You will notice a few configure options that are really critical for getting things to work properly.

  • –target=avr Says we want a compiler to generate binaries for the avr platform.
  • –enable-multilib Multilib allows the use of libraries that are compiled multiple times for different targets/build types
  • –enable-shared – enable the creation of the shared libraries.

GCC

Next we will build the GCC. But please note that we are only intereset on C and C++ so we will ignore other language. To built GCC, do this:

cd ${GCC_BUILD}
${GCC_SRC}/configure --target=${TARGET} --prefix=${PREFIX} --enable-interwork \
   --enable-multilib --enable-languages="c,c++" --with-dwarf2 --disable-libssp \
   --enable-c99 --enable-long-long --enable-__cxa_atexit --enable-shared
make -j4 all-gcc 
make -j4 all-target-libgcc

make install-gcc install-target-libgcc

Now, the important points are:

  • –enable-languages=”c,c++” – means build C and C++ only.
  • –with-headers – this adds a header inlude path during build time and will allow the build to find the newlib header files
  • –enable-__cxa_atexit – allows use of __cxa_atexit, rather than atexit, to register C++ destructors for local statics and global objects and is essential for fully standards-compliant handling of destructors. It also affects the C++ ABI and therefore results in C++ shared libraries and C++ programs that are interoperable with other Linux distributions.
  • –enable-c99 – enable C99 support for C programs.
  • –enable-long-long – enables long long support in the compiler.

avr-libc

Now build our avr-libc

cd ${AVRLIBC_SRC}
./configure --host=avr --build=`./config.guess` --prefix=${PREFIX}
make
make install

GDB

Optionally you can build GDB. To do so, invoke following:

cd ${GDB_BUILD}
${GDB_SRC}/configure --target=${TARGET} --prefix=${PREFIX} \
  --enable-interwork --enable-multilib
make -j4 all 
make install

And that’s it. You should have them now.

Testing

The toolchain can be tested with the minimal code here:

int main()
{
   return 0;
}

If you want to start tinkering Arduino, you may look at following list. This list is the parts you might need to follow my tutorials. You are not obligate to gather all because I always specify what materials you need in every article. However, you can see following as a reference.

Arduino board

Normally I would use my Arduino Uno R3, unless told otherwise. You can use any Arduino board you think suitable for both your budget or your specidication.

Component

Buy one item of component isn’t too useful. A better idea is to buy a pack of that component, if possible.

  • Resistors:
    1. 100 ohm x 3
    2. 220 ohm x3
    3. 330 ohm x 3
    4. 10k ohm x 3
    5. 1k ohm x 3
  • Light Emitting Diode (LED): Choose 5mm LED any color. We use three LEDs at minimum.
  • Trimpot
  • Photocell
  • Pushbuttons x 2
  • Some wires, preferably breadboard jumper wires.
  • infrared LED
  • pin 0.1″ standard header x 6
  • Piezo speaker or buzzer

Some sensors we need:

  • Parallax PING))) sensor
  • TMP36 temperature sensor (or LM35 for alternative)
  • ADXL335 accelerometer breakout board
  • PNA4602 infrared sensor
  • Tilt sensor

and actuator:

  • Servo 5V, for example: Hitec HS-322HD or Vigor Hextronic

Tools

  • Standard A-B USB cable. This cable is used for connecting Arduino to computer
  • Breadboard. You can use either 400 pin or 170 pin breadboard.

Additional Gadgets

Of course this is optional.

  • Nintendo Nunchuk controller

Social media & sharing icons powered by UltimatelySocial