CloudFormation: Ubuntu Server Instance with NSA’s Ghidra and RDP Access

Trust no one… not even yourself….

So I’ve been curious about the NSA’s reverse engineering tool, Ghidra, since its release. If you’re like me, you’re probably skeptical about having a tool developed by the NSA sitting on your personal computer, even though the source code is on GitHub. So why not deploy it on an Ubuntu instance and remote into that host via RDP? Or I may just be continuing to practice more CloudFormation/Terraform… who knows.

Just a heads up, I’m pretty new to reverse engineering.

I recommend at least a t2.medium or t3.medium, since the documentation says the following:

  • 4 GB RAM
  • 1 GB storage (for installed Ghidra binaries)

Please keep in mind this is not free ($0.0418/hr for t3.medium).

Template here.

NOTE: The template only contains AMI mappings for the N. Virginia and Oregon regions. If you plan on launching outside these regions, the template will need to be updated.

It’ll take about 10 minutes for all the updates to complete, but once they finish you should be able to log in to this instance over Remote Desktop (RDP) with the password you specified in the Password parameter. The template opens port 3389 (RDP) and SSH to the IP address you enter in the IP parameter.
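As an added illustration (not the author's template, which is only linked above), here is one way the pieces just described can be expressed in CloudFormation: a masked password parameter, a single-address ingress rule for RDP and SSH, and the two-region AMI mapping. All parameter and resource names, the /32 pattern, the minimum password length and the AMI placeholders are assumptions.

```yaml
# Added example: names below are hypothetical, not taken from the post's template.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AllowedIp:                      # stands in for the post's IP parameter
    Type: String
    Description: Single IPv4 address allowed to reach RDP and SSH, as a /32
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/32$'   # rejects 0.0.0.0/0 and wide ranges
    ConstraintDescription: Must be one address in CIDR form, e.g. 203.0.113.10/32
  RdpPassword:                    # stands in for the post's Password parameter
    Type: String
    NoEcho: true                  # masked in console, CLI and API stack output
    MinLength: 12                 # assumed minimum, adjust to taste
Mappings:
  RegionMap:                      # the post covers N. Virginia and Oregon only
    us-east-1:
      Ami: ami-REPLACE_ME         # placeholder: Ubuntu AMI ID for this region
    us-west-2:
      Ami: ami-REPLACE_ME         # placeholder: Ubuntu AMI ID for this region
Resources:
  GhidraSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDP and SSH from one address only
      SecurityGroupIngress:
        - IpProtocol: tcp         # RDP
          FromPort: 3389
          ToPort: 3389
          CidrIp: !Ref AllowedIp
        - IpProtocol: tcp         # SSH
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AllowedIp
  GhidraHost:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.medium
      # Fails at stack creation if launched in a region missing from RegionMap.
      ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", Ami]
      SecurityGroupIds:
        - !GetAtt GhidraSg.GroupId
      # How RdpPassword is applied to the ubuntu user is omitted; the post does not show it.
```

NoEcho only masks the parameter itself: if the value is copied into UserData, Metadata or Outputs it is readable there, so change the password after first login.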

There will be some default configuration upon login. After that, open a terminal and run the following command:

/home/ubuntu/Downloads/ghidra_9.0.2/./ghidraRun

There is an ELF named rev50_linux64-bit in the Downloads folder that you can import once the program has launched and you’ve created a new project.


And this is where I leave you. Happy hacking.