Draft of UMassCTF pwn/factory-monitor by egkushelevsky · Pull Request #93 · CUCTF/ctf-writeups

egkushelevsky · 2026-05-01T05:38:39Z

No description provided.

mmstoic

Great work! Review the comments and you're good to go!

mmstoic · 2026-05-01T16:49:47Z

+
+After creating a machine, we can start running it with the `start()` function. This function forks a child process for the machine, fills in the machine‘s PID and changes its state to `STATE_RUNNING`, and sets up bidirectional communication with parent process using the pipes. Once setup is complete, the machine calls its `main_func`, which by default is the `machine_main_demo()` function reproduced below.
+
+```


Can you briefly explain what the code is doing too?

mmstoic · 2026-05-01T16:50:22Z

+}
+```
+
+There are two key insights from this function.


mmstoic · 2026-05-01T16:51:59Z

+## Exploit
+The buffer passed to `read_line_fd()` from the machine is stack allocated in `machine_main_demo()`, so we can deterministically write past it to reach the return address saved on the stack and overwrite whither we return.
+
+Since our ultimate goal is to get the flag from the `flag.txt` file, we must find a sequence of commands to open the file, read its contents, and print the flag. We can see from the symbol table that the `open()` function is imported at offset `0x38a40` from the start of the executable, and we have the option of `read()` or `read_line_fd()` to read the flag.


Maybe drop an image of the symbol table?

mmstoic · 2026-05-01T16:53:00Z

+
+Since our ultimate goal is to get the flag from the `flag.txt` file, we must find a sequence of commands to open the file, read its contents, and print the flag. We can see from the symbol table that the `open()` function is imported at offset `0x38a40` from the start of the executable, and we have the option of `read()` or `read_line_fd()` to read the flag.
+
+Because the program’s stack is not executable (seen through `readelf -l`), we cannot directly execute shellcode to run these functions. Instead, we can use existing instruction sequences from the programmer’s `.text` section, which is executable, to build an ROP chain and execute our own commands. The binary has sequences to pop a value into `rdi` at `0xc028` (`5f 5d c3`) and into `rsi` at `0x15bc7` (`5e 5d c3`). However, there is no gadget which would give us `rdx` (`5a 5d c3`), so we have to use the two-argument `read_line_fd()` rather than the three-argument `read()`. We will also use a `ret` instruction from `0xa382` to align the stack before calling our functions.


Explain briefly how read_line_fd is used to give us rdx?

mmstoic · 2026-05-01T16:56:23Z

+This script, `exploit.py`, gets the flag:
+```
+UMASS{AsLR_L3Ak}
+```


Great writeup! Only thing I would add is that maybe a diagram or some visual of the ROP chain would be helpful!

Draft of UMassCTF pwn/factory-monitor

0a1b302

mmstoic suggested changes May 1, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Draft of UMassCTF pwn/factory-monitor#93

Draft of UMassCTF pwn/factory-monitor#93
egkushelevsky wants to merge 1 commit intoCUCTF:mainfrom
egkushelevsky:factory_monitor

egkushelevsky commented May 1, 2026

Uh oh!

mmstoic left a comment

Uh oh!

mmstoic May 1, 2026

Uh oh!

mmstoic May 1, 2026

Uh oh!

mmstoic May 1, 2026

Uh oh!

mmstoic May 1, 2026

Uh oh!

mmstoic May 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants


		After creating a machine, we can start running it with the `start()` function. This function forks a child process for the machine, fills in the machine‘s PID and changes its state to `STATE_RUNNING`, and sets up bidirectional communication with parent process using the pipes. Once setup is complete, the machine calls its `main_func`, which by default is the `machine_main_demo()` function reproduced below.

		```


		Since our ultimate goal is to get the flag from the `flag.txt` file, we must find a sequence of commands to open the file, read its contents, and print the flag. We can see from the symbol table that the `open()` function is imported at offset `0x38a40` from the start of the executable, and we have the option of `read()` or `read_line_fd()` to read the flag.

		Because the program’s stack is not executable (seen through `readelf -l`), we cannot directly execute shellcode to run these functions. Instead, we can use existing instruction sequences from the programmer’s `.text` section, which is executable, to build an ROP chain and execute our own commands. The binary has sequences to pop a value into `rdi` at `0xc028` (`5f 5d c3`) and into `rsi` at `0x15bc7` (`5e 5d c3`). However, there is no gadget which would give us `rdx` (`5a 5d c3`), so we have to use the two-argument `read_line_fd()` rather than the three-argument `read()`. We will also use a `ret` instruction from `0xa382` to align the stack before calling our functions.

Conversation

egkushelevsky commented May 1, 2026

Uh oh!

mmstoic left a comment

Choose a reason for hiding this comment

Uh oh!

mmstoic May 1, 2026

Choose a reason for hiding this comment

Uh oh!

mmstoic May 1, 2026

Choose a reason for hiding this comment

Uh oh!

mmstoic May 1, 2026

Choose a reason for hiding this comment

Uh oh!

mmstoic May 1, 2026

Choose a reason for hiding this comment

Uh oh!

mmstoic May 1, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants