- /home/vulnhub/flag.txt is fake, so the previous trick won't work.
- Has ASLR + NX + SSP.
- Uses fork(); the child process inherits the parent's stack canary and memory. Brute force the stack canary!
- Leak a function address from the GOT by returning to write@plt and calculate the libc base address. This lets us find the address of any function in libc. ASLR defeated!
- Return to mprotect(), make a memory region RWX, store shellcode there. NX defeated!
- Return to shellcode and profit!
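Why the inherited canary matters for defenders, as an added example that is not part of the original slides: on Linux, glibc derives the stack canary from the 16 AT_RANDOM bytes the kernel generates at execve(), so a fork()ed child keeps the parent's seed while a fork()+exec child gets a fresh one. The function names and the `--seed` flag are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>
#include <sys/wait.h>

#define SEED_LEN 16 /* bytes the kernel places at AT_RANDOM on each execve() */

/* Copy this process's AT_RANDOM bytes; glibc derives the stack canary from them. */
static void read_seed(unsigned char out[SEED_LEN]) {
    memcpy(out, (const void *)getauxval(AT_RANDOM), SEED_LEN);
}

/* Compare the parent's seed with a child's. self == NULL: plain fork(), as on the
 * slide. Otherwise fork() then exec `self` with the hypothetical "--seed" flag.
 * Returns 1 if the seeds match, 0 if they differ, -1 on error. */
int child_shares_seed(const char *self) {
    unsigned char mine[SEED_LEN], theirs[SEED_LEN];
    int fds[2];
    read_seed(mine);
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: report seed over the pipe */
        close(fds[0]);
        if (self) {
            dup2(fds[1], STDOUT_FILENO);
            execl(self, self, "--seed", (char *)NULL);
            _exit(127);                   /* exec failed */
        }
        read_seed(theirs);
        _exit(write(fds[1], theirs, SEED_LEN) == SEED_LEN ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], theirs, SEED_LEN);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == SEED_LEN ? memcmp(mine, theirs, SEED_LEN) == 0 : -1;
}

int main(int argc, char **argv) {
    unsigned char s[SEED_LEN];
    if (argc > 1 && strcmp(argv[1], "--seed") == 0) {   /* re-exec'd child */
        read_seed(s);
        return write(STDOUT_FILENO, s, SEED_LEN) == SEED_LEN ? 0 : 1;
    }
    printf("fork only:   same seed = %d\n", child_shares_seed(NULL));
    printf("fork + exec: same seed = %d\n", child_shares_seed("/proc/self/exe"));
    return 0;
}
```

A forking server that re-executes itself for each connection therefore gives every worker its own canary and address-space layout, at the cost of exec overhead per connection.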