nice one

where is the .c file + aslar is enabled

Could someone please provide a hint for a solution that is not based on return-to-libc? I managed to solve the previous two BoFs.

omfg...i finally got it to work! no ret2libc...this has taken me months of running down rabbit holes with ROP and return to libc. props on this one dude 5/5!

is NX Turned on ? BeCause i know Damn well i Solved it but it's not Re2myShell

yes nx is turned on. if you have install pwntools it comes with checksec binary which will show you what the elf file is and if it had any protections turned on

well i started this like 5 days ago with no idea what ROP was and barely any understanding of how stacks or assembly or elf worked, and ended up solving it without libc and learning a ridiculous amount of great stuff. thanks!

nice chall

Any hint on how can I execute shellcode :(( The pointer address is constantly changing

This supposed be easy, i mean hard :3. Wasting about 1 hours. But worth

congrats to the first blood tho :)

I solved this task. I would like to know how you managed to compile the program so that the memory address is unchanged. If you open "server" in IDA, the start address = 0x08048000. When I compile my task, the start address = 0, but when debugging it is constantly changing. I have not found any articles describing this problem. FROM RUSSIA WITH LOVE))

Might be late, but, position independent executable (PIE), makes it such that the address space layout randomization (ASLR) can put it at random places. GCC has a flag i think, --no-pie to disable this security feature

is NX Turned on ? BeCause i know Damn well i Solved it but it's not Re2myShell

yes nx is turned on. if you have install pwntools it comes with checksec binary which will show you what the elf file is and if it had any protections turned on

well i started this like 5 days ago with no idea what ROP was and barely any understanding of how stacks or assembly or elf worked, and ended up solving it without libc and learning a ridiculous amount of great stuff. thanks!

It worked on my local machine. Idk why it did not in your netcat

libc on your machine isn't the same as libc on the server