Rating:

1. Using double staged fsb, change the return address of the stack to main and leak the libc_start_main_ret address.
- a little brute forcing
2. Using double staged fsb, change the return address of the stack to one_gadget
3. Restore the SFP
- SFP should be changed when changing the return address of the stack.
- When the SFP changes, it moves to a different address
- a little brute forcing

Original writeup (https://blog.jsec.xyz/ctf-write-up/2021/01/03/TetCTF-warmup-write-up.html).