Tags: ret2libc rop 

Rating: 4.0

TL; DR. Execute `write()` and `read()` syscalls by loading arguments via ROP. To set `rax = 0` to perform `read()`, return to the `init_proc()` function. Reconstruct the global offset table's procedure lookup table and complete the exploit with a classic ROP-ret2libc.

Original writeup (https://nave1337.herokuapp.com/index.html#os2021_external).