Leaking libc addresses to do ret2libc with unknown libc

First, let's take a look at the binary mitigations.

    {} ret2what checksec return-to-what
    [*] '/home/h4x5p4c3/Downloads/ret2what/return-to-what'
        Arch:     amd64-64-little
        RELRO:    Partial RELRO
        Stack:    No canary found
        NX:       NX enabled
        PIE:      No PIE (0x400000)

NX is enabled, so we can't do a buffer overflow and place our shellcode on the stack to get a shell. There is no canary, which makes things easier, and ASLR is probably enabled.

Decompilation and Disassembly

The decompilation of the assembly code looks like this: