Protostar/Stack 6

If you get stuck, you can watch the solution and explanation here:

Solving stack6 from with the re2libc technique.

Stack6 looks at what happens when you have restrictions on the return address.

This level can be done in a couple of ways, such as finding the duplicate of the payload (objdump -s) will help with this), or ret2libc, or even return orientated programming.

It is strongly suggested you experiment with multiple ways of getting your code to execute here.

This level is at /opt/protostar/bin/stack6


#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);


  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
      printf("bzzzt (%p)\n", ret);

  printf("got path %s\n", buffer);

int main(int argc, char **argv)



See also

This video introduces, how to connect to the VM with ssh and explains what setuid binaries are.

We will write our first Buffer Overflow for the stack0 level of

This video shows you how to take over control of a program with a buffer overflow

We write our first real exploit to get root access. Solving stack5 from with a simple Buffer Overflow and shellcode.

This is a mirror. Copyright and original can be found here: