Tags: bof pwn 

Rating:

![](http://image.taqini.space/img/cap_dorsia_00:00:06_01.jpg)

`system+765772` is the address of one gadget in `libc2.27`, and there is a buffer overflow in stack. So we can overwrite the return address with address of one gadget.

[full wp](http://taqini.space/2020/04/20/WPICTF-2020-pwn-linux-wp/#dorsia1-100pt)

Original writeup (http://taqini.space/2020/04/20/WPICTF-2020-pwn-linux-wp/#dorsia1-100pt).