`system+765772` is the address of one gadget in `libc2.27`, and there is a buffer overflow in stack. So we can overwrite the return address with address of one gadget.

[full wp](http://taqini.space/2020/04/20/WPICTF-2020-pwn-linux-wp/#dorsia1-100pt)

Original writeup (http://taqini.space/2020/04/20/WPICTF-2020-pwn-linux-wp/#dorsia1-100pt).