ROP is a classic technique for getting around address randomization and non-executable memory. This sequence will teach you the basics. Problem available on the shell machine in /problems/ROP_2_20f65dd0bcbe267d , downloadable here[1] with source here[2]. If you solve the problem you will be able to read the key file by running cat /problems/ROP_2_20f65dd0bcbe267d/key on the PicoCTF shell machine Hint: objdump -t can get you the address in memory of the string /bin/bash... and then you need to figure out how to pass it as an argument to a call to system somehow [1]https://2013.picoctf.com/problems/rop2-20f65dd0bcbe267d [2]https://2013.picoctf.com/problems/rop2-20f65dd0bcbe267d.c