ROP is a classic technique for getting around address randomization and non-executable memory. This sequence will teach you the basics.

Problem available on the shell machine in /problems/ROP_3_7f3312fe43c46d26 , downloadable here[1] with source here[2].

If you solve the problem you will be able to read the key file by running

    cat /problems/ROP_3_7f3312fe43c46d26/key

    on the PicoCTF shell machine

    Hint: You're going to need to use gdb and search through libc for the address of system, exec, or a similar syscall wrapper. 

    [1]https://2013.picoctf.com/problems/rop3-7f3312fe43c46d26
    [2]https://2013.picoctf.com/problems/rop3-7f3312fe43c46d26.c