Linux NX Bypass (ret2libc) LAB 10

,

Couple questions regarding the material in this lab:

  1. What is a plt sub?
    This was mentioned in the lab solution. I understand this is how the program is getting the puts@plt function address in libc. I am just curious if this is true for all function calls to libc. Is there always a plt sub address that can be used to discover the address of a function in libc? Hope this make sense =p

  2. Why do I not get a root shell at the end of the exercise?
    I would think that I would gain priv escalation from the permissions of the binary w/sticky bit. Not sure why I am not getting a root shell