
"No system calls"

Yeah, they're direct function calls now. How exactly is that more secure? The author's right that many traditional exploit paths are gone, but only because they've been replaced by even easier ones.



Because you don't know how to call the functions, as explained in the article. To call a function, you need to know its address among other things. And you don't, since the address was decided at random at build time (or even boot time in some systems).


There are other ways to find functions besides knowing their addresses a priori.


How is this done?

I think kernels try not to leak the address of system calls at run time, and if they are scattered around in a 64-bit address space they are tough to search for. Educate me!


I have no idea, but couldn't you use some part of the software you just compromised that makes syscalls?


There are no syscalls as the fine article explains.


Ah, wait, I misread your comment and it's too late to edit mine. Yes, that sounds plausible, and particularly if you have the source code, which you do for many common servers.


They assume that 99% of libc was stripped out at build time. The full network stack is probably there but there might not be much filesystem code.



