Generatore Poco Casuale — Shellcode Injection via Leaked Stack Address

The binary leaks a runtime stack address disguised as a ‘random number’. Add 6 to land inside the shellcode region, then spray that address 800 times to cover the return target and get a shell.

January 1, 2024 · 2 min · giordii

Terminator — Canary Leak + Full ret2libc

Overwrite the canary's null byte to leak the full 8-byte cookie over printf, simultaneously leak a saved RBP to base the stack, then use puts@got to find libc base and call system('/bin/sh') — all in two trips through the same vulnerable function.

January 1, 2024 · 3 min · giordii