Terminator — Canary Leak + Full ret2libc

Overwrite the canary's low null byte so a printf("%s") leak runs past it through the other seven cookie bytes and into the saved RBP: the low byte is known to be 0x00, so the full 8-byte cookie is recovered and the stack can be based from the RBP value at the same time. Then leak puts@got to compute the libc base and call system("/bin/sh"), all in two trips through the same vulnerable function.

January 1, 2024 · 3 min · giordii
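The leak-and-parse step the summary describes, as an added example that is not the writeup's exploit script: a C model of the x86-64 frame (buf directly below the stack cookie, saved RBP just above it), a simulated unbounded read, a puts-style leak that stops at the first NUL, and the byte reassembly an exploit would do on the received bytes. The `struct frame`, the cookie and RBP constants and every function name here are constructed for the demo; on the real binary the buffer-to-cookie distance comes from the disassembly and may include padding.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the vulnerable function's frame. Offsets are
 * chosen for the demo: an 8-byte buffer, then the cookie, then saved RBP.
 * On glibc x86-64 the cookie's lowest byte is always 0x00, which is what
 * stops a "%s" / puts() leak at the end of buf. */
struct frame {
    char     buf[8];
    uint64_t cookie;    /* low byte zero, as glibc sets it */
    uint64_t saved_rbp; /* user-space address: top two bytes zero */
};

/* Constructed sample values, not taken from any real run. */
#define DEMO_COOKIE    0x1122334455667700ULL
#define DEMO_SAVED_RBP 0x00007ffd12345678ULL

/* Simulates the vulnerable read(): n bytes into buf with no bound check. */
static void vuln_read(struct frame *f, const char *in, size_t n) {
    memcpy(f->buf, in, n); /* n > 8 runs into the cookie and beyond */
}

/* Simulates what printf("%s", buf) / puts(buf) would send back: every
 * byte from the start of buf up to the first NUL. Returns the leak length. */
static size_t leak_via_puts(const struct frame *f, unsigned char *out, size_t cap) {
    const unsigned char *p = (const unsigned char *)f;
    size_t n = 0;
    while (n < cap && n < sizeof *f && p[n] != 0) { out[n] = p[n]; n++; }
    return n;
}

/* Leak layout after a 9-byte overflow: buf[0..7], clobbered low cookie
 * byte at [8], genuine cookie bytes 1..7 at [9..15], then saved RBP.
 * Rebuild the cookie little-endian and restore the known 0x00 low byte;
 * forgetting that restore is the classic mistake that still trips the check. */
static uint64_t recover_cookie(const unsigned char *leak, size_t n) {
    if (n < 16) return 0;
    uint64_t v = 0;
    for (int i = 7; i >= 1; i--) v = (v << 8) | leak[8 + i];
    return v << 8;
}

/* Saved RBP starts at leak[16]; puts stops at its first zero byte, so the
 * missing high bytes are zero and we left-justify what we got. */
static uint64_t recover_saved_rbp(const unsigned char *leak, size_t n) {
    if (n < 17) return 0;
    uint64_t v = 0;
    size_t m = n - 16 > 8 ? 8 : n - 16;
    for (size_t i = 0; i < m; i++) v |= (uint64_t)leak[16 + i] << (8 * i);
    return v;
}

/* Runs both states: intact null byte (leak stops at 8 bytes) and after a
 * 9-byte overflow (leak runs through the cookie into saved RBP).
 * Returns 1 when both values are recovered exactly. */
static int demo(size_t *len_before, size_t *len_after,
                uint64_t *cookie, uint64_t *rbp) {
    struct frame f;
    unsigned char leak[sizeof f];
    f.cookie = DEMO_COOKIE;
    f.saved_rbp = DEMO_SAVED_RBP;

    vuln_read(&f, "AAAAAAAA", 8);                        /* exact fill */
    *len_before = leak_via_puts(&f, leak, sizeof leak);  /* stops at NUL */

    vuln_read(&f, "AAAAAAAAB", 9);                       /* one byte over */
    *len_after = leak_via_puts(&f, leak, sizeof leak);   /* runs on */

    *cookie = recover_cookie(leak, *len_after);
    *rbp = recover_saved_rbp(leak, *len_after);
    return *cookie == DEMO_COOKIE && *rbp == DEMO_SAVED_RBP;
}

int main(void) {
    size_t lb, la; uint64_t c, r;
    int ok = demo(&lb, &la, &c, &r);
    printf("leak len before/after: %zu/%zu\n", lb, la);
    printf("cookie 0x%016llx  saved rbp 0x%016llx  %s\n",
           (unsigned long long)c, (unsigned long long)r, ok ? "ok" : "MISMATCH");
    return ok ? 0 : 1;
}
```

In the second trip the recovered cookie (with its 0x00 low byte back in place) is written over the cookie slot, the saved RBP slot is filled with the leaked value or anything harmless, and the return address is replaced with the ret2libc chain; the libc base itself is just the leaked puts address minus puts' offset in the matching libc build.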