Ret2win

Leak the stack canary via a controlled print function, then overflow to overwrite the return address without triggering the canary check.

Classic x86-64 ret2win: overflow the return address, use a pop rdi gadget to pass the /bin/cat flag.txt string as argument, jump to system.

Overflow a stack buffer to overwrite the return address with a known win function address, then trigger it.