Secure Admin Panel — Stack Canary Leak + ret2win
Leak the stack canary via a controlled print function, then overflow to overwrite the return address without triggering the canary check.
Overwrite the canary's null byte so that printf leaks the full 8-byte cookie and, in the same output, a saved RBP that locates the stack; then use puts@got to find the libc base and call system("/bin/sh"), all in two trips through the same vulnerable function.
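Why the canary's null byte matters for the leak described above, shown as an added example (not the challenge's code): it models a frame as a flat byte array and compares an unterminated over-long read with a clamped, terminated one. The 24-byte buffer, the offsets, the canary and RBP values, and all function names are constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame model: buf | canary | saved RBP (layout is an assumption). */
enum { BUF_SZ = 24, CANARY_OFF = 24, RBP_OFF = 32, FRAME_SZ = 40 };
static const unsigned char CANARY[8]    = {0x00,0xa1,0xb2,0xc3,0xd4,0xe5,0xf6,0x17};
static const unsigned char SAVED_RBP[8] = {0x40,0xde,0xff,0xff,0xff,0x7f,0x00,0x00};

void frame_init(unsigned char *f) {
    memset(f, 0, FRAME_SZ);
    memcpy(f + CANARY_OFF, CANARY, 8);      /* low byte is 0x00, as on x86-64 glibc */
    memcpy(f + RBP_OFF, SAVED_RBP, 8);
}

/* Weak pattern: limit larger than the buffer, no terminator written. */
void read_weak(unsigned char *f, const char *in, size_t n) {
    if (n > (size_t)FRAME_SZ) n = FRAME_SZ; /* keeps the model in bounds */
    memcpy(f, in, n);
}

/* Hardened pattern: clamp to the buffer and always terminate. */
void read_safe(unsigned char *f, const char *in, size_t n) {
    if (n > (size_t)BUF_SZ - 1) n = (size_t)BUF_SZ - 1;
    memcpy(f, in, n);
    f[n] = '\0';
}

/* Bytes past the buffer that a "%s" print of buf would emit. */
size_t bytes_disclosed(const unsigned char *f) {
    const unsigned char *nul = memchr(f, 0, FRAME_SZ);
    size_t len = nul ? (size_t)(nul - f) : (size_t)FRAME_SZ;
    return len > (size_t)BUF_SZ ? len - (size_t)BUF_SZ : 0;
}

/* What the epilogue check sees: any change to the cookie aborts the return. */
int canary_intact(const unsigned char *f) {
    return memcmp(f + CANARY_OFF, CANARY, 8) == 0;
}

int main(void) {
    unsigned char f[FRAME_SZ];
    char in[25];
    memset(in, 'A', sizeof in);             /* constructed input */
    frame_init(f); read_weak(f, in, 24);
    printf("weak, 24 bytes: %zu disclosed\n", bytes_disclosed(f));
    frame_init(f); read_weak(f, in, 25);
    printf("weak, 25 bytes: %zu disclosed, canary intact=%d\n", bytes_disclosed(f), canary_intact(f));
    frame_init(f); read_safe(f, in, 25);
    printf("safe, 25 bytes: %zu disclosed, canary intact=%d\n", bytes_disclosed(f), canary_intact(f));
    return 0;
}
```

With the weak read, a full 24-byte input discloses nothing because the canary's own null byte ends the string; one byte more removes that terminator and the print runs on through the cookie and into the saved RBP.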