Write and submit a commented script that writes your exploit to stdout, such that the output can be used as the argument for the target program. After spawning a /bin/sh shell, you should be able to retrieve the flag located within the same directory. Since the implementation of the countermeasure is non-deterministic, you might have to run task submit multiple times. Taskname for remote: fake_canary - Don't think too complicated: This task uses only a simple, conceptual imitation of stack canaries. - Note that there are various "bad characters" (besides nullbytes) http://blog. disects.com/2014/04/exploitation-identifying-bad-characters.html