Tags: format-string 

Rating:

Since there is no ASLR, it's possible for us to know the canary address (I use %18$p - 0xc0). Then we are able to fix the canary. As a result, the fixed canary will call __stack_chk_fail. So my exp works as follows:

  1. hijack __stack_chk_fail@got to noxFlag
  2. fix the canary
  3. the fixed canary will call __stack_chk_fail, which is in fact noxFlag
  4. get the flag

Here is my exp

Original writeup (https://github.com/0x01f/pwn_repo/blob/master/noxCTF2018_believeMe/exp.py).
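The outline above only works because __stack_chk_fail@got is writable, i.e. the binary was not linked with Full RELRO. The checker below is an added example, not part of the original writeup or its exp.py: it parses the ELF64 program headers and dynamic tags to report the RELRO level (the same check that checksec performs), and the minimal ELF images it builds are constructed for the test only and are not loadable.

```python
"""Classify an ELF64 binary's RELRO level: Full RELRO makes the GOT read-only after load."""
import struct
import sys

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"  # little-endian ELF64 layouts

def relro_level(elf: bytes) -> str:
    """Return 'static', 'none', 'partial' or 'full' for a little-endian ELF64 image."""
    hdr = struct.unpack_from(EHDR, elf, 0)
    ident, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    dynamic, has_relro = None, False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(PHDR, elf, e_phoff + i * e_phentsize)
        if p_type == PT_DYNAMIC:      # where the dynamic tags live in the file
            dynamic = (p_offset, p_filesz)
        elif p_type == PT_GNU_RELRO:  # region the loader remaps read-only after relocation
            has_relro = True
    if dynamic is None:
        return "static"   # no dynamic linking, so no GOT to hijack
    if not has_relro:
        return "none"     # whole GOT stays writable, so a GOT entry can be overwritten
    off, end = dynamic[0], dynamic[0] + dynamic[1]
    bind_now = False
    while off + 16 <= end:
        tag, val = struct.unpack_from(DYN, elf, off)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            bind_now = True  # every symbol is resolved at load time, so the GOT can be made read-only
        off += 16
    return "full" if bind_now else "partial"  # partial: .got.plt still writable for lazy binding

def build_sample_elf(relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image (header, program headers, dynamic section); not loadable."""
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    tags = ([(DT_FLAGS_1, DF_1_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in tags)
    dyn_off = 64 + 56 * len(types)  # dynamic section follows the program header table
    ehdr = struct.pack(EHDR, b"\x7fELF" + bytes([2, 1, 1]) + bytes(9), 3, 62, 1, 0, 64, 0, 0, 64, 56, len(types), 0, 0, 0)
    phdrs = b"".join(struct.pack(PHDR, t, 6, dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                                 len(dyn) if t == PT_DYNAMIC else 0, 0, 8) for t in types)
    return ehdr + phdrs + dyn

if __name__ == "__main__":
    print(relro_level(open(sys.argv[1], "rb").read()))  # usage: python relro_check.py ./binary
```

A result of "none" or "partial" means the GOT slot for __stack_chk_fail is still writable at runtime; linking with -Wl,-z,relro,-z,now yields "full" and removes that target.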