tl;dr: Use format string vulnerability to overwrite GOT table and buffer overflow to redirect to gadget.

Original writeup (https://dunsp4rce.github.io/redpwn-2020/pwn/2020/06/26/dead-canary.html).