Leak LibC using heap overflow then overwrite the GOT value of free to trigger system("/bin/sh").

Original writeup (https://www.pwntera.fr/write-up/2018/11/18/ritsec-pwn3.html).