Tags: pwn one_gadget vtable heap bof c++ 

Rating:

#### TL;DR

- Buffer overflow on the heap

- Overwrite a `std::string`'s buffer pointer to leak binary's and libc's base

- Overwrite a vtable pointer to call a one-shot gadget and get a shell

For details, check out [the writeup](https://github.com/LevitatingLion/ctf-writeups/blob/master/defcon_quals_2018/pwn_124_its_a_me/README.md).

Original writeup (https://github.com/LevitatingLion/ctf-writeups/blob/master/defcon_quals_2018/pwn_124_its_a_me/README.md).