
In the `InCTF 2018 - securepad` challenge, there is an `uninitialized stack variable` vulnerability that leads to an `arbitrary free` vulnerability, which eventually allows us to launch an `unsorted_bin_attack` and a `fastbin_dup_attack`. First, we leak a `heap` address. Then, using the `arbitrary free` obtained from the `uninitialized stack variable` vulnerability, we leak a `main arena` address so that we can find the `libc` base address. Next, we create a fake chunk before `__free_hook` using the `unsorted_bin_attack`, and using the `fastbin_dup_attack` we allocate that fake chunk to overwrite `__free_hook` with `system`. This is an interesting `heap exploitation` challenge for learning how protections like `NX`, `Canary`, `Full RELRO`, `PIE`, and `ASLR` are bypassed in `x86_64` binaries.
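The root bug class named above, shown as an added illustration beside its fix; this is not code from the challenge binary, and the note table, `lookup`, `add_note` and both `delete_note_*` functions are hypothetical names. It shows how a pointer that is never initialized and a lookup result that is never checked turn a failed lookup into a `free` of stale stack contents, and what the corrected function looks like.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NOTES 4                 /* hypothetical table size */
static char *notes[MAX_NOTES];      /* hypothetical note table */

/* Writes *out only on success; on failure *out keeps its old value. */
static int lookup(int idx, char **out) {
    if (idx < 0 || idx >= MAX_NOTES || notes[idx] == NULL)
        return -1;
    *out = notes[idx];
    return 0;
}

int add_note(int idx, const char *text) {
    if (idx < 0 || idx >= MAX_NOTES || notes[idx] != NULL)
        return -1;
    notes[idx] = malloc(strlen(text) + 1);
    if (notes[idx] == NULL)
        return -1;
    strcpy(notes[idx], text);
    return 0;
}

/* VULNERABLE (shown for contrast, never called here): p is uninitialized
 * and the lookup result is ignored, so a failed lookup frees whatever
 * value an earlier call left in that stack slot. */
void delete_note_vuln(int idx) {
    char *p;
    lookup(idx, &p);
    free(p);
}

/* HARDENED: initialize, check the lookup, clear the table slot. */
int delete_note_safe(int idx) {
    char *p = NULL;
    if (lookup(idx, &p) != 0)
        return -1;
    free(p);
    notes[idx] = NULL;
    return 0;
}

int main(void) {
    add_note(0, "constructed sample");
    printf("valid delete:  %d\n", delete_note_safe(0));
    printf("repeat delete: %d\n", delete_note_safe(0));
    printf("bad index:     %d\n", delete_note_safe(9));
    return 0;
}
```

Compiler and sanitizer support helps catch this class early: `-Wall -Wextra` for uninitialized-use warnings, and MemorySanitizer or Valgrind at test time.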