Rating: 3.0

- use the one-byte to extend the size of the next chunk
- leak the heap, then free it again and with the overlapping chunk, corrupt the tcachebin to point a chunk that contains the top_chunk->size
- change the top_chunk size to use house of orange (not the FSOP part)
- now we can get some unsorted chunk back from malloc, and so leak of the arena
- and last use again the one-byte to overlap and then again corrupt the tcachebin by inserting __free_hook, then insert one gadget

See link

Original writeup (https://github.com/tin-z/mY_Writ3_Up5/tree/master/asis-ctf-quals-2019#pwn-101).