Tags: tcache uaf one_gadget use-after-free doublefree tcache-poisoning tcache-dup fake_chunk 

Rating:

In this challenge, an `uninitialized variable` bug leads to a `double free` and a `use after free (UAF)` on a `tcache` chunk. Using these, we first leak a `libc` address to defeat `ASLR`, then launch a `tcache dup` attack (freeing the same chunk twice so that it appears twice in its `tcache` bin), and then use `tcache poisoning` to overwrite the freed chunk's `next` pointer with the address of our `fake chunk`. As a result, `malloc` eventually returns our `fake chunk`, which is placed just before `__free_hook`, so we can overwrite `__free_hook` with a `one gadget` and the next `free` call jumps to it. This is an interesting `heap exploitation` challenge for learning how to bypass `NX`, `Canary`, `Full RELRO`, and `ASLR` on `x86_64` binaries when `tcache` is present.
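To make the `tcache dup` and `tcache poisoning` steps concrete, here is an added example (not code from the challenge, the original writeup, or glibc): a small C model of the glibc 2.27 tcache with one fixed-size bin, where `free` pushes onto the bin without any double-free check and `malloc` pops whatever pointer sits in the chunk's `next` field. The `libc_rw` struct and the `one_gadget` value `0x4f322` are placeholders for libc's writable data and for `libc_base` plus a `one_gadget` offset. The same sequence aborts on glibc 2.29 and later (the `key` field detects the double free) and the raw pointer write no longer works on glibc 2.32 and later (safe-linking mangles `next`), which is why this trick is tied to the 2.27-era target.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the glibc 2.27 tcache, written for this entry: one bin of
 * fixed-size chunks, free() pushes with no double-free check and malloc()
 * pops whatever pointer is in the chunk's 'next' field.
 * Not the challenge binary and not glibc's own code. */

#define CHUNK_SIZE 0x20
#define ARENA_CHUNKS 8

typedef struct tcache_entry {
    struct tcache_entry *next;   /* lives in the first 8 bytes of user data */
} tcache_entry;

static unsigned char arena[ARENA_CHUNKS * CHUNK_SIZE];
static size_t arena_top;
static tcache_entry *tcache_bin;    /* LIFO singly linked list head */

/* Stand-in for libc's writable data (assumed layout): the fake chunk's
 * 'next' slot sits immediately before the __free_hook stand-in, so an
 * 8-byte write at offset 8 of the fake chunk lands on the hook. */
static struct {
    uint64_t next_slot;
    uint64_t free_hook;
} libc_rw;

static void tc_reset(void) {
    arena_top = 0;
    tcache_bin = NULL;
    memset(&libc_rw, 0, sizeof libc_rw);
}

/* malloc(): pop the bin head if present, else carve a fresh chunk. */
static void *tc_malloc(void) {
    if (tcache_bin) {
        tcache_entry *e = tcache_bin;
        tcache_bin = e->next;       /* trusts 'next' blindly (no safe-linking) */
        return e;
    }
    if (arena_top + CHUNK_SIZE > sizeof arena) return NULL;
    void *p = arena + arena_top;
    arena_top += CHUNK_SIZE;
    return p;
}

/* free(): push without checking whether the chunk is already in the bin
 * (glibc <= 2.28; 2.29 added the 'key' check that aborts on this). */
static void tc_free(void *p) {
    tcache_entry *e = p;
    e->next = tcache_bin;
    tcache_bin = e;
}

/* Runs tcache dup + tcache poisoning and returns the chunk malloc() hands
 * out third, which should be the fake chunk in front of the hook. */
static void *run_attack(uint64_t one_gadget) {
    tc_reset();
    void *a = tc_malloc();

    tc_free(a);
    tc_free(a);             /* double free: bin is a -> a (tcache dup) */

    void *p1 = tc_malloc(); /* returns a; head is still a because a->next == a */
    uintptr_t fake = (uintptr_t)&libc_rw.next_slot;
    memcpy(p1, &fake, sizeof fake);   /* poisoning: a->next = fake chunk */

    void *p2 = tc_malloc(); /* returns a again; head is now the fake chunk */
    void *p3 = tc_malloc(); /* returns the fake chunk */
    (void)p2;

    memcpy((char *)p3 + 8, &one_gadget, sizeof one_gadget); /* __free_hook = gadget */
    return p3;
}

static uint64_t current_free_hook(void) { return libc_rw.free_hook; }

int main(void) {
    uint64_t gadget = 0x4f322;  /* placeholder: real value is libc_base + one_gadget offset */
    void *fake = run_attack(gadget);
    printf("fake chunk %p, &libc_rw %p, free_hook = %#llx\n",
           fake, (void *)&libc_rw, (unsigned long long)current_free_hook());
    return 0;
}
```

The key observation is in `run_attack`: after the double free the bin head points to itself, so the first `malloc` returns the chunk while it is still the head, and the write into that chunk is a write into the list's `next` pointer. Two more `malloc` calls then walk the corrupted list to the fake chunk.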

Original writeup (https://github.com/sajjadium/ctf-writeups/tree/master/AsisCTFFinal/2018/asvdb).