Tags: got off-by-one heap one_gadget 

Rating:

In the `InCTF 2018 - YAWN` challenge, there is an `off-by-one` vulnerability that allows us to overwrite the `desc` pointer with an arbitrary address. First, we leak `read@GOT` and a `.bss` address to find the `libc` and `heap` base addresses, respectively. Then, we can `free` arbitrary `chunks` in the `heap`, which allows us to launch a `fastbin dup` attack. As a result, we can force `malloc` to return a `fake chunk` located just before `__malloc_hook`, so we can overwrite `__malloc_hook` with a `one gadget`. This is an interesting `heap exploitation` challenge for learning how to bypass protections like `NX`, `Canary`, `Full RELRO`, and `ASLR` in `x86_64` binaries.

Original writeup (https://github.com/sajjadium/ctf-writeups/tree/master/InCTF/2018/YAWN).