Tags: fastbin doublefree heap fastbindup 

Rating: 2.0

The freenote2018 challenge from 0CTF Final 2018 contains a double free vulnerability that allows us to launch a fastbin dup attack. Using this attack, we can create overlapping chunks, manipulate heap metadata, and finally overwrite __malloc_hook with a one-gadget address to execute /bin/sh. This challenge is very interesting because, in contrast to most challenges, we cannot leak any addresses (e.g., libc or heap) to de-randomize ASLR. Instead, we have the ability to partially overwrite memory: ASLR shifts libc by whole pages, so the 12 least significant bits of every libc pointer are fixed, and overwriting only the two low bytes of a pointer leaves just 4 bits to guess (a 1 in 16 chance per attempt). With some brute force we can therefore easily overwrite __malloc_hook with the right address. This is an interesting heap exploitation challenge to learn bypassing protections like NX, Canary, PIE, Full RELRO, and ASLR in x86_64 binaries.
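As an added illustration (not code from the writeup or the challenge), the following C program models glibc's pre-tcache fastbin free list closely enough to show the two points above: why `free(a); free(b); free(a)` slips past the only double-free check glibc applies to fastbins (comparing the chunk against the list head), and how the resulting cyclic list lets a later `malloc()` return a pointer just in front of `__malloc_hook` once a fake chunk with a plausible size byte (`0x7f`) is found there. The heap, the libc image, the hook offset and the gadget value are all constructed for the simulation and are assumptions; the size-check and fasttop-check logic mirrors glibc's, but nothing here calls the real allocator.

```c
/* Simulation of glibc's fastbin handling (pre-2.26, no tcache) to show the
 * fastbin dup primitive. Added example; heap, libc image and offsets are
 * constructed for the demo and are NOT taken from the challenge binary. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SIZE_SZ   8              /* sizeof(size_t) on x86_64 */
#define HDR       (2 * SIZE_SZ)  /* prev_size + size precede the user pointer */
#define NFASTBINS 10
#define MAX_FAST  0x80           /* default global_max_fast on x86_64 */

static uint8_t  heap[0x1000] __attribute__((aligned(16)));
static size_t   heap_top;
static uint8_t *fastbins[NFASTBINS];

static size_t rd(const uint8_t *p) { size_t v; memcpy(&v, p, sizeof v); return v; }
static void   wr(uint8_t *p, size_t v) { memcpy(p, &v, sizeof v); }
static size_t chunksize(const uint8_t *chunk) { return rd(chunk + SIZE_SZ) & ~(size_t)7; }
static int    fastbin_index(size_t sz) { return (int)((sz >> 4) - 2); }
static void   sim_reset(void) { memset(heap, 0, sizeof heap); memset(fastbins, 0, sizeof fastbins); heap_top = 0; }

static uint8_t *sim_malloc(size_t req, const char **err) {
    size_t sz = (req + SIZE_SZ + 15) & ~(size_t)15;   /* request2size */
    if (sz < 0x20) sz = 0x20;
    int idx = fastbin_index(sz);
    if (sz <= MAX_FAST && fastbins[idx]) {
        uint8_t *victim = fastbins[idx];
        /* the only integrity check on a fastbin victim: its size must map to this bin */
        if (fastbin_index(chunksize(victim)) != idx) { *err = "malloc(): memory corruption (fast)"; return NULL; }
        fastbins[idx] = (uint8_t *)rd(victim + HDR);   /* pop: head = victim->fd */
        return victim + HDR;
    }
    uint8_t *chunk = heap + heap_top;                 /* otherwise carve from top */
    heap_top += sz;
    wr(chunk + SIZE_SZ, sz | 1);                      /* size | PREV_INUSE */
    return chunk + HDR;
}

static int sim_free(uint8_t *mem, const char **err) {
    uint8_t *p = mem - HDR;
    int idx = fastbin_index(chunksize(p));
    uint8_t *old = fastbins[idx];
    /* glibc compares only against the current list head ("fasttop") */
    if (old == p) { *err = "double free or corruption (fasttop)"; return -1; }
    wr(mem, (size_t)old);          /* p->fd = old head; fd overlays user data */
    fastbins[idx] = p;
    return 0;
}

/* free(a); free(a) is caught, free(a); free(b); free(a) is accepted: returns 1 on that outcome. */
int demo_fasttop_check(void) {
    const char *err = NULL;
    sim_reset();
    uint8_t *a = sim_malloc(0x60, &err), *b = sim_malloc(0x60, &err);
    if (sim_free(a, &err) != 0) return 0;
    if (sim_free(a, &err) == 0) return 0;   /* must be rejected (a is the head) */
    if (sim_free(b, &err) != 0) return 0;
    return sim_free(a, &err) == 0;          /* head is b now, so a is accepted: a -> b -> a */
}

/* Constructed libc image: __malloc_hook is placed at HOOK_OFF (assumption for the demo). */
static uint8_t fake_libc[0x100] __attribute__((aligned(16)));
#define HOOK_OFF 0x80

/* Returns the value found in __malloc_hook after the attack; equals `gadget` on success. */
uintptr_t demo_fastbin_dup(uintptr_t gadget) {
    const char *err = NULL;
    sim_reset();
    memset(fake_libc, 0, sizeof fake_libc);
    uint8_t *hook = fake_libc + HOOK_OFF;
    /* In a real libc a 0x7f byte sits at __malloc_hook-0x23+8 (high byte of a pointer in
       _IO_wide_data_0); here it is planted so the model is self-contained. */
    uint8_t *fake_chunk = hook - 0x23;
    fake_chunk[SIZE_SZ] = 0x7f;            /* size 0x7f -> chunksize 0x78 -> same bin as 0x70 */

    uint8_t *a = sim_malloc(0x60, &err), *b = sim_malloc(0x60, &err);
    sim_free(a, &err); sim_free(b, &err); sim_free(a, &err);   /* list: a -> b -> a */

    uint8_t *m1 = sim_malloc(0x60, &err);  /* == a, but a is still linked in the list */
    wr(m1, (size_t)fake_chunk);            /* a->fd = fake chunk in front of the hook */
    sim_malloc(0x60, &err);                /* == b */
    sim_malloc(0x60, &err);                /* == a again */
    uint8_t *m4 = sim_malloc(0x60, &err);  /* == fake_chunk + 0x10 == hook - 0x13 */
    if (!m4) { puts(err); return 0; }
    memset(m4, 'A', 0x13);                 /* padding up to __malloc_hook ... */
    memcpy(m4 + 0x13, &gadget, sizeof gadget);   /* ... then the one-gadget address */
    return (uintptr_t)rd(hook);
}

/* Bits to brute force when overwriting the low `nbytes` of a libc pointer under ASLR:
   pages are 4 KiB, so the low 12 bits are fixed. Two bytes -> 4 bits -> 1 in 16. */
int brute_force_bits(int nbytes) { return nbytes * 8 - 12; }

int main(void) {
    printf("fasttop check bypassed: %d\n", demo_fasttop_check());
    printf("__malloc_hook = 0x%lx\n", (unsigned long)demo_fastbin_dup(0x4526a));
    printf("bits to guess for a 2-byte partial overwrite: %d\n", brute_force_bits(2));
    return 0;
}
```

The `0x60` request is the usual choice for this trick because it rounds to a `0x70` chunk, which lands in the same fastbin as the fake `0x7f` size; any other size would trip the `memory corruption (fast)` check in `sim_malloc` (and in glibc). The gadget value `0x4526a` is just a placeholder constant, not a real one-gadget offset for any libc.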

Original writeup (https://github.com/sajjadium/ctf-writeups/tree/master/0CTFFinal/2018/freenote2018).