Tags: fastbin doublefree heap fastbindup 

Rating: 2.0

In the `0CTF Final 2018 - freenote2018` challenge, a `double free` vulnerability lets us launch a `fastbin dup` attack. With it we create `overlapping chunks`, manipulate `heap metadata`, and finally overwrite `__malloc_hook` with a `one gadget` address so that the next `malloc` call executes `/bin/sh`. What makes this challenge interesting is that, unlike most challenges, we `cannot` leak any addresses (`libc`, `heap`) to defeat `ASLR`. Instead, we partially overwrite existing pointers: ASLR randomizes mappings at page granularity, so the `12 least significant bits` of every address are fixed, and rewriting only the low two bytes of a pointer leaves just 4 bits to guess, a 1-in-16 chance per attempt. A small brute-force loop is therefore enough to land an allocation on `__malloc_hook` and overwrite it with the right address. This is a good `heap exploitation` challenge for learning to bypass `NX`, `Canary`, `PIE`, `Full RELRO`, and `ASLR` in `x86_64` binaries.
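The `fastbin dup` primitive the writeup relies on, as an added stand-alone illustration (this is not code from the writeup or the challenge binary). It assumes glibc on `x86_64` with default tuning: a `0x68`-byte request lands in a `0x70`-byte chunk, which is fastbin-sized, and tcache holds 7 entries per size class. The tcache bin is filled first so the same sequence also works on glibc 2.26 and later, where frees normally go to tcache (which has its own double-free check); the `slots` array and size constants are this example's own names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: fastbin dup via double free.
 * Assumptions: glibc malloc, x86_64, default fastbin limit (0x80 chunk)
 * and default tcache count (7); not built with ASan or MALLOC_CHECK_. */
#define SZ 0x68            /* request size -> 0x70-byte fastbin chunk   */
#define TCACHE_FILL 7      /* default tcache entries per size class     */
#define NALLOC (TCACHE_FILL + 3)

/* volatile so the compiler cannot reason about the malloc results. */
static void *volatile slots[NALLOC];

/* Returns 1 if malloc hands out the same chunk twice after the double
 * free (and a write through one alias is visible through the other),
 * 0 if no alias was observed, -1 on allocation failure. */
int fastbin_dup_demo(void)
{
    void *fill[TCACHE_FILL];
    for (int i = 0; i < TCACHE_FILL; i++)
        fill[i] = malloc(SZ);
    char *a = malloc(SZ);
    char *b = malloc(SZ);
    if (!a || !b)
        return -1;

    /* Fill the 0x70 tcache bin so the next frees of this size go to
     * the fastbin (on pre-tcache glibc these simply join the fastbin). */
    for (int i = 0; i < TCACHE_FILL; i++)
        free(fill[i]);

    /* The classic fastbin dup: glibc only checks that the chunk being
     * freed is not already the head of the bin, so freeing b in between
     * evades it. Fastbin is now a -> b -> a. */
    free(a);
    free(b);
    free(a);    /* double free */

    /* Drain the tcache, then pull from the corrupted fastbin. */
    for (int i = 0; i < NALLOC; i++)
        slots[i] = malloc(SZ);

    /* Look for two allocations that alias the same chunk. */
    for (int i = 0; i < NALLOC; i++) {
        for (int j = i + 1; j < NALLOC; j++) {
            if (slots[i] && slots[i] == slots[j]) {
                char *p = slots[i];
                char *q = slots[j];
                strcpy(p, "written via p");
                return strcmp(q, "written via p") == 0;
            }
        }
    }
    return 0;
}

int main(void)
{
    int r = fastbin_dup_demo();
    printf("fastbin dup: %s\n", r == 1 ? "two allocations alias one chunk"
                                       : "no alias observed");
    return r == 1 ? 0 : 1;
}
```

In the challenge the aliased chunk is used to edit the `fd` pointer of a freed chunk rather than user data, which is what turns the duplicate into an arbitrary-ish allocation near `__malloc_hook`; the example stops at the aliasing itself, and none of the aliased chunks are freed again, since that would trip the tcache double-free check on newer glibc.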

Original writeup (https://github.com/sajjadium/ctf-writeups/tree/master/0CTFFinal/2018/freenote2018).