Tags: heap one_gadget null-byte-poisoning arbitrary-write off-by-one 

In the `SECCON 2017 - election` challenge, there is an `off-by-one` vulnerability (a `null byte poisoning` / `null byte overflow`) that gives us an `arbitrary write`. Using it, we can recover the `heap` base address by manipulating heap chunks and the `libc` base address by leaking the `read@GOT` entry, and finally overwrite `__malloc_hook` with a `one gadget` to execute `/bin/sh`. This is an interesting `heap exploitation` challenge for learning how to bypass protections such as `NX`, `Canary`, `Full RELRO`, and `ASLR` in `x86_64` binaries.

Original writeup (https://github.com/sajjadium/PersianCatsCTF/tree/master/SECCON/2017/Quals/election).