In SECCON 2017 - election challenge, there is an off-by-one (null byte poisoning, null byte overflow) vulnerability that gives us arbitrary write. Using this vulnerability, we can find heap base address by manipulating heap chunks and libc base address by leaking read@GOT address, and finally overwrite __malloc_hook with one gadget in order to execute /bin/sh. This is an interesting heap exploitation challenge to learn bypassing protections like NX, Canary, Full RELRO, and ASLR in x86_64 binaries.

Original writeup (https://github.com/sajjadium/PersianCatsCTF/tree/master/SECCON/2017/Quals/election).