Tags: fastbin heap fastbindup format-string got doublefree 

In this challenge, a `double free` vulnerability lets us mount a `fastbin dup` attack to get an arbitrary write into the `GOT` table. Then, using a `format string` attack, we leak a `libc` address, and finally we execute `system("/bin/sh")` by overwriting a `GOT` entry. This is an interesting `heap exploitation` challenge for learning how to bypass protections such as `NX`, `Canary`, and `ASLR` in `x86_64` binaries.

Original writeup (https://github.com/sajjadium/PersianCatsCTF/tree/master/SECCON/2017/Quals/secure_keymanager).