In short:
- UAF in `show` and `remove`
- use `fd` as jump table, since heap is `rwx`, jump to heap for executing shellcode

Original writeup (https://github.com/noAuxy/writeups/blob/master/2019/2019-04-28-StarCTF.md#upxofcpp).