Rating:
The binary has a double free vulnerability.
The tcache has a strong double free detection in libc-2.29 and we have to fill tcache and use fastbin to overwrite `__free_hook`.
[writeup](https://ptr-yudai.hatenablog.com/entry/2019/04/29/122753#Pwn-238-girlfriend)
