Tags: pwn heap tcache 

Rating: 5.0

### Summary

Please see [original writeup](https://github.com/happysox/CTF_Writeups/tree/master/Defcon_CTF_2019/babyheap) for a full walkthrough.

This is a nice, classic menu-style heap exploitation challenge for learning to bypass protections such as NX, stack canaries, Full RELRO, PIE, and ASLR in x86_64 binaries.

Given:
* `babyheap`
* `libc.so` (2.29!)

```
-----Yet Another Babyheap!-----
[M]alloc
[F]ree
[S]how
[E]xit
------------------------
Command:
>
```

```
>>> ELF('babyheap')
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
FORTIFY: Enabled
```

* No `Edit` option
* Chunk size `0x100` or `0x180`, selected according to the user-chosen size
* Fill up the tcache bin
* Leak libc from the unsorted bin
* Single-byte overflow
  * -> leads to a larger overflow
* tcache poisoning makes `malloc` return an arbitrary address, giving an arbitrary overwrite
* Overwrite `__free_hook` with a `one_gadget`

**OOO{4_b4byh34p_h45_nOOO_n4m3}**