1. Malloc a chunk large enough to get malloc to call mmap and give you a chunk aligned to libc
2. Overwrite free hook to system using out of bounds relative write
3. Call system("ed") to bypass hexadecimal char only filter
4. Escape ed to shell by doing !/bin/sh

Detailed writeup at the link

Original writeup (https://faraz.faith/2019-10-14-hitconctf-2019-trick-or-treat/).