Simple glibc 2.27 heap challenge.
The restriction that makes it interesting is that you can only have a pointer to one chunk at a time.
Steps to exploitation:
1. Get a heap leak
2. Use the heap leak and a tcache poisoning attack to get a chunk somewhere on the heap with a forged 0x91 size field in its chunk header
3. Free this chunk 8 times for a libc leak
4. Use a tcache poisoning attack to overwrite `__free_hook` with `system`
5. Free a chunk whose first 8 bytes are '/bin/sh\x00' to get a shell
Detailed writeup at the link.
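
An added toy model (not code from the challenge, the writeup or glibc) of why step 3 takes eight frees on glibc 2.27, and of the checks later glibc releases added against steps 2 to 4: the tcache `key` double-free check (2.29) and safe-linking (2.32). All names (`toy_free`, `free_repeatedly`, `protect`, `next_accepted`) and the sample addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define TCACHE_FILL 7   /* glibc default: at most 7 entries per tcache bin */

/* Simplified model of one tcache bin; glibc's real key is the tcache struct. */
struct entry { struct entry *next; void *key; };
struct bin   { struct entry *head; unsigned count; };
enum result  { CACHED, DOUBLE_FREE, TO_ARENA };

/* check_key = 0 models 2.27 (no check), 1 models the 2.29+ key check. */
static enum result toy_free(struct bin *b, struct entry *e, int check_key)
{
    if (check_key && e->key == b)            /* key matches: walk bin to confirm */
        for (struct entry *p = b->head; p; p = p->next)
            if (p == e) return DOUBLE_FREE;  /* glibc aborts at this point */
    if (b->count >= TCACHE_FILL)
        return TO_ARENA;  /* bin full: a 0x90 chunk goes to the unsorted bin,
                             whose fd/bk pointers point into libc's main_arena */
    e->next = b->head;
    if (check_key) e->key = b;
    b->head = e;
    b->count++;
    return CACHED;
}

/* Free the same chunk n times; return the outcome of the last free. */
static enum result free_repeatedly(int n, int check_key)
{
    struct bin b = {0};
    struct entry chunk = {0};
    enum result r = CACHED;
    for (int i = 0; i < n && r != DOUBLE_FREE; i++)
        r = toy_free(&b, &chunk, check_key);
    return r;
}

/* Safe-linking (2.32+): stored next = (address of the slot >> 12) ^ pointer. */
static uint64_t protect(uint64_t slot, uint64_t ptr) { return (slot >> 12) ^ ptr; }

/* 1 if the decoded next pointer passes the 16-byte alignment check. */
static int next_accepted(uint64_t slot, uint64_t stored)
{ return (protect(slot, stored) & 0xf) == 0; }

int main(void)
{
    printf("2.27 model, 8th free: %d\n", (int)free_repeatedly(8, 0));
    printf("2.29 model, 2nd free: %d\n", (int)free_repeatedly(2, 1));
    printf("raw next accepted: %d\n",
           next_accepted(0x555555559ab0ULL, 0x7ffff7dd18e0ULL)); /* constructed */
    return 0;
}
```

glibc 2.34 also removed the malloc hooks, including `__free_hook`, so the target of step 4 no longer exists on current releases.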