Rating:

Simple glibc 2.27 heap challenge.

The restriction that makes it interesting is that you can only have a pointer to one chunk at a time.

Steps to exploitation:
1. Get a heap leak
2. Use the heap leak and the tcache poisoning attack to get a chunk somewhere on the heap with forged 0x91 size chunk header
3. Free this chunk 8 times for a libc leak
4. tcache poisoning attack to overwrite `__free_hook` to `system`
5. Free a chunk whose first 8 bytes are '/bin/sh\x00' to get a shell

Detailed writeup at the link.

Original writeup (https://faraz.faith/2019-10-20-secconctf-2019-one/).