A simple glibc 2.27 heap challenge.
The restriction that makes it interesting is that you can only hold a pointer to one chunk at a time.
Steps to exploitation:
- Get a heap leak
- Use the heap leak and a tcache poisoning attack to get a chunk somewhere on the heap with a forged chunk header of size 0x91
- Free this chunk 8 times for a libc leak (glibc 2.27's tcache has no double-free check; the 0x90 tcache bin fills at 7 entries, so the eighth free goes to the unsorted bin, whose fd/bk point into libc's main_arena)
- Use a tcache poisoning attack to overwrite __free_hook with system
- Free a chunk whose first 8 bytes are '/bin/sh\x00' to get a shell
Detailed writeup at the link.