Obviously heap overflow. Just another glibc heap challenge.
[exploit here](https://github.com/bash-c/pwn_repo/blob/master/Bamboofox2019_note/solve.py)

Original writeup (https://github.com/bash-c/pwn_repo/blob/master/Bamboofox2019_note/solve.py).