Tags: rop
Rating:
- double free in destroy object
- libc leak from freeing a chunk into the unsorted bin
- closed stdout after getting the leak
- closed stdin after the buffer overflow
- only a ~16-byte stack buffer overflow, overwriting RBP and RIP
- partially overwrite RBP to gain a stable stack pivot for ROP
- add a NOP-sled gadget to the ROP chain to make it more stable
- since `std{in,out}` are closed, the only way to get the flag is via socket+connect
[original writeup here.](https://kiror0.github.io/ctf/posts/inferno-ctf-pwn/#secret-keeper-v2)
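The root cause in this chain is the double free in the object-destroy routine. The following is an added illustration, not code from the challenge binary or the linked writeup: a hypothetical `destroy` over a global object table written first in the vulnerable pattern (free without clearing the slot) and then in the hardened pattern (bounds check, empty-slot check, and slot cleared so a repeated destroy is a no-op). The `struct secret`, `MAX_OBJS`, and the function names are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJS 4   /* assumed table size for this example */

/* Hypothetical "secret" object; the real challenge layout is not shown on this page. */
struct secret {
    char *data;
};

/* Global table of objects, the usual layout in such challenge binaries. */
static struct secret *objs[MAX_OBJS];

/* Allocate an object into slot idx; returns 0 on success, -1 on bad index or full slot. */
int create_obj(int idx, const char *text) {
    if (idx < 0 || idx >= MAX_OBJS || objs[idx] != NULL)
        return -1;
    struct secret *o = malloc(sizeof *o);
    if (!o)
        return -1;
    size_t len = strlen(text) + 1;
    o->data = malloc(len);
    if (!o->data) {
        free(o);
        return -1;
    }
    memcpy(o->data, text, len);
    objs[idx] = o;
    return 0;
}

/* Vulnerable pattern: frees both chunks but leaves the stale pointer in the table.
 * A second destroy on the same index frees the same chunks again (double free),
 * and any later read of the slot is a use after free. Shown only for contrast;
 * it is never called twice in this example. */
void destroy_obj_vuln(int idx) {
    free(objs[idx]->data);
    free(objs[idx]);
}

/* Hardened pattern: validate the index, refuse to destroy an empty slot,
 * and clear the slot so a repeated destroy is a harmless -1 instead of a double free. */
int destroy_obj_fixed(int idx) {
    if (idx < 0 || idx >= MAX_OBJS || objs[idx] == NULL)
        return -1;
    free(objs[idx]->data);
    objs[idx]->data = NULL;
    free(objs[idx]);
    objs[idx] = NULL;
    return 0;
}

/* Helper so callers (and tests) can observe the slot state without touching freed memory. */
int obj_exists(int idx) {
    return idx >= 0 && idx < MAX_OBJS && objs[idx] != NULL;
}

int main(void) {
    create_obj(0, "constructed sample secret");
    printf("first destroy:  %d\n", destroy_obj_fixed(0));  /* 0 */
    printf("second destroy: %d\n", destroy_obj_fixed(0));  /* -1, slot already cleared */
    return 0;
}
```

Compiling the vulnerable variant with `-fsanitize=address` and destroying the same index twice reports the double free at the second `free` call, and recent glibc (2.29 and later) aborts with `free(): double free detected in tcache 2` for the simple back-to-back case; neither check replaces clearing the slot, which is what removes the bug rather than just detecting it.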