Tags: pwn binary 

Rating: 5.0

#### writeup link:

### TL;DL
- Leak Libc address using Format String Attack.
- Abusing *glibc PRNG* by overwrite the random state using *friends* pointer.
- Writing a forged *FILE* structure in *Zero Page*.
- Trigger *FILE* structure exploit by a *NULL Pointer Dereference Attack* and exploiting a *TOCTOU* bug.

Original writeup (https://philomath213.github.io/post/angstromctf2020-bookface/).
eldstalMarch 21, 2021, 7:47 p.m.

Top-notch writeup, with juicy external sources!