Tags: pwn binary
Rating: 5.0
#### writeup link:
[https://philomath213.github.io/post/angstromctf2020-bookface/](https://philomath213.github.io/post/angstromctf2020-bookface/)
### TL;DR
- Leak a libc address using a format string attack.
- Abuse the *glibc PRNG* by overwriting the random state through the *friends* pointer.
- Write a forged *FILE* structure in the *zero page*.
- Trigger the *FILE* structure exploit with a *NULL pointer dereference* attack and by exploiting a *TOCTOU* bug.
Top-notch writeup, with juicy external sources!