Tags: pwn
This was a heap challenge disguised as a filesystem. We can trigger a use-after-free (UAF) on a file's buffer by deleting the file through an indirect path. With the UAF, it turns into a leakless heap challenge. We can simply overlap a tcache fd with an unsorted bin pointer, partially overwrite it to point at stdout, leak with stdout, then trigger system. See the solve script.
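The root cause, seen from the fix side: a buffer reachable under two names must not be freed while either name still exists. This is an added example, not the challenge's code; it assumes the indirect path is a second directory entry for the same buffer, and every name in it (`fs_create`, `fs_link`, `fs_delete`, `fs_read`, `add_name`) is hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed toy model; names and layout are assumptions, not the challenge's code. */
struct buf { unsigned refs; char data[]; };        /* contents shared by every name */
struct entry { char name[16]; struct buf *b; };    /* b == NULL marks an unused slot */
static struct entry table[8];
static unsigned live_bufs;                         /* buffers currently allocated */

static struct entry *lookup(const char *name) {
    for (struct entry *e = table; e < table + 8; e++)
        if (e->b && strcmp(e->name, name) == 0) return e;
    return NULL;
}

static int add_name(const char *name, struct buf *b) {  /* one more name, one more ref */
    if (!b || strlen(name) >= sizeof table->name || lookup(name)) return -1;
    for (struct entry *e = table; e < table + 8; e++)
        if (!e->b) { strcpy(e->name, name); e->b = b; b->refs++; return 0; }
    return -1;
}

int fs_create(const char *name, const char *content) {
    struct buf *b = calloc(1, sizeof *b + strlen(content) + 1);
    if (!b) return -1;
    strcpy(b->data, content);
    if (add_name(name, b) != 0) { free(b); return -1; }
    live_bufs++;
    return 0;
}

int fs_link(const char *target, const char *alias) {  /* second name, same buffer */
    struct entry *t = lookup(target);
    return add_name(alias, t ? t->b : NULL);
}

/* The buggy form frees e->b unconditionally and leaves the other name dangling. */
int fs_delete(const char *name) {
    struct entry *e = lookup(name);
    if (!e) return -1;
    if (--e->b->refs == 0) { free(e->b); live_bufs--; }  /* last name gone */
    e->b = NULL;
    return 0;
}

const char *fs_read(const char *name) {
    struct entry *e = lookup(name);
    return e ? e->b->data : NULL;
}
```

Building the original binary with AddressSanitizer is the quickest way to confirm this class of bug, since the first read through the stale name is reported as a heap-use-after-free.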