Tags: pwn 

Rating:

This challenge uses calloc, and we can introduce a oob write with a flag byte. We can leak flag byte using fastbin dup side channel by overwriting fastbin freelist's fd and dup-ing into a controlled chunk. See solve script.

Original writeup (https://github.com/perfectblue/ctf-writeups/tree/master/2020/tsgctf-2020/detective).