## tl;dr

+ Overwrite `mmap_threshold` with null and trim top chunk size , to call `mmap` when malloc is called.
+ Null out last 2 bytes of stdin’s _IO_buf_base and brute force to get allocation on stdin.
+ Overwrite `__malloc_hook` with win function to get shell.

Link to the writeup : [Writeup](https://blog.bi0s.in/2020/09/09/Pwn/AllesCTF20-nullptr/)

Original writeup (https://blog.bi0s.in/2020/09/09/Pwn/AllesCTF20-nullptr/).