- Leak GlibC.
- Re-arrange the chunks in the heap somehow using the OBO, so that I can achieve tcache poisoning (I will show you how)
- change __free_hook to system() and free a chunk containing "/bin/sh\x00"

Original writeup (https://pwn-maher.blogspot.com/2020/11/pwn11-heap-off-by-one-vulnerability.html).