Tags: 2.33 pwn heap
The main bug is in how the favorite word struct is freed: the struct itself is freed first, and then its second qword is freed as well. With the proper heap feng shui, you can have that struct go into tcache, so the second qword gets filled with a pointer to `tcache_perthread_struct`, and that pointer is then freed into the unsorted bin. From there, you can get a libc leak from the show function, after which you will have to briefly fix up the `tcache_perthread_struct`. You can now achieve arbitrary allocations, subject to the 16-byte alignment requirement (libc 2.33).
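The two allocator behaviours this summary relies on, as an added example that is not part of the original writeup: a simplified single-bin model of what glibc 2.33's `tcache_put` and `tcache_get` do, showing why a freed chunk's second qword holds the per-thread struct pointer and why returned chunks must be 16-byte aligned. All `model_*` names and the `slots` array are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of glibc 2.33 tcache bookkeeping (one bin, no counts). */
typedef struct model_entry {
    struct model_entry *next;  /* first qword: safe-linked forward pointer */
    void *key;                 /* second qword: owning per-thread struct */
} model_entry;

typedef struct { model_entry *head; } model_tcache;

/* Constructed stand-ins for 16-byte aligned heap chunks. */
static _Alignas(16) model_entry slots[2];

/* Safe-linking: the stored pointer is XORed with (its own address >> 12). */
static model_entry *protect_ptr(void *pos, model_entry *ptr) {
    return (model_entry *)(((uintptr_t)pos >> 12) ^ (uintptr_t)ptr);
}

/* Like tcache_put: writes key, then links the chunk with a mangled next. */
static void model_put(model_tcache *tc, model_entry *e) {
    e->key = tc;
    e->next = protect_ptr(&e->next, tc->head);
    tc->head = e;
}

/* Like tcache_get: refuses a bin head that is not 16-byte aligned. */
static model_entry *model_get(model_tcache *tc) {
    model_entry *e = tc->head;
    if (e == NULL || ((uintptr_t)e & 0xf) != 0)
        return NULL;  /* real glibc aborts: "unaligned tcache chunk detected" */
    tc->head = protect_ptr(&e->next, e->next);  /* same XOR demangles */
    e->key = NULL;
    return e;
}

int main(void) {
    model_tcache tc = { NULL };
    model_put(&tc, &slots[0]);
    printf("key == tcache: %d\n", slots[0].key == (void *)&tc);
    tc.head = (model_entry *)((char *)&slots[1] + 8);  /* misaligned head */
    printf("misaligned head rejected: %d\n", model_get(&tc) == NULL);
    return 0;
}
```

From glibc 2.34 onward the `key` field holds a random value instead of the per-thread struct pointer, so the second-qword behaviour modelled here is specific to the older versions the writeup targets.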