Tags: javascript pwn 

Rating: 5.0

# TL;DR
1. Find a UAF in the `midnight()` method for JS typed arrays
2. Exploit the UAF to get a libc leak
3. Exploit the UAF to perform a tcache poison attack
4. Set `__free_hook` to `system`
5. Free a chunk containing `cat *la*`
6. Win

Follow the link for the full writeup.

Original writeup (https://sectt.github.io/writeups/MidnightSunQuals22/hfs_browser/README).