Tags: uaf tcache_perthread_struct sqlite3 sqlinjection python-exploitation 

Rating: 5.0

TLDR:
Use an SQL injection to reach a vulnerable version of the `libsqlite3` library. `json_set` contains a use-after-free (UAF), which can be used to free `tcache_perthread_struct`. Then, using `json_extract`, you can re-allocate `tcache_perthread_struct` to get arbitrary writes, which are used to target `PyMem_Raw` (to turn `PyMem_RawFree` into a one_gadget that spawns a reverse shell) and `PyFunction_Type->tp_call` (so that the one_gadget runs when a Python function is called).

Original writeup (https://sashactf.gitbook.io/pwn-notes/ctf-writeups/cor-ctf-2024/corchat-v3).