Use-After-Free with no PIE and Partial RELRO gives us an easy Return-To-libc-esque attack.

https://github.com/ResultsMayVary/ctf/tree/master/RHME3/pwnable