Rating: 4.0

[write-up](https://github.com/ssspeedgit00/CTF/tree/master/2017/SECCON/election)
* See more details on exploit: [exploit](https://github.com/ssspeedgit00/CTF/tree/master/2017/SECCON/election).
* Vote `Ojima` to write everywhere.
* Write `ojima` to `.bss`.
* Forge struct on `.bss`.
* Switch `list` pointer to point to fake struct and its `votes` offset stored `heap` address.
* Vote it to increase the heap pointer.
* Fix `list` pointer to previous one.
* Show candidate to leak `heap base`, cause the name pointer of one candidate has been switched to point to `heap pointer` by voting to increase it.
* Now we can write everywhere on heap cause we got `heap base`.
* Forge `fd` of `single link list` to fake struct which name pointer point to `GOT['__libc_start_main']`.
* Leak libc.
* Overwrite `__malloc_hook` with `one`.
* Stand to get shell.

Original writeup (https://github.com/ssspeedgit00/CTF/tree/master/2017/SECCON/election).