Rating: 0

TLDR: find out where `_dl_fini` is and hijack execution via an `atexit` handler. See [full writeup](https://github.com/SPRITZ-Research-Group/ctf-writeups/tree/master/0x00ctf-2017/pwn/left-250).