1. Leak libc by reading from unsorted chunk
2. Free fast chunk of size 0x70
3. Free another fast chunk of size 0x70
4. vote for chunk freed in '3', will increment fd pointer. vote 0x20 times to make fd pointer point inside [2] chunk
5. [2] chunk should have a fake chunk pointing to \_\_malloc\_hook - 0x23
6. Overwrite with one shot gadget

Original writeup (https://github.com/DhavalKapil/ctf-writeups/blob/master/n1ctf-2018/vote/exploit.py).