https://www.willsroot.io/2019/09/cuctf-2019-tcash-writeup.html

TCache Poisoning Attack. Use an unsorted bin to help leak libc address. Use the delete option to create a double free in a tcachebin. Then, make the next pointer point to free hook, so you can change it to system. Then use the option that calls free on a chunk with the /bin/sh string to pop a shell.

Original writeup (https://www.willsroot.io/2019/09/cuctf-2019-tcash-writeup.html).