Tags: seccomp pwn
Rating: 5.0
Pivot through all the different memory regions (program base, heap, stack, libc, ld) based on only one libc leak from the heap. Read the flag file by carefully building an mprotect ROP chain with the 8-byte write-what-where to make the heap executable, then run shellcode that follows the seccomp rules.