Tags: off-by-null pwn heap-overflow
Off-by-null. Corrupt heap metadata and trick `malloc()` into creating overlapping chunks, then:
1) Leak libc base address by printing out a smallbin libc pointer;
2) Overwrite `bk` of a fastbin chunk, in order to create a fake fastbin chunk. Overwrite `__malloc_hook` with a one_gadget address.
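The off-by-null bug class named above, shown as an added example next to a hardened reader; this is not code from the challenge binary or the original writeup. The names `read_vuln`, `read_safe`, `arena` and the 24-byte chunk size are assumptions, and a flat array models two adjacent heap chunks so the stray write can be observed without touching a real allocator.

```c
#include <stdio.h>
#include <string.h>

#define USER_SIZE 24  /* assumed usable size of chunk A (constructed) */

/* Constructed model: arena[0..23] is chunk A's user data and arena[24]
   stands in for the low byte of chunk B's size field (holds PREV_INUSE). */
static unsigned char arena[USER_SIZE + 8];

typedef size_t (*reader_fn)(unsigned char *, size_t, const char *, size_t);

/* Vulnerable pattern: copies up to cap bytes, then terminates at dst[n].
   When n == cap the NUL lands one byte past the buffer. */
static size_t read_vuln(unsigned char *dst, size_t cap, const char *src, size_t len) {
    size_t n = len < cap ? len : cap;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Hardened: one byte of capacity is reserved for the terminator. */
static size_t read_safe(unsigned char *dst, size_t cap, const char *src, size_t len) {
    if (cap == 0) return 0;
    size_t n = len < cap - 1 ? len : cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Fill chunk A with a full-length input; return the neighbour's size byte. */
static unsigned char neighbour_after(reader_fn reader) {
    char input[USER_SIZE];
    memset(input, 'A', sizeof input);
    memset(arena, 0, sizeof arena);
    arena[USER_SIZE] = 0x01;  /* constructed: low byte with PREV_INUSE set */
    reader(arena, USER_SIZE, input, sizeof input);
    return arena[USER_SIZE];
}

int main(void) {
    printf("vulnerable reader: neighbour byte = 0x%02x\n", neighbour_after(read_vuln));
    printf("hardened reader:   neighbour byte = 0x%02x\n", neighbour_after(read_safe));
    return 0;
}
```

Building real code with AddressSanitizer (`-fsanitize=address`) reports this one-byte write as a heap-buffer-overflow at the terminating store.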