TL;DL

Leak Libc address through unsorted bin chunks by partial overwrite.

Construct a fake file structure in a controlled area (concatenation of 2 chunks).

Overwrite File pointer using format string bug.

Get shell through calling fclose() \o/ !

Original writeup (https://pwn-diaries.com/post/pwn2win-2020-at_your_command/index.html).