Tags: fsop pwn heap 

Rating: 5.0

Leverage the allocation with no size limit to get a chunk served by mmap, which lands near libc. A leak is then given, and the offset to libc can be determined through debugging. Use the one-byte write of 0x30 to change the second-lowest byte of `_IO_buf_end` in `_IO_2_1_stdin_` when that byte is 0x2a (bruteforcing is required in my solution). Carefully write downwards towards `__malloc_hook` to replace it with a one_gadget while preserving the contents of the file structures. The last scanf call with `%ms` allocates from the heap, which invokes the hook and leads you to a shell.
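The first step relies on the binary passing a user-controlled size straight to malloc, so a large request is served by mmap and placed next to the shared libraries. Below is an added example (not code from the challenge or the original writeup) contrasting that weak pattern with the bounded one a defender would want; the cap value and the function names are constructed for this illustration.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed cap for this example: glibc's default mmap threshold is
 * 128 KiB (DEFAULT_MMAP_THRESHOLD), so requests at or above it are served
 * by mmap() rather than the brk heap. Keeping user requests well below it
 * keeps them on the main heap. */
#define MAX_USER_ALLOC (64 * 1024)

/* Weak pattern: the size comes straight from the user, so a huge request
 * silently becomes an mmap-backed chunk next to libc. */
void *alloc_unbounded(size_t n) {
    return malloc(n);
}

/* Hardened pattern: reject zero and anything above the policy cap before
 * the allocator ever sees the size. */
void *alloc_bounded(size_t n) {
    if (n == 0 || n > MAX_USER_ALLOC)
        return NULL;
    return malloc(n);
}

/* Helper for checking the policy: 1 if the bounded allocator accepts n. */
int bounded_alloc_accepts(size_t n) {
    void *p = alloc_bounded(n);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void) {
    /* Constructed sizes: one ordinary request, one large enough to be
     * mmap-backed under the default threshold. */
    return (bounded_alloc_accepts(256) && !bounded_alloc_accepts(1u << 20)) ? 0 : 1;
}
```

The cap should be chosen from the program's actual needs; the point is that the allocator's placement policy (brk heap versus mmap region) must never be something an untrusted size can select.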

Original writeup (https://www.willsroot.io/2020/06/redpwnctf-2020-pwn-writeups-four.html).