This exploit leaks libc and heap addresses, uses tcache poisoning to overwrite _IO_2_1_stdout_, and crafts a fake file structure to gain a shell via FSOP.

https://github.com/im-razvan/writeups/tree/main/x3CTF-2025/pwny-heap