Utilizing Out-of-bounds write to overwrite an adjacent memory chunk to bypass login and using Format String Vulnerability to overwrite a check and overwrite return address on the stack to perform ROP.
Utilizing double free to create a fake chunk in the BSS section of the ELF and freeing the chunk into the unsorted bin by using Unsorted Bin Attack to leak libc and overwrite __free_hook.