The author's answer from irclog, thanks to riatre

elnx · web-flow · commit 87a9af175c18 · 2020-12-21T18:47:54.000+08:00
diff --git a/2020/hxpctf/stegernseer/hint.txt b/2020/hxpctf/stegernseer/hint.txt
@@ -0,0 +1 @@
+[23:13:37] <@hlt_> stegernseer: Use overflow in `reverse` operation to overwrite next pointer, then use CVE-2019-1010025 to brute-force ~8 bits of ASLR to get into the thread arena, pivot through the arena list into the main_arena and then overwrite xsputn in stdout with popen

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+[23:13:37] <@hlt_> stegernseer: Use overflow in `reverse` operation to overwrite next pointer, then use CVE-2019-1010025 to brute-force ~8 bits of ASLR to get into the thread arena, pivot through the arena list into the main_arena and then overwrite xsputn in stdout with popen