newgrp is a setuid binary. During the startup of that process, if the vulnerable environment variable is set, dyld will open the requested file. Since stdin=0 / stdout=1 / stderr=2 should be the only open files, the next available file descriptor would be 3. So open() should give dyld that file descriptor.
newgrp will then drop it's privileges and run your shell, perhaps by calling exec() without forking another process. Since the file wasn't specified to close on exec, the shell will inherit the open file descriptor.
If we pass "echo "[something]" >&3" to stdin of newgrp, the echo will be executed in the new shell. Even though that shell is running as the logged in user, fd=3 was opened by root. So the result can be appended to any file you want.