Tags: sandbox namespace protobuf
Rating:
Bypass path check using null bytes, write to /proc/$pid/mem to get code execution in the init process, fork off a child with new user namespace and use the file write function to set up uid and gid mappings, then read the flag