Bypass path check using null bytes, write to /proc/$pid/mem to get code execution in the init process, fork off a child with new user namespace and use the file write function to set up uid and gid mappings, then read the flag

Original writeup (https://github.com/LevitatingLion/ctf-writeups/tree/master/google_ctf_2020/sandbox_namespacefs).