Tags: elf seccomp sandbox pwn parsing 

### TL;DR

After trying half a dozen different ideas, I came up with the following working solution:

- ELF parser used by the binary skips program header table if `e_phoff == 0`

- Linux kernel will still load the ELF

- Exploit this with an ELF containing:

  - `PT_LOAD` segment with `p_vaddr == 0x10000` to bypass `mmap()` restriction

  - Shellcode to set up arguments and call `execve()`

For more details, check out the link below.

Original writeup (https://github.com/LevitatingLion/ctf-writeups/blob/master/google_ctf_quals_2018/pwn_283_execve_sandbox/README.md).
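
The parser gap in the first bullet, shown from the validator's side. This is an added example, not code from the challenge or the linked writeup. The function names, the `skip_if_zero` switch and the hardened policy (reject any program header table that starts inside the ELF header) are assumptions made for illustration, and the sample file is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF64 little-endian layout constants, from the ELF specification. */
enum { EH_SIZE = 64, E_PHOFF = 32, E_PHENTSIZE = 54, E_PHNUM = 56,
       PH_SIZE = 56, PT_LOAD = 1 };

static uint64_t rd_le(const uint8_t *p, int n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Returns how many PT_LOAD entries were inspected, or -1 on rejection.
 * skip_if_zero=1 models the flawed parser; 0 is the assumed hardened policy. */
int load_segments_seen(const uint8_t *f, size_t len, int skip_if_zero) {
    if (len < EH_SIZE || memcmp(f, "\177ELF", 4) != 0) return -1;
    uint64_t phoff = rd_le(f + E_PHOFF, 8);
    uint64_t phentsize = rd_le(f + E_PHENTSIZE, 2);
    uint64_t phnum = rd_le(f + E_PHNUM, 2);
    if (phnum == 0) return 0;                  /* genuinely no table */
    if (phoff == 0 && skip_if_zero) return 0;  /* flaw: table never examined */
    /* Table starting inside the ELF header: rejected (covers e_phoff == 0). */
    if (phoff < EH_SIZE || phentsize != PH_SIZE) return -1;
    if (phoff > len || phnum * PH_SIZE > len - phoff) return -1;
    int seen = 0;
    for (uint64_t i = 0; i < phnum; i++)
        if (rd_le(f + phoff + i * PH_SIZE, 4) == PT_LOAD) seen++;
    return seen;
}

/* Constructed sample: zeroed 120-byte file, ELF64 header plus one program
 * header slot at offset 64 whose p_type is set to PT_LOAD. */
void make_sample(uint8_t buf[120], uint64_t phoff, uint16_t phnum) {
    memset(buf, 0, 120);
    memcpy(buf, "\177ELF", 4);
    for (int i = 0; i < 8; i++) buf[E_PHOFF + i] = (uint8_t)(phoff >> (8 * i));
    buf[E_PHENTSIZE] = PH_SIZE;
    buf[E_PHNUM] = (uint8_t)phnum; buf[E_PHNUM + 1] = (uint8_t)(phnum >> 8);
    buf[64] = PT_LOAD;
}

int main(void) {
    uint8_t b[120];
    make_sample(b, 0, 1);  /* e_phoff == 0 although e_phnum == 1 */
    printf("flawed=%d hardened=%d\n", load_segments_seen(b, 120, 1), load_segments_seen(b, 120, 0));
}
```

With `e_phoff == 0` and a non-zero `e_phnum`, the flawed path reports zero inspected segments and accepts the file, while the hardened path rejects it; a well-formed file with the table at offset 64 gets the same answer from both.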