Tags: pwn kernel 

Rating: 2.0

  1. Read the current_task pointer address from the provided System.map
  2. Get the task's struct cred *cred pointer
  3. Overwrite cred->fsuid and cred->fsgid
  4. Read /flag
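
Because step 3 changes only the filesystem IDs, the tampering is visible from userspace: the fourth field of the Uid:/Gid: lines in /proc/<pid>/status no longer matches the real, effective or saved ID. The check below is an added example, not part of the original writeup or its solution.py; the sample status text is constructed, and skipping processes with effective UID 0 is a simplifying assumption that ignores file capabilities and user namespaces.

```python
import re

# Constructed /proc/<pid>/status excerpts (not captured from a real system).
SAMPLES = {
    1201: "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n",
    1350: "Name:\tclient\nUid:\t1000\t1000\t1000\t0\nGid:\t1000\t1000\t1000\t0\n",
    1422: "Name:\tfileserver\nUid:\t0\t0\t0\t65534\nGid:\t0\t0\t0\t65534\n",
}


def parse_ids(status_text, key):
    """Return (real, effective, saved, filesystem) IDs from a 'Uid:' or 'Gid:' line."""
    m = re.search(rf"^{key}:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError(f"no {key} line in status text")
    return tuple(int(x) for x in m.groups())


def fs_id_mismatch(status_text):
    """List ID kinds whose filesystem ID matches none of real/effective/saved.

    An unprivileged process can only set fsuid/fsgid to one of its own
    real, effective or saved IDs, so any other value is suspicious.
    Assumption: effective UID 0 stands in for CAP_SETUID/CAP_SETGID, and
    such processes are skipped because they may change these IDs legitimately.
    """
    if parse_ids(status_text, "Uid")[1] == 0:
        return []
    findings = []
    for key in ("Uid", "Gid"):
        real, eff, saved, fs = parse_ids(status_text, key)
        if fs not in (real, eff, saved):
            findings.append((key, fs, (real, eff, saved)))
    return findings


def scan(samples):
    """Map pid -> findings for every sample with at least one mismatch."""
    return {pid: f for pid, text in samples.items() if (f := fs_id_mismatch(text))}


if __name__ == "__main__":
    for pid, findings in scan(SAMPLES).items():
        for key, fs, others in findings:
            print(f"pid {pid}: {key} filesystem ID {fs} not in real/eff/saved {others}")
```

On a live host the same functions can be fed the contents of each /proc/<pid>/status file instead of SAMPLES.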

Exploit here: https://github.com/justcatthefish/ctf/blob/master/2019-10-23-hacklu-ctf/baby_kernel2_pwn/solution.py

Written by disconnect3d

Original writeup (https://github.com/justcatthefish/ctf/blob/master/2019-10-23-hacklu-ctf/baby_kernel2_pwn/solution.py).