1. Read `current_task` ptr address based on provided `System.map`
2. Get `cred* cred` pointer
3. Overwrite `cred->fsuid` and `cred->fsguid`
4. Read `/flag`

Exploit here: https://github.com/justcatthefish/ctf/blob/master/2019-10-23-hacklu-ctf/baby_kernel2_pwn/solution.py

Written by disconnect3d

Original writeup (https://github.com/justcatthefish/ctf/blob/master/2019-10-23-hacklu-ctf/baby_kernel2_pwn/solution.py).