This time the `read_flag` binary is protected by `apparmor`.

We can execute shellcode using a method similar to the one in `APP Ⅰ`; then, using a shebang trick such as
`#!/read_flag`,
we are able to bypass `apparmor`.

I chose to use `memfd_create` and `stub_execveat` to achieve this.

Read my [exploit](https://github.com/bash-c/pwn_repo/blob/master/Bamboofox2019_app/solve-2.py) for more details.
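
A defender-side check for the technique named above, as an added example that is not part of the original writeup or its exploit: it flags processes whose image was exec'd from a `memfd_create` file, and processes whose interpreter was handed a descriptor path (such as `/dev/fd/N`) that resolves to one, which is what a shebang script run from a memfd looks like. The snapshot dictionary layout and the function names are assumptions made for this example.

```python
import os
import re

# argv entries that name an inherited descriptor instead of a file on disk
FD_PATH = re.compile(r"^/(?:dev/fd|proc/self/fd|proc/\d+/fd)/(\d+)$")


def classify(proc):
    """proc = {"exe": str, "argv": [str], "fds": {int: str}} (layout assumed here)."""
    # Case 1: the image itself was exec'd from a memfd (ELF via execveat);
    # the kernel reports the exe link as "/memfd:<name> (deleted)".
    if proc["exe"].startswith("/memfd:"):
        return "exe-from-memfd"
    # Case 2: shebang script held in a memfd. The interpreter is an ordinary
    # on-disk binary, but it receives a descriptor path as the script argument.
    for arg in proc["argv"][1:]:
        m = FD_PATH.match(arg)
        if m and proc["fds"].get(int(m.group(1)), "").startswith("/memfd:"):
            return "script-from-memfd"
    return None


def snapshot(pid):
    """Read exe, argv and fd targets for a live pid from /proc (Linux only)."""
    base = f"/proc/{pid}"
    with open(f"{base}/cmdline", "rb") as f:
        argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    fds = {}
    for name in os.listdir(f"{base}/fd"):
        try:
            fds[int(name)] = os.readlink(f"{base}/fd/{name}")
        except OSError:
            pass  # descriptor closed while we were looking
    return {"exe": os.readlink(f"{base}/exe"), "argv": argv, "fds": fds}


def scan():
    """Classify every readable process; returns {pid: finding}."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            finding = classify(snapshot(pid))
        except OSError:
            continue  # exited, kernel thread, or not ours to inspect
        if finding:
            hits[int(pid)] = finding
    return hits
```

Polling `/proc` only catches processes that are still alive when `scan()` runs, so a short-lived target is better covered by feeding the same `classify` logic from exec-time audit events.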

Original writeup (https://github.com/bash-c/pwn_repo/blob/master/Bamboofox2019_app/solve-2.py).