Rating:

# Piranha Gun (stego 50)

This challenge gives you a shell under some namespaces isolation, and vaguely asks that you find "jungle.chest".

Because you're root in this namespace, you can `mount -t proc proc /proc` to restore procfs to aid in your exploration of this system.

With proc, you can notice that there's a mountpoint at `/chest`, but `/chest` is empty.

As it turns out, this mount is shadowing a file that is in the real `/chest` directory. You can `umount /chest` to view it.

This file is `/chest/jungle.chest`, which contains the flag.

Free fun fact: The `mount` command just uses `/etc/mtab` to show mounts, but `/etc/mtab` is not guaranteed to have anything to do with reality (in fact, you can use `mount -n` and `umount -n` to skip updating `/etc/mtab`, leaving it incorrect). In the case of this challenge, since `/etc/mtab` is from outside the namespace jail, `mount` will show the state of the system outside of the jail. So it doesn't include the `/chest` mountpoint! On linux, the way to get real mount information is to use `/proc/mounts`, or the more modern `/proc/self/mountinfo`.

Original writeup (https://github.com/pwning/public-writeup/blob/master/hitcon2015/stego50-piranha_gun/writeup.md).