Use the bit flip to enable usermode access to the memory region holding page directory entries for physmap and kernel base (the alternative virtual address based on direct memory offsets rather than the one from kallsyms). Then, enable usermode and writeable bit, and inject code to overwrite the brohammer syscall.

Original writeup (https://www.willsroot.io/2021/04/midnightsunquals-2021-brohammer-single.html).