Escaping a chroot, seccomp, namespace sandbox by abusing syscall numbers and uid namespace uid of 0. Finally abusing command injection to read the flag:

http://blog.rpis.ec/2017/04/bctf-2017-boj.html