Stuck for a while on this, if anyone could help.
I understand it has to do something with race condition and sleep 0.314159265 is there for that.
Lock file can be hijacked before start of the script and potentially you could run 2 instances of binary.
-
Create lock file
-
Run binary
-
Remove lock file
-
Run binary
(First run will say error about lock file exisitng, but that’s exit)
For PPID I managed to leak it by creating directories, run binary and leak with error. For some reason it stays the same for few minutes (?)
Once you have control of PPID directory then you can list files and everything, except writing to file.*
Even if symlink is created find command is bound to fail to read any file
find "$temp_dir" -type f -size 4c -exec cat {} +