Tags: radare2 kernel pwn reverse-engineering
The writeup is available here: https://xarkes.com/b/hacklu-2019-babykernel-wu.html
TL;DR:
1. Compute real_cred offset in task_struct
2. Get current_task pointer
3. Get current_task->real_cred pointer
4. Overwrite current_task->real_cred->fsuid with 0
5. Read /flag