# Jellyspotters

## Challenge

The leader of the Jellyspotters has hired you to paint them a poster for their convention, using this painting program. Also, the flag is in `~/flag.txt`.

`nc umbccd.io 4200`

Author: nb

## Solution

The painting program loads a Base64-encoded pickle string taken from its input.

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-e4603d7b1fefb2f77443ea8d73b58a1dae0d210f%2F35f4f9a7c7b3430e898e553101246fdd.png?alt=media)

Reference: <https://davidhamann.de/2020/04/05/exploiting-python-pickle/>

We can leverage the `__reduce__` method to call `os.system()` with `cat ~/flag.txt`.

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-7b547366cd603b9108a66ec80a7097e6e2ff2e71%2F75afcd6be6074897baf166909d6fc4b1.png?alt=media)

Passing the Base64-encoded string as input returns the flag.

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-c8c7b753cc2269be7495041c2a1646e6cfcd3e73%2F0269343d05774da5a46bfa109ec88533.png?alt=media)
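The `__reduce__` behaviour used above, seen from the loader's side, as an added example that is not part of the original write-up or the challenge's code: a static opcode check and an unpickler that refuses every global lookup. `DataOnlyUnpickler`, `risky_opcodes`, `safe_loads_b64` and `Probe` are hypothetical names, and the sample inputs (including the harmless `echo` string) are constructed.

```python
import base64, io, os, pickle, pickletools

# Opcodes that resolve or call objects instead of building plain data.
RISKY = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}

class DataOnlyUnpickler(pickle.Unpickler):
    """Hypothetical hardened loader: every global lookup is refused."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def risky_opcodes(blob_b64):
    """Statically list risky opcodes; genops parses, it never executes."""
    raw = base64.b64decode(blob_b64, validate=True)
    return sorted({op.name for op, _, _ in pickletools.genops(raw)} & RISKY)

def safe_loads_b64(blob_b64):
    """Decode and load a pickle that may contain only built-in data types."""
    raw = base64.b64decode(blob_b64, validate=True)
    return DataOnlyUnpickler(io.BytesIO(raw)).load()

class Probe:
    """Constructed sample object; its reduce tuple names a callable and args."""
    def __reduce__(self):
        return (os.system, ("echo constructed-sample",))

def encode(obj):
    # Protocol 4 is pinned so the opcode listing is the same on every Python 3.
    return base64.b64encode(pickle.dumps(obj, protocol=4)).decode()

def demo():
    poster = encode({"title": "jellyfish", "size": [3, 4]})  # constructed data
    probe = encode(Probe())                                   # constructed sample
    report = {"poster_ops": risky_opcodes(poster),
              "probe_ops": risky_opcodes(probe),
              "poster": safe_loads_b64(poster)}
    try:
        safe_loads_b64(probe)
        report["probe"] = "loaded"
    except pickle.UnpicklingError as exc:
        report["probe"] = str(exc)  # the callable was never resolved or run
    return report

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Plain data pickles contain none of the risky opcodes, so a service that only needs data can reject anything else before loading, or avoid pickle for untrusted input altogether.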
