Diffstat (limited to 'chall/notes')
-rw-r--r-- chall/notes 41
1 file changed, 41 insertions, 0 deletions
diff --git a/chall/notes b/chall/notes
new file mode 100644
index 0000000..c6410c5
--- /dev/null
+++ b/chall/notes
@@ -0,0 +1,41 @@
+Setup a quick docker container with python2 and ply installed to test..
+
+Check out the source code..
+
+First thing we want to find is how the tokens are turned
+into python, since we ideally just want to write python.
+
+We find that tokens of type INLINE are directly injected.
+
+Looking at INLINE tokens we find some which are useful
+for calling functions:
+
+ "ARGZ": ("INLINE", "_lol_sys.argv"),
+ "THINGZ": ("INLINE", "()"), # invisible tuple didn't sound right
+ "THING": ("INLINE", "()"), # sometimes it's better in singular form
+ "MY": ("INLINE", "self."),
+ "MYSELF": ("INLINE", "(self)"),
+
+Looks like the sys module was imported as _lol_sys.
+The other tokens allow us to call functions.
+
+Varibles are injected directly too.. this allows us to call
+builtins by specifying the builtin name, followed by THING.
+
+Since we just want to run python code directly we'd
+like to call `eval` with a string. Strings are
+injected directly after some escape character checks.
+
+In the inline tokens we saw there is one that allows
+us to pass an argument.. MYSELF. For that we need
+to define self.. Lets do that as a simple variable
+instead of the normal definition of self.
+
+We find we can define self using CAN HAS..
+We can print the result of the eval using VISIBLE..
+
+Thus our payload becomes:
+
+ self CAN HAS '<PYTHON-CODE>'
+ VISIBLE eval MYSELF
+
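Review bot: The notes state the core weakness but not where it lives, so they are hard to verify against the source; line 23 ("tokens of type INLINE are directly injected") and line 37 ("Varibles are injected directly too") should name the file and function in the transpiler that splices INLINE token values and variable names into the generated Python without quoting or validation, since that splicing is the root cause the whole payload depends on. Similarly, line 41 says strings are injected "after some escape character checks" but does not record which characters are checked, and a reader cannot tell from the notes whether those checks are meaningfully a restriction or not; write down what was observed. Minor: "Setup" should be "Set up" on line 16, "Varibles" should be "Variables" on line 37, "Lets" should be "Let's" on line 46, and the repeated ".." used as an ellipsis throughout reads as a typo; use "..." or end the sentence.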