Taking a careful look at index.js, we noticed that line 57 can call not only methods of converters but also methods of Object.prototype. Thus, we searched JavaScript reference for abusable methods of Object.prototype. After a while, we realized that when we set request.body.input to FLAG_(SessionID) and call Object.prototype.__defineSetter__, we can define a setter that leaks the code of flagConverter. Another request invoked the setter and leaked the code of flagConverter, so we got flag.