Taking a careful look at `index.js`, we noticed that line 57 can call not only methods of `converters` but also methods of `Object.prototype`.
Thus, we searched the JavaScript reference for abusable methods of `Object.prototype`.
After a while, we realized that when we set `request.body.input` to `FLAG_(SessionID)` and call `Object.prototype.__defineSetter__`, we can define a setter that leaks the code of `flagConverter`.
Another request invoked the setter and leaked the code of `flagConverter`, so we got `flag`.
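
The root cause described above is a dynamic lookup on `converters` that falls through to `Object.prototype`. The following added example (not the challenge's `index.js`; the converter table and all function names are constructed for illustration) compares that lookup with two dispatch styles that accept only the intended converters:

```javascript
// Constructed stand-in for the challenge's converter table (hypothetical names).
const converters = {
  upper: (input) => input.toUpperCase(),
  reverse: (input) => [...input].reverse().join(''),
};

// Unsafe dispatch: a plain property lookup walks the prototype chain, so
// names such as "__defineSetter__" or "constructor" resolve to functions too.
function resolveUnsafe(name) {
  const fn = converters[name];
  return typeof fn === 'function' ? fn : null;
}

// Hardened dispatch 1: accept only string keys that are own properties.
function resolveOwn(name) {
  if (typeof name !== 'string') return null;
  if (!Object.prototype.hasOwnProperty.call(converters, name)) return null;
  const fn = converters[name];
  return typeof fn === 'function' ? fn : null;
}

// Hardened dispatch 2: Map.get() never falls through to inherited members.
const converterMap = new Map(Object.entries(converters));
function resolveMap(name) {
  return converterMap.get(name) ?? null;
}

// Report which request-supplied names each resolver would accept.
function audit(names) {
  return names.map((name) => ({
    name,
    unsafe: resolveUnsafe(name) !== null,
    own: resolveOwn(name) !== null,
    map: resolveMap(name) !== null,
  }));
}

const report = audit(['upper', '__defineSetter__', 'hasOwnProperty', 'constructor', 'nope']);
console.table(report);
```

Only the unsafe resolver accepts the inherited names; creating the table with `Object.create(null)` is a third option with the same effect.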