Tags: web rce prototype-pollution 

Rating: 3.0

1) Using the app.put('/api/directory*') route, we can achieve prototype pollution.
2) Using prototype pollution, we change the values of variables used in child_process.spawn to get RCE (CVE-2019-7609).
3) Using RCE, we put an executable into the /tmp directory of the server and run it to get the flag!
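
For the defensive side of steps 1 and 2, here is an added example (not code from the challenge or the original writeup) of a path-walking setter of the kind that pollutes `Object.prototype`, next to a hardened version and spawn options built on a null prototype. The function names, the path format and the `ctfMarker` property are assumptions made for illustration; the challenge's actual route handler is not shown on this page.

```javascript
// Hypothetical path-walking setter, shape assumed for illustration (the real
// route handler is not shown here). Each path segment is used as an object key.
function setByPathUnsafe(root, path, value) {
  const keys = path.split('/').filter(Boolean);
  let node = root;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key]; // a "__proto__" segment resolves to Object.prototype
  }
  node[keys[keys.length - 1]] = value;
}

const FORBIDDEN = new Set(['__proto__', 'prototype', 'constructor']);
// Hardened variant: rejects prototype-related segments, follows own properties only.
function setByPathSafe(root, path, value) {
  const keys = path.split('/').filter(Boolean);
  if (keys.length === 0 || keys.some((k) => FORBIDDEN.has(k)))
    throw new Error('invalid path segment');
  let node = root;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
}

// Options object for child_process.spawn built on a null prototype, so no
// property can be inherited from a polluted Object.prototype.
function spawnOptions(cwd) {
  const env = Object.assign(Object.create(null), { PATH: '/usr/bin:/bin' }); // constructed value
  return Object.assign(Object.create(null), { cwd, shell: false, env });
}

// Constructed demonstration using a harmless marker property.
function demo() {
  const result = {};
  try {
    setByPathUnsafe({}, '/__proto__/ctfMarker', 'polluted');
    result.unsafePolluted = ({}).ctfMarker === 'polluted';
    result.inheritedByNullProto = 'ctfMarker' in spawnOptions('/tmp');
  } finally {
    delete Object.prototype.ctfMarker; // restore global state
  }
  try { setByPathSafe({}, '/__proto__/ctfMarker', 'x'); result.safeRejected = false; }
  catch (e) { result.safeRejected = true; }
  return result;
}
console.log(demo());
```
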

`Flag: ALLES{Gr3ta_w0uld_h4te_th1s_p0lluted_sh3ll}`

Click [here](https://blog.sud0u53r.com/2020/09/alles-ctf-2020-writeup-only-freights.html) for the detailed writeup.

Original writeup (https://blog.sud0u53r.com/2020/09/alles-ctf-2020-writeup-only-freights.html).