Tags: web pollution astinjection
The version of `flat` used seems to be vulnerable to prototype pollution, and we can find information on the payloads we can use, finding an example exploiting `pug`.
By having the exploit at hand, we can write a simple script which will send a POST request with the required `song.name` in the data, as well as with our payload.
The payload itself will allow us to do _Remove Code Execution_. More to the point, we will cat the flag file into the publically available `/static/js` folder, so we can navigate to it after the pollution exploit.