**TL;DR**: Directory traversal vulnerability into source code leaks to identify Python backend with bottle-py. Identify pickling deserialization on `/sign` endpoint to get remote code execution to get the flag.
Original writeup (https://notateamserver.xyz/sekaictf-writeups/#bottle-poem).