Navigating to the page given shows a calculator, as described.

We tried a few things at first, like causing an error:  
![](https://codimd.s3.shivering-isles.com/demo/uploads/upload_37435ed3eab9da2748a3382349b0f6ff.png)

Or entering in a calculation that results in 0:  
![](https://codimd.s3.shivering-isles.com/demo/uploads/upload_a1f71c50a3b977df725b2413e38a686d.png)

But after doing more research into the `eval()` function in Python, which was
most likely doing this calculation work, we realised that it could probably be
used to run some shellcode (ish). So we decided to use the `subprocess`
module, which allows you to run shell commands from Python.

```  
__import__('subprocess').getoutput('ls')  
```

gave us this:

```  
__pycache__ main.py prestart.sh templates test.txt  
```

Printing out `main.py` via
```
__import__('subprocess').getoutput('cat main.py')
```
printed out the entire `main.py` script that powers the site. A notable
variable is `maybe_this_maybe_not`, whose value is the flag.

**Flag**: `DUCTF{3v4L_1s_D4ng3r0u5}`  
**Further reading**: [Dangerous Python functions, like `eval()` and the `subprocess` module](https://www.kevinlondon.com/2015/07/26/dangerous-python-functions.html)

Original writeup (https://joyce.fyi/posts/ductf-2020/#addition).