Rating:
- Leak the flag filename through `sys.path_importer_cache["/app"]._path_cache`
- Read the flag through the `readline` library which has no audit hooks; go through the `rlcompleter` import to get access to it.
Full writeup with extra approaches and some import machinery exploration: https://ur4ndom.dev/posts/2024-02-11-dicectf-quals-diligent-auditor/