Thank you for the information, I have solved the assessment.
Need to identify the working injection operator (|| or && or & or $() or and then find the proper payload to read the flag.txt (use o’bf’usc’at’ion or proper encoding and replace the filtered characters with environment variables or alternate characters)
Some time, the content of the flag.txt will appear with error message.
Currently working on this one, just keep getting hit with 302s so not sure where any purchase is. Do you know if I can use either download, copy, or move - will intercepting and injecting any of these commands work, or is there a specific one that’s the way in and if so do you know why? Thanks!