A vulnerable web app passes user input directly into a shell command. Review the source, understand the injection point, and exploit it to read the flag.
