ShipFast has three features — only one calls a shell command. Identify the injectable endpoint, confirm with a timing probe, and extract both flags from /app/secrets/.
