@jeremy @oj sorry, but no.

You've suggested "poison the access logs and execute them" despite the fact that the challenge uses a shell to `rm` the filename you give it; it doesn't execute it. You've also suggested "simply execute a system-level reverse shell" by "determining most-likely binary available in target OS to establish command exec" but you haven't shown _how_ to get command exec.

Now you're saying to wget something off of 127.0.0.1 without saying if you're doing that locally on your machine, or if you're doing it on the victim's machine - in which case you're nowhere near being able to execute arbitrary commands on their machine yet, and if you could why would you want to wget their localhost anyway?

You don't then get to say "in the meantime someone else already posted similar solutions" like you were on the right track. Sorry, but you just weren't.

The challenge was "how do you achieve command injection?" not "what would you do with command injection?"

The trick used in the solutions we know work was that file_exists() will honour a URL such as ftp:// to check the existence of a file, at which point you have various places inside a ftp:// URL to hide a command injection trigger (I originally used the username/password part, and bitquark used the fragment which I think is super clever)

Saying "nice trick" or "interesting, TIL" or "yeah gotcha that makes sense" would parse. Saying nothing at all would be appropriate. Saying "that's what I was saying all along!" which is how what you're saying sounds to me (but it might just be me) just doesn't make sense. Take the L.