Exploit the web-based ping command tool and capture the flag.
InsomniHack Smartcat1
Entering nothing or a ' renders the error: Error running ping -c 1 foo. Enumeration indicated that the following characters were filtered: $;&|({`\t Note that this included whitespace filtering.
I loaded up Burp and went through the ASCII table for other ways of escaping the command. It was possible to use LF (%0a) to escape the existing command and enter another, such as: dest=8.8.8.8%0als.
Viewing the source code of index.cgi confirmed the character filtering.
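The example below is added here and is not the challenge's index.cgi. It shows why a character denylist like the one above lets the LF through, next to an allowlist check that rejects it and builds the ping call without a shell. The denylist is the character set listed above plus a space (an assumption about what the whitespace filtering covered); all function names are hypothetical.

```python
import ipaddress
import re

# Denylist built from the characters the write-up lists, plus a space (assumed).
DENYLIST = set("$;&|({`\t ")

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?=.{{1,253}}\Z){LABEL}(?:\.{LABEL})*")


def denylist_accepts(dest: str) -> bool:
    """Weak check: reject only when a listed character is present."""
    return not any(ch in DENYLIST for ch in dest)


def validate_dest(dest: str) -> str:
    """Allowlist check: accept only an IPv4 literal or a hostname."""
    try:
        return str(ipaddress.IPv4Address(dest))
    except ValueError:
        pass
    # fullmatch plus \Z means a trailing or embedded newline never passes.
    if HOSTNAME_RE.fullmatch(dest):
        return dest
    raise ValueError("dest is not an IPv4 address or hostname")


def build_ping_argv(dest: str) -> list:
    """Return an argv list for subprocess.run(argv); no shell parses dest."""
    # "--" ends option parsing, so dest can never be read as a ping flag.
    return ["ping", "-c", "1", "--", validate_dest(dest)]


if __name__ == "__main__":
    # Constructed inputs: the decoded forms of the requests in the write-up.
    for sample in ["8.8.8.8", "8.8.8.8\nls", "\nfind", "8.8.8.8;ls"]:
        try:
            verdict = build_ping_argv(sample)
        except ValueError as exc:
            verdict = f"rejected ({exc})"
        print(repr(sample), "denylist passes:", denylist_accepts(sample),
              "| allowlist:", verdict)
```
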
Flag
Entering dest=%0afind listed the current directory, revealing the path of the flag.