Problem author's writeup.

Summary: smuggle in the IP command through the SNI of an HTTPS request (or, the unintended solution: redirect to an ftp:// URL with a very long username)