Rating:
https://spyclub.tech/2018/inctf2018-web-challenge-writeup/
Interesting, so `exec` not blacklisted was a mistake on your part and not the intended solution? Because it allows to bypass most of the protection -> exec takes string as an argument, and you could build any arbitrary string via `chr(x).__add__(...`. The only issue is the fact that exec won't give an echo, so you need to send data back via other channels (netcat, wget etc).