### TL;DR
Craft a malicious cookie via Padding Oracle to bypass a whitelist and do Command Injection to extract `flag.txt`.