Rating:

Cookie named 'cart' is an nodejs json deserialization vulnerability injection point.
Because of node-serialize's RCE vulnerability, we can do Remode Code Execution.

But we cannot get the feedback of command execution. Thanks to server side error feed-back, we can get the output with error-based command injection.

Attack with backtick(``) in bash sub command

Original writeup (https://eine.tistory.com/entry/NahamCON-CTF-2020-Write-ups).