In this write-up, we demonstrate how exploiting a remote command injection in the dockerized script generating the audio allowed us to decode remotely the flag before exfiltrating it using text2speech.