This module was fun to go through as it covers the essentials on how to best utilize the tool. At the end of the module the task is to find the flag.txt file by using ZAP to discover interesting sites/pages and associated risks that could be leveraged to gain system access. It is at this point that I found myself researching more PHP URL injections than ZAP itself. Some notable commands that I beleive will be useful in future CTFs are as follows: ``` %26ls+-la+..%2F%26 ``` The above example is a simple `ls -la ../` command in order to understand what contents are within the directory. `%26find%20/%20-type%20f%20-name%20flag.txt%26` The provided example will utilize the find command to look for the file named flag.txt We can also add 'pwd' to list the full path to where the file was found . `%26pwd%26find%20/%20-type%20f%20-name%20flag.txt%26` `%26` is the URL-encoded '&' that chains to the next command. `%20` is the URL-encoded ' ' {space}. So the command translates to `find / -type f -name flag.txt` In the case of this module, I found the flag was hidden to the standard ls command but appeared when using the find command. To get the flag: `<IP>%26cat%20%2Fflag.txt` Fun. Using a stored cookie on a webpage is neat. You can take the cookie, decode it, and fuzz missing parts. Tools such as Burpsuite let you set options such as prefix and payload processing rules like if you need to encode the payload to match the original cookie format.