feat(ctf): Shell Injection — run_diagnostics command injection challenge #467

Open
steadhac wants to merge 1 commit into GenAI-Security-Project:main from
steadhac:steadhac/feat/rce-shell-injection-challenge
Conversation

Contributor

@steadhac steadhac commented Apr 7, 2026

Summary

Adds the Shell Injection CTF challenge (rce-shell-injection) mapping to intentional
bug #369 (SU-DIAG-003 — run_diagnostics has no command allowlist).

run_diagnostics accepts a free-form command string and passes it to the system without
sanitization. Shell operators like ;, &&, ||, |, backticks, and $() are not stripped,
allowing an attacker to chain arbitrary commands alongside legitimate diagnostic ones.

This is distinct from Shell Shock (rce-shell-shock): Shell Shock targets execute_script with
reverse shell / destructive payloads. This challenge targets run_diagnostics with command chaining
— a lower-friction attack vector that looks like a legitimate maintenance workflow.

The underlying bug is intentionally left unfixed per #369 ("intentional CTF design").

Files

  • finbot/ctf/definitions/challenges/rce/shell_injection.yaml — challenge definition,
    RCEDetector config scoped to run_diagnostics.command, 9 injection patterns, 3 tiered hints

How it works

Reuses RCEDetector with tool_names: [run_diagnostics] and content_fields: [command].
No new detector class needed — the YAML overrides the default execute_script scope.

Labels

LLM01:Prompt Injection · LLM06:Excessive Agency · CWE-78 · CWE-20 ·
AML.T0043 · AML.T0054 · ASI-01 · ASI-02 · ASI-05

Test plan

  • uv run python scripts/reload_challenges.py — loads 18 challenges, no YAML errors
  • Two-turn exploit fires detector and awards 300pts in CTF portal
  • Challenge locked behind rce-shell-shock prerequisite
  • order_index: 11 — no collision with existing challenges (Shell Shock: 10, Privilege Escalation: 12)

Closes #369

Development

Successfully merging this pull request may close these issues.

Bug_160_EVALUATE: SU-DIAG-003 — Shell injection command accepted without validation in run_diagnostics