1. A list of usernames and hashed passwords (MD5) can be found through an SQL injection in the following URL:

http://10.10.X.X/?file=article.php&id=0%20UNION%20SELECT%201,username,3,4,password%20from%20user%20LIMIT%200,1

There are 3 users in total, but only jacob's hash can be cracked, which gives you the login details jacob / jacob123.

2. Once logged in you'll discover you can't do much unless you're logged in as sarah. One thing you do find is a password reset form which works as a GET request with no CSRF protection.

3. Comment on one of the posts and a headless Chrome instance logged in as sarah automatically views the post. Through either XSS or just putting the URL into an IMG tag you can reset sarah's password, e.g. <img src="http://10.10.X.X/?file=admin-password.php&password=password&c_password=password">

4. Now logged in as sarah you have the ability to create new articles as well as upload an image to go with each one. Images must end in .jpg and have the correct Content-Type header, but you can upload any PHP you want and just change the file extension to .jpg. Once uploaded, the file name is a random hash with a .jpg extension. To get the PHP code to run you can utilise an LFI (http://10.10.x.x/?file=../public/uploads/8ec1614968b4614389da060b3cc84319.jpg). You could use this to spawn a reverse shell and then view the flag in /flag.txt
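
Steps 3 and 4 work because the `file` parameter is used as an include path and the password reset accepts a plain GET. The following is an added example, not the challenge's own code, showing hardened handling of both; the page names, the `pages/` directory, the `csrf_token` field and the function names are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not the challenge's code. Page names, the pages/ directory,
// the csrf_token field and both function names are assumptions.

// The `file` parameter is treated as a key into a fixed map, never as a path.
const PAGES = [
    'article.php'        => 'article.php',
    'admin-password.php' => 'admin-password.php',
];

function resolve_page(string $requested, string $pagesDir): ?string
{
    // Anything not listed (such as a ../public/uploads/ path) is refused,
    // so an uploaded file can never be reached by include.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    // Only the constant from the map is joined to the directory.
    return rtrim($pagesDir, '/') . '/' . PAGES[$requested];
}

function reset_allowed(string $method, array $post, array $session): bool
{
    // A password change is a state change: POST only, so an <img> fetch cannot trigger it.
    if ($method !== 'POST') {
        return false;
    }
    $sent = $post['csrf_token'] ?? null;
    $want = $session['csrf_token'] ?? null;
    // Require the per-session token, compared in constant time.
    return is_string($sent) && is_string($want) && $want !== ''
        && hash_equals($want, $sent);
}

// Constructed requests shaped like steps 3 and 4 above.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
var_dump(resolve_page('article.php', __DIR__ . '/pages'));
var_dump(resolve_page('../public/uploads/example.jpg', __DIR__ . '/pages'));
var_dump(reset_allowed('GET', [], $session));
var_dump(reset_allowed('POST', ['csrf_token' => $session['csrf_token']], $session));
```

Binding `id` through a prepared statement and storing uploads outside any directory the include logic can reach would close the remaining steps of the chain.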